z/OS Security Server RACF Security Administrator's Guide


Defining users

SA23-2289-00

As a general objective, all users should be defined to RACF®. Users who are not defined to RACF can use the system virtually unimpeded, unless, of course, they attempt to access data to which they are unauthorized.

The users you must initially define are those you have selected for the pilot project and the central core of personnel who maintain and operate the system itself. Other users can then be defined as determined by convenience and the priority of their security needs.

You should consider defining the following users to RACF:
  • Interactive users of CICS®, IMS™, TSO/E, NetView®, or other products that support logging on at a terminal.
  • z/OS UNIX users. You use RACF commands to define users to z/OS UNIX. The z/OS UNIX attributes are kept in the OMVS segment of the user's profile and can be specified in addition to any existing attributes. The new attributes extend the user's capabilities to include the use of z/OS UNIX functions. In order to use z/OS UNIX services, a user must have z/OS UNIX attributes defined, such as a z/OS UNIX user identifier (UID) in his or her user profile and a z/OS UNIX group identifier (GID) in the group profile of his or her current connect group (the user's default group or the one specified on the TSO LOGON screen or job card). For more information, see RACF and z/OS UNIX.
  • Users who submit batch jobs without first logging on to a terminal (such as through a physical card reader).
  • MVS™ or JES system operators. You should work with your MVS or JES system programmer to determine which MVS and JES system operators should be defined to RACF. For more information, see Defining and grouping operators.
  • Started procedures.
  • Node names in an NJE network.
  • RJP or RJE remote workstations or nodes.
  • Console IDs if LOGON(AUTO) is specified in the CONSOLxx member of SYS1.PARMLIB. For more information, see z/OS MVS Initialization and Tuning Reference.
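The z/OS UNIX item above says a user needs a UID in the OMVS segment of the user profile and a GID in the OMVS segment of the current connect group. The following CLIST fragment is an added example, not taken from this guide, showing both definitions and the LISTGRP/LISTUSER check; every group name, user ID, UID, GID and path in it is a constructed placeholder.

```tso
/* Added example, not from the IBM guide: every name, UID, GID  */
/* and path below is a constructed placeholder.                 */

/* 1. The connect group needs a GID in its OMVS segment, or the */
/*    user cannot use z/OS UNIX services even with a valid UID. */
ADDGROUP UXGRP1 SUPGROUP(SYS1) OWNER(SYS1) OMVS(GID(1001))

/* 2. Define the user with a UID, home directory and initial    */
/*    program; DFLTGRP makes UXGRP1 the current connect group.  */
/*    No PASSWORD or PHRASE is set here; add one per site policy*/
ADDUSER UXUSR1 DFLTGRP(UXGRP1) OWNER(UXGRP1) +
        NAME('EXAMPLE USER') +
        OMVS(UID(2001) HOME('/u/uxusr1') PROGRAM('/bin/sh'))

/* 3. Verify that both OMVS segments exist before the user logs */
/*    on; NORACF suppresses the base segment in the output.     */
LISTGRP  UXGRP1 OMVS NORACF
LISTUSER UXUSR1 OMVS NORACF
```

If LISTGRP shows no GID for the connect group, the user has a UID but still cannot use z/OS UNIX services until the group is fixed with ALTGROUP ... OMVS(GID(n)).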
There are advantages to defining all users to RACF:
  • Defining all users provides for better administrative control over who is using the system. This in turn can reduce misuse of system resources.
  • Attempted violations by undefined users are difficult to investigate, because they do not have user IDs that are associated with real persons or processes.

Whether all users are eventually defined to RACF is your decision. You might deem individual accountability for a certain segment of the user population unnecessary in some cases. Note that this can reduce your ability to determine exactly who took security-relevant actions.

Copyright IBM Corporation 1990, 2014