By default, RACF® does not prevent the sharing of UIDs and GIDs among any number of users or groups. However, you can enforce unique UNIX identifiers by defining a profile called SHARED.IDS in the UNIXPRIV class.

Rules:

- You must define the SHARED.IDS profile to enable each method of automatic assignment of unique UNIX identities. (See Automatically assigning unique IDs using RACF commands and Automatically assigning unique IDs through UNIX services.)
- To control uniqueness for automatic assignment of unique IDs using RACF commands, the RACF database must be at least at stage 2 of application identity mapping (AIM). To control uniqueness for automatic assignment of unique IDs by UNIX services, the RACF database must be at AIM stage 3. If you attempt to assign a UID or GID while the SHARED.IDS profile is defined but the RACF database is not at least at AIM stage 2, the command fails and message IRR52176I is issued. For details about using the IRRIRA00 utility to advance the RACF database to AIM stage 2 or stage 3, see z/OS Security Server RACF System Programmer's Guide.
- RACF can enforce uniqueness of the UIDs and GIDs assigned using RACF TSO commands, RACF ISPF panels, or the R_admin callable service (IRRSEQ00). RACF also assigns unique IDs through the following SAF callable services when FACILITY class profile BPX.UNIQUE.USER is defined:
  - getUMAP (IRRSUM00)
  - getGMAP (IRRSGM00)
  - initUSP (IRRSIU00)
  RACF does not enforce uniqueness of UIDs and GIDs assigned by installation programs that invoke the ICHEINTY or RACROUTE macros.
- The maximum number of user IDs that can share a UID (or groups that can share a GID) is 129, assuming a length of 8 characters for each. More user IDs or groups can share if their average length is less than 8 characters. Once this limit is reached, you might consider combining user ID functions, such as those of started tasks or daemons, to reduce the number of user IDs sharing the same UID. Another option is to administer UNIXPRIV profiles that grant superuser authorities to reduce your need to share UID 0. For more information, see Using UNIXPRIV class profiles to manage z/OS UNIX privileges.
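The following RACF command sequence is an added illustration, not part of the original page: it contrasts the default (shared UIDs accepted silently) with the SHARED.IDS control in place, and then shows how a deliberate exception is granted. The user IDs DAEMON1 through DAEMON3, the administrator group SECADM and the home/program values are assumed, and it is assumed the RACF database is already at AIM stage 2 or higher.

```tso
/* Weak default: nothing stops two users from receiving the same UID. */
/* Both commands succeed, so DAEMON1 and DAEMON2 both run as UID 0.   */
ADDUSER DAEMON1 OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))
ADDUSER DAEMON2 OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))

/* Corrected: activate and RACLIST UNIXPRIV, then define SHARED.IDS.  */
/* Requires AIM stage 2 or higher (stage 3 for the UNIX services path). */
SETROPTS CLASSACT(UNIXPRIV) RACLIST(UNIXPRIV)
RDEFINE UNIXPRIV SHARED.IDS UACC(NONE)
SETROPTS RACLIST(UNIXPRIV) REFRESH

/* With the profile defined, a UID that is already in use is rejected  */
/* unless the issuer has READ access to SHARED.IDS and codes SHARED.   */
/* This command now fails:                                              */
ADDUSER DAEMON3 OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))

/* Allow only the designated administrators (assumed group SECADM) to  */
/* create shared IDs on purpose; the SHARED keyword makes it explicit.  */
PERMIT SHARED.IDS CLASS(UNIXPRIV) ID(SECADM) ACCESS(READ)
SETROPTS RACLIST(UNIXPRIV) REFRESH
ADDUSER DAEMON3 OMVS(UID(0) SHARED HOME('/') PROGRAM('/bin/sh'))

/* Review which user IDs currently map to UID 0 (AIM stage 2 or higher). */
SEARCH CLASS(USER) UID(0)
```

The SEARCH output is the list an administrator would use when deciding whether to consolidate UID 0 users or replace them with UNIXPRIV profiles, as the last rule above suggests.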