z/OS Security Server RACF Security Administrator's Guide


Sharing IDs

SA23-2289-00

By default, RACF® does not prevent any number of users from sharing one UID, or any number of groups from sharing one GID. To enforce unique UNIX identifiers, define a profile named SHARED.IDS in the UNIXPRIV class.

Rules:
  1. You must define the SHARED.IDS profile to enable each method of automatic assignment of unique UNIX identities. (See Automatically assigning unique IDs using RACF commands and Automatically assigning unique IDs through UNIX services.)
  2. To control uniqueness for automatic assignment of unique IDs using RACF commands, the RACF database must be at least at stage 2 of application identity mapping (AIM).

    To control uniqueness for automatic assignment of unique IDs by UNIX services, the RACF database must be at AIM stage 3.

    If you attempt to assign a UID or GID while the SHARED.IDS profile is defined but the RACF database is not yet at AIM stage 2, the command fails and message IRR52176I is issued.

    For details about using the IRRIRA00 utility to advance the RACF database to AIM stage 2 or stage 3, see z/OS Security Server RACF System Programmer's Guide.

  3. RACF can enforce uniqueness of the UIDs and GIDs assigned using RACF TSO commands, RACF ISPF panels, or the R_admin callable service (IRRSEQ00). RACF also assigns unique IDs through the following SAF callable services when FACILITY class profile BPX.UNIQUE.USER is defined.
    • getUMAP (IRRSUM00)
    • getGMAP (IRRSGM00)
    • initUSP (IRRSIU00)

    RACF does not enforce uniqueness of UIDs and GIDs assigned by installation programs that invoke the ICHEINTY or RACROUTE macros.

  4. The maximum number of user IDs that can share a UID (or groups that can share a GID) is 129, assuming each user ID or group name is 8 characters long. More user IDs or groups can share the same ID if their average length is less than 8 characters. Once this limit is reached, consider combining user ID functions, such as those of started tasks or daemons, to reduce the number of user IDs sharing the same UID. Another option is to administer UNIXPRIV profiles that grant specific superuser authorities, which reduces the need to share UID 0. For more information, see Using UNIXPRIV class profiles to manage z/OS UNIX privileges.
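Because RACF permits sharing until SHARED.IDS is defined, an administrator usually wants to know how much sharing already exists (especially of UID 0) before enforcing uniqueness or choosing which started tasks to combine. The following Python script is an added example, not IBM code or part of this guide. It reads records from an IRRDBU00 database unload and lists every UID and GID held by more than one user or group. It assumes the fixed-column layout of the 0270 (user OMVS data) and 0370 (group OMVS data) records shown in its comments, and it models the 129-sharer figure above as a character budget of 129 × 8 so that shorter names count for less; both are assumptions, and the sample records are constructed, not taken from a real system.

```python
"""Audit UID and GID sharing from an IRRDBU00 RACF database unload.

Added example; not part of the RACF documentation or IBM code. It assumes
the fixed-column IRRDBU00 layout below and the 129-sharer figure from the
page; the sample records are constructed, not taken from a real system.
"""
from collections import defaultdict

# Assumed IRRDBU00 columns (0-based slices of the 1-based manual layout):
#   0270 user OMVS data:  USOMVS_NAME cols 6-13, USOMVS_UID cols 15-24
#   0370 group OMVS data: GPOMVS_NAME cols 6-13, GPOMVS_GID cols 15-24
RECORD_LAYOUT = {
    "0270": ("uid", slice(5, 13), slice(14, 24)),
    "0370": ("gid", slice(5, 13), slice(14, 24)),
}

# The guide's figure: 129 sharers when every name is 8 characters long.
# Modeled here (an assumption) as a character budget, so shorter names
# leave room for more sharers, as the guide states.
SHARER_CHAR_BUDGET = 129 * 8


def make_record(rec_type, name, id_value=""):
    """Build one fixed-column record in the assumed layout (sample data only)."""
    return f"{rec_type} {name:<8} {id_value!s:>10}"


# Constructed sample unload: three started-task users on UID 0, two users
# on UID 1000, a user with an OMVS segment but no UID, and two groups on GID 1.
SAMPLE_UNLOAD = [
    make_record("0200", "STCUSR1"),        # basic user record, not OMVS: skipped
    make_record("0270", "STCUSR1", 0),
    make_record("0270", "STCUSR2", 0),
    make_record("0270", "BPXROOT", 0),
    make_record("0270", "ALICE", 1000),
    make_record("0270", "BOB", 1001),
    make_record("0270", "CAROL", 1000),
    make_record("0270", "NOUIDUSR"),       # OMVS segment without a UID
    make_record("0370", "OMVSGRP", 1),
    make_record("0370", "TTYGRP", 2),
    make_record("0370", "DEVGRP", 1),
]


def parse_unload(lines):
    """Map each UID and GID to the list of user or group names that carry it."""
    owners = {"uid": defaultdict(list), "gid": defaultdict(list)}
    for line in lines:
        layout = RECORD_LAYOUT.get(line[0:4])
        if layout is None:
            continue                        # not an OMVS record type we audit
        kind, name_cols, id_cols = layout
        id_text = line[id_cols].strip()
        if not id_text:
            continue                        # OMVS segment with no UID or GID set
        owners[kind][int(id_text)].append(line[name_cols].strip())
    return owners


def shared_ids(owners, kind):
    """Only the UIDs (or GIDs) held by more than one user (or group)."""
    return {i: names for i, names in owners[kind].items() if len(names) > 1}


def budget_used(names):
    """Fraction of the assumed sharer budget consumed by these names."""
    return sum(len(n) for n in names) / SHARER_CHAR_BUDGET


def audit(lines, warn_at=0.8):
    """Summarize the sharing that defining SHARED.IDS would have prevented."""
    owners = parse_unload(lines)
    report = {
        "shared_uids": shared_ids(owners, "uid"),
        "shared_gids": shared_ids(owners, "gid"),
        "uid0_sharers": owners["uid"].get(0, []),
        "near_limit": [],                   # (kind, id) pairs close to the budget
    }
    for kind in ("uid", "gid"):
        for i, names in report[f"shared_{kind}s"].items():
            if budget_used(names) >= warn_at:
                report["near_limit"].append((kind, i))
    return report


if __name__ == "__main__":
    r = audit(SAMPLE_UNLOAD)
    for uid, names in sorted(r["shared_uids"].items()):
        print(f"UID {uid} shared by {len(names)}: {' '.join(names)}")
    for gid, names in sorted(r["shared_gids"].items()):
        print(f"GID {gid} shared by {len(names)}: {' '.join(names)}")
    print("UID 0 sharers:", " ".join(r["uid0_sharers"]) or "none")
```

Run the script against a real unload by replacing SAMPLE_UNLOAD with the lines of the IRRDBU00 output data set (after verifying the 0270 and 0370 column positions against the layout for your RACF release). The "uid0_sharers" list is the one to act on first: each entry is a candidate either for consolidation or for a UNIXPRIV profile granting only the superuser authority it actually needs, as the guide recommends. Note that this audit reflects only what is in the database; it does not tell you which assignment path created each ID, and the guide's rule 3 still applies once enforcement is on.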





Copyright IBM Corporation 1990, 2014