z/OS UNIX System Services Planning


Steps for defining z/OS UNIX users to RACF

GA32-0884-00

About this task

This task explains the steps for defining z/OS® UNIX users to RACF.

Before you begin: You need to log on with a user ID that has RACF® SPECIAL authority.

Perform the following steps to define z/OS UNIX users to RACF.

Procedure

  1. Authorize a user to z/OS UNIX by entering:
    • A RACF ADDUSER command for each new user to be given access to z/OS UNIX resources. The ADDUSER command creates a RACF user profile.
    • A RACF ALTUSER command for each current user who is to be given access to z/OS UNIX resources. The ALTUSER command changes a current RACF user profile.

    To provide access to z/OS UNIX resources, both ADDUSER and ALTUSER have an OMVS parameter. The UID subparameter specifies the UID, while the AUTOUID subparameter specifies that RACF is to assign an unused UID value.

    _______________________________________________________________

  2. Assign a home directory for each user through the HOME subparameter on the ADDUSER or ALTUSER command.
    Example: If the home directory is /u/john, specify:
    HOME('/u/john')

    The home directory should be fully qualified ('/u/john'). If a home directory is partially specified (for example, john), problems might occur during process initialization. Then create that home directory for each user. The home directory, like all file names, is case-sensitive. It is recommended that the user name in the home directory be entered in lowercase.

    Alternatively, you can use the ISPF shell to define a home directory for each user.

    Example: If the home directory is the root, specify:
    HOME('/')
    In similar open systems, the directory used for users is /u and the name of the user's home directory is the username associated with the user. In a z/OS system, the user name is the user ID:
    • If a user accesses the shell from TSO/E, the user ID is folded to uppercase.
    • With rlogin, the user ID is case-sensitive. If the alias table (USERIDALIASTABLE) is not set up, then case does not matter and the user ID is folded. If the alias table is being used and the user ID is found in it, then the case-sensitive user ID for UNIX activity is used.

    _______________________________________________________________

  3. Specify an initial program for each user through the PROGRAM subparameter of the ADDUSER or ALTUSER command.
    PROGRAM('/bin/sh')

    Alternatively, you can use the ISPF shell to specify an initial program for each user.

    The system gives control to the user program when the user logs in or invokes the OMVS command. The PROGRAM value is also used for the rlogin, otelnetd, su, and newgrp commands, where a shell is to be created.

    _______________________________________________________________

  4. Do one of the following tasks to connect a user to an already-defined RACF group. The RACF group must have an OMVS GID for the user to access z/OS UNIX resources.
    • Specify the RACF group on the DFLTGRP parameter on the RACF ADDUSER command. The specified group becomes the user's default group.

      If you do not specify a RACF group on the RACF ADDUSER command, your current group becomes the user's default group.

    • Enter a RACF CONNECT command to connect a user to the RACF group. Specify the DFLTGRP parameter on the RACF ALTUSER command to change the user's default group to the RACF group with an OMVS GID.

      To use z/OS UNIX resources, the default group of the user must have a GID defined.

    _______________________________________________________________

  5. z/OS UNIX performs SYSOUT tailoring for every forked address space. When defining the users, code the WORKATTR parameter to specify the user's name and address. The name and address appear on the user's SYSOUT output.

    _______________________________________________________________

Results

When you are done, you have defined z/OS UNIX users to RACF.

In similar open systems, the /etc/passwd file contains definitions for the HOME, SHELL, and LOGNAME environment variables. z/OS UNIX provides better security by keeping these values in the RACF user profile.

Example: The following example shows an ADDUSER command to create a new user ID, JOHN, with authority to use z/OS UNIX.
ADDUSER JOHN DFLTGRP(ENGNGP7) NAME('JOHN DOE') PASSWORD(A4B3C2D1)
        OMVS(UID(314) HOME('/u/john') PROGRAM('/bin/sh'))
        TSO(ACCTNUM(12345678) DEST(P382005) PROC(PROC01) SYSOUTCLASS(A))
        WORKATTR(WANAME('JOHN DOE') WAACCNT(12345678)
        WABLDG(507_PARK_PLACE) WAROOM(124)
        WADEPT(ENGNG555) WAADDR1(WIDGET_INC) WAADDR2(NEW_YORK)
        WAADDR3(NEW_YORK) WAADDR4(10002))
The DFLTGRP parameter places user ID JOHN in the RACF group ENGNGP7, which has a GID of 678. The OMVS parameter on the ADDUSER command does the following:
  • Gives JOHN a UID of 314.
  • Invokes the shell in the file /bin/sh when John Doe enters a TSO/E OMVS command.
  • Gives JOHN a home directory of /u/john. The home directory needs to be added to the file system.

    On an open system, a working directory is normally defined in lowercase letters and typically has the user's user ID as its name—for example, /u/john. If a REXX exec or CLIST extracts the user ID with a &userid variable, the value returned is in uppercase: JOHN. If the REXX exec or CLIST appends the returned value to /u, the result is /u/JOHN. /u/john and /u/JOHN are two different directories. You should consider this behavior in using REXX execs, CLISTs, C programs, or programs using the callable services where the functions return user IDs.

  • Specifying the WORKATTR for user ID JOHN allows daemons to create processes with the correct accounting and SYSOUT defaults. For example, if JOHN logs into the system using a rlogin command from a workstation, a new process will be created for JOHN using the attributes from the WORKATTR.
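
The case-folding behavior described above, as an added example that is not part of the IBM publication: a REXX exec that folds the user ID to lowercase for the home directory, rejects a partially specified or unsafe path, and prints the resulting ALTUSER command for review. The exec name MKOMVS, its argument layout, and the variable names are hypothetical.

```rexx
/* REXX - added example; not from the IBM publication.                */
/* MKOMVS (hypothetical name): build an ALTUSER command whose OMVS    */
/* home directory is fully qualified and lowercase.                   */
/* Call: MKOMVS userid [uid|AUTOUID] [home]   e.g. MKOMVS JOHN 314    */
parse arg user uid home .
uc = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
lc = 'abcdefghijklmnopqrstuvwxyz'
user = translate(user)               /* RACF user IDs are uppercase   */
if user = '' | length(user) > 8 | ,
   verify(user, uc || '0123456789#@$') \= 0 then do
  say 'Usage: MKOMVS userid [uid|AUTOUID] [home]'
  exit 8
end

/* UID subparameter: explicit value, or let RACF pick an unused one   */
if uid = '' | translate(uid) = 'AUTOUID' then
  omvsid = 'AUTOUID'
else do
  if verify(uid, '0123456789') \= 0 then do
    say 'UID must contain digits only, got:' uid
    exit 8
  end
  omvsid = 'UID('uid')'
end

/* Default home: /u/ plus the user ID folded to lowercase, because    */
/* USERID() and &userid return uppercase and /u/JOHN is not /u/john   */
if home = '' then home = '/u/' || translate(user, lc, uc)

/* A partially specified home (for example, john) is rejected         */
if left(home, 1) \== '/' then do
  say 'HOME must be fully qualified (start with /), got:' home
  exit 8
end
/* Quotes or parentheses would change the command that is built       */
if verify(home, lc || uc || '0123456789/._-') \= 0 then do
  say 'HOME contains characters this exec does not accept:' home
  exit 8
end
if home \== translate(home, lc, uc) then
  say 'Warning:' home 'contains uppercase; file names are case-sensitive'

cmd = "ALTUSER" user "OMVS("omvsid "HOME('"home"') PROGRAM('/bin/sh'))"
say cmd                  /* review, then issue with RACF SPECIAL      */
exit 0
```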





Copyright IBM Corporation 1990, 2014