About this task

This task explains the steps for defining z/OS® UNIX users to RACF.

Before you begin: You need to log on with a user ID that has RACF® SPECIAL authority.

Perform the following steps to define z/OS UNIX users to RACF.

Procedure

- Authorize a user to z/OS UNIX by entering:
  - A RACF ADDUSER command for each new user to be given access to z/OS UNIX resources. The ADDUSER command creates a RACF user profile.
  - A RACF ALTUSER command for each current user who is to be given access to z/OS UNIX resources. The ALTUSER command changes a current RACF user profile.

  To provide access to z/OS UNIX resources, both ADDUSER and ALTUSER have an OMVS parameter. The UID subparameter specifies the UID, while the AUTOUID subparameter specifies that RACF is to assign an unused UID value.
_______________________________________________________________
- Assign a home directory for each user through the HOME subparameter on the ADDUSER or ALTUSER command.

  Example: If the home directory is /u/john, specify: HOME('/u/john')

  The home directory should be fully qualified ('/u/john'). If a home directory is partially specified (for example, john), problems might occur during process initialization. Then create that home directory for each user. The home directory, like all file names, is case-sensitive. It is recommended that the user name in the home directory be entered in lowercase.

  Alternatively, you can use the ISPF shell to define a home directory for each user.

  Example: If the home directory is the root, specify: HOME('/')

  In similar open systems, the directory used for users is /u and the name of the user's home directory is the username associated with the user. In a z/OS system, the user name is the user ID:
  - If a user accesses the shell from TSO/E, the user ID is folded to uppercase.
  - With rlogin, the user ID is case-sensitive. If the alias table (USERIDALIASTABLE) is not set up, then case does not matter and the user ID is folded. If the alias table is being used and the user ID is found in it, then the case-sensitive user ID for UNIX activity is used.
_______________________________________________________________
- Specify an initial program for each user through the PROGRAM subparameter of the ADDUSER or ALTUSER command.

  PROGRAM('/bin/sh')

  Alternatively, you can use the ISPF shell to specify an initial program for each user.

  The system gives control to the user program when the user logs in or invokes the OMVS command. The PROGRAM value is also used for the rlogin, otelnetd, su, and newgrp commands, where a shell is to be created.
_______________________________________________________________
- Do one of the following tasks to connect a user to an already-defined RACF group. The RACF group must have an OMVS GID for the user to access z/OS UNIX resources.
  - Specify the RACF group on the DFLTGRP parameter on the RACF ADDUSER command. The specified group becomes the user's default group.

    If you do not specify a RACF group on the RACF ADDUSER command, your current group becomes the user's default group.
  - Enter a RACF CONNECT command to connect a user to the RACF group. Specify the DFLTGRP parameter on the RACF ALTUSER command to change the user's default group to the RACF group with an OMVS GID.

  To use z/OS UNIX resources, the default group of the user must have a GID defined.
_______________________________________________________________
- z/OS UNIX performs SYSOUT tailoring for every forked address space. When defining the users, code the WORKATTR parameter to specify the user's name and address. The name and address appear on the user's SYSOUT output.
_______________________________________________________________

Results

When you are done, you have defined z/OS UNIX users to RACF.

In similar open systems, the /etc/passwd file contains definitions for the HOME, SHELL, and LOGNAME environment variables. z/OS UNIX provides better security by keeping these values in the RACF user profile.

Example: The following example shows an ADDUSER command to create a new user ID, JOHN, with authority to use z/OS UNIX.

    ADDUSER JOHN DFLTGRP(ENGNGP7) NAME('JOHN DOE') PASSWORD(A4B3C2D1)
      OMVS(UID(314) HOME('/u/john') PROGRAM('/bin/sh'))
      TSO(ACCTNUM(12345678) DEST(P382005) PROC(PROC01) SYSOUTCLASS(A))
      WORKATTR(WANAME('JOHN DOE') WAACCNT(12345678)
      WABLDG(507_PARK_PLACE) WAROOM(124)
      WADEPT(ENGNG555) WAADDR1(WIDGET_INC) WAADDR2(NEW_YORK)
      WAADDR3(NEW_YORK) WAADDR4(10002))

The DFLTGRP parameter places user ID JOHN in the RACF group ENGNGP7, which has a GID of 678. The OMVS parameter on the ADDUSER command does the following:
- Gives JOHN a UID of 314.
- Invokes the shell in the file /bin/sh when John Doe enters a TSO/E OMVS command.
- Gives JOHN a home directory of /u/john. The home directory needs to be added to the file system.

  On an open system, a working directory is normally defined in lowercase letters and typically has the user's user ID as its name, for example /u/john. If a REXX exec or CLIST extracts the user ID with a &userid variable, the value returned is in uppercase: JOHN. If the REXX exec or CLIST appends the returned value to /u, the result is /u/JOHN. /u/john and /u/JOHN are two different directories. You should consider this behavior in using REXX execs, CLISTs, C programs, or programs using the callable services where the functions return user IDs.
- Specifying the WORKATTR for user ID JOHN allows daemons to create processes with the correct accounting and SYSOUT defaults. For example, if JOHN logs into the system using an rlogin command from a workstation, a new process will be created for JOHN using the attributes from the WORKATTR.
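
A pre-submission check for the procedure above, as an added example (not IBM's code): it parses ADDUSER/ALTUSER command text and flags the conditions the steps warn about, including the /u/JOHN versus /u/john case problem. The names operands, lint and GROUPS_WITH_GID, and the MARY/PAYROLL command, are constructed for illustration; it assumes each command carries its full OMVS segment and that quoted operands contain no parentheses.

```python
import re

def operands(text):
    """Split 'KEY(value) FLAG KEY2(...)' into {KEY: inner text or None}, honouring nested parentheses."""
    out, i = {}, 0
    while True:
        m = re.compile(r"\s*(\w+)").match(text, i)
        if not m:
            return out
        key, i = m.group(1).upper(), m.end()
        value = None                          # operand-less keyword such as AUTOUID
        if text[i:i + 1] == "(":
            depth, start, i = 1, i + 1, i + 1
            while depth and i < len(text):    # scan to the matching close parenthesis
                depth += {"(": 1, ")": -1}.get(text[i], 0)
                i += 1
            value = text[start:i - 1]
        out[key] = value

def lint(command, groups_with_gid):
    """Check one ADDUSER/ALTUSER command against the steps of the procedure above."""
    verb, userid, rest = (command.split(None, 2) + ["", ""])[:3]
    top = operands(rest)
    omvs, found = operands(top.get("OMVS") or ""), []
    if "UID" not in omvs and "AUTOUID" not in omvs:
        found.append("OMVS has neither UID nor AUTOUID")
    home = (omvs.get("HOME") or "").strip("'")
    last = home.rsplit("/", 1)[-1]
    if not home.startswith("/"):
        found.append(f"HOME '{home}' is not fully qualified")
    elif last != last.lower() and last.lower() == userid.lower():
        found.append(f"HOME '{home}' uses an uppercase user name")
    if not omvs.get("PROGRAM"):
        found.append("no PROGRAM (initial program)")
    group = top.get("DFLTGRP")
    if group and group.upper() not in groups_with_gid:
        found.append(f"default group {group.upper()} has no OMVS GID")
    if verb.upper() == "ADDUSER":
        if not group:
            found.append("no DFLTGRP: issuer's current group becomes the default group")
        if "WORKATTR" not in top:
            found.append("no WORKATTR for SYSOUT name and address")
    return found

# Constructed inputs: PAGE_CMD is this page's ADDUSER example, shortened; BAD_CMD is made up.
GROUPS_WITH_GID = {"ENGNGP7"}                 # groups assumed to have an OMVS GID
PAGE_CMD = ("ADDUSER JOHN DFLTGRP(ENGNGP7) NAME('JOHN DOE') WORKATTR(WANAME('JOHN DOE')) "
            "OMVS(UID(314) HOME('/u/john') PROGRAM('/bin/sh'))")
BAD_CMD = "ALTUSER MARY DFLTGRP(PAYROLL) OMVS(HOME('MARY') PROGRAM('/bin/sh'))"
```

Calling lint(PAGE_CMD, GROUPS_WITH_GID) returns an empty list, while lint(BAD_CMD, GROUPS_WITH_GID) reports the missing UID, the partially specified home directory and the default group without a GID.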