Before you can do the ServerPac or CBPDO installation, or install
maintenance, you need to satisfy certain security requirements.
- The user ID must be UID=0 or permitted to the BPX.SUPERUSER resource
in the FACILITY class, and be connected to a group that has a GID.
- The user ID must be permitted READ access to the BPX.FILEATTR.SHARELIB,
BPX.FILEATTR.APF and BPX.FILEATTR.PROGCTL resources in the FACILITY
class (or to BPX.FILEATTR.* if you choose to use a generic name for these
resources). The commands that follow are also provided in SYS1.SAMPLIB(BPXISEC1).
To define BPX.FILEATTR.SHARELIB, BPX.FILEATTR.APF and BPX.FILEATTR.PROGCTL, issue:
RDEFINE FACILITY BPX.FILEATTR.SHARELIB UACC(NONE)
RDEFINE FACILITY BPX.FILEATTR.APF UACC(NONE)
RDEFINE FACILITY BPX.FILEATTR.PROGCTL UACC(NONE)
SETROPTS CLASSACT(FACILITY)
SETROPTS RACLIST(FACILITY)
To permit your user ID READ access to these resources, issue:
PERMIT BPX.FILEATTR.SHARELIB CLASS(FACILITY) ID(your_userid) ACCESS(READ)
PERMIT BPX.FILEATTR.APF CLASS(FACILITY) ID(your_userid) ACCESS(READ)
PERMIT BPX.FILEATTR.PROGCTL CLASS(FACILITY) ID(your_userid) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
Or, if you choose to use a generic FACILITY profile, issue:
SETROPTS GENERIC(FACILITY)
RDEFINE FACILITY BPX.FILEATTR.* UACC(NONE)
SETROPTS CLASSACT(FACILITY)
SETROPTS RACLIST(FACILITY)
PERMIT BPX.FILEATTR.* CLASS(FACILITY) ID(your_userid) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
- Define the following user ID and group IDs in your security database.
Even though they are lowercase in the example, these names should
be defined in uppercase for ease of use and manageability.
Note these rules:
- The GID and UID values assigned to these IDs cannot be used by any other IDs; they must be unique. If you assign the same GID to multiple groups, control at an individual group level is lost, because the GID is used in z/OS UNIX security checks. Because RACF® groups that have the same GID assignment are treated as a single group during the z/OS UNIX security checks, resources might be shared between groups unintentionally. Likewise, sharing a UID gives each user access to all of the resources associated with the other users of that shared UID. The shared access includes not only z/OS UNIX resources such as files, but also the possibility that one user could access resources of the other user that are normally considered to be outside the scope of z/OS UNIX.
- You must duplicate the required user ID and group names in each security database, including the same UID and GID values in the OMVS segment. Duplicating the IDs simplifies the process of transporting the HFS data sets from test systems to production systems. For example, the group name TTY on System 1 must have the same GID value on System 2 and System 3. If you cannot synchronize your databases, you will need to continue running the FOMISCHO job against each system after z/OS UNIX is installed.
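Both rules above (no UID or GID shared by two IDs, and identical UID/GID values for the same names in every security database) can be checked mechanically against RACF database unload (IRRDBU00) output. The following Python script is an added example, not part of this documentation; it assumes a fixed-column IRRDBU00 layout (record type in columns 1-4, user or group name in columns 6-13, UID or GID in columns 15-24, for record types 0270 and 0102), which you should verify against the record formats for your release before relying on it.

```python
"""Audit OMVS UID and GID assignments from RACF database unload (IRRDBU00) records.

Added example; not from the IBM documentation. Assumed column layout (verify
against your release): record type in columns 1-4, user or group name in
columns 6-13, UID or GID in columns 15-24, for record type 0270 (user OMVS
data) and 0102 (group OMVS data).
"""
from collections import defaultdict

USER_OMVS = "0270"   # user OMVS segment record type
GROUP_OMVS = "0102"  # group OMVS segment record type

# Constructed sample unload lines for two systems (not real data).
SYSTEM1_UNLOAD = """\
0100 OMVSGRP  ignored-non-OMVS-record
0102 OMVSGRP  0000000001
0102 TTY      0000000002
0270 OMVSKERN 0000000000
0270 ALICE    0000000007
0270 BOB      0000000007
"""
SYSTEM2_UNLOAD = """\
0102 OMVSGRP  0000000001
0102 TTY      0000000003
0270 OMVSKERN 0000000000
0270 ALICE    0000000007
"""


def parse_omvs(unload_text):
    """Return {"users": {name: uid}, "groups": {name: gid}} from unload text."""
    ids = {"users": {}, "groups": {}}
    for line in unload_text.splitlines():
        rtype = line[0:4]
        if rtype not in (USER_OMVS, GROUP_OMVS):
            continue  # only the OMVS segment records carry a UID or GID
        name = line[5:13].strip()
        value = int(line[14:24])
        ids["users" if rtype == USER_OMVS else "groups"][name] = value
    return ids


def find_shared_ids(assignments):
    """Map each UID/GID used by more than one name to the sorted names sharing it."""
    by_value = defaultdict(list)
    for name, value in assignments.items():
        by_value[value].append(name)
    return {v: sorted(n) for v, n in by_value.items() if len(n) > 1}


def find_mismatches(first, second):
    """Names in both databases whose UID/GID differ: {name: (first, second)}."""
    return {n: (first[n], second[n]) for n in sorted(first)
            if n in second and first[n] != second[n]}
```

Run `find_shared_ids` on each database's users and groups, and `find_mismatches` on each pair of systems; every non-empty result is an ID that violates one of the two rules.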
The following topics describe how to define these IDs to RACF. (If you are using an equivalent
security product, refer to that product's documentation.) All the RACF commands are issued by a user
ID with RACF SPECIAL authority.
Three procedures are described: