z/OS Security Server RACF Security Administrator's Guide


Understanding default user IDs

SA23-2289-00

RACF® assigns a default user ID to all work that enters your node when:
  • SYSOUT enters from one of the following:
    • A downlevel node
    • A default node

    For more information, see Understanding mixed security environments.

  • SYSOUT or a job enters your node, but your node is an intermediate (store-and-forward) node on the path to the work's final destination. The default user ID protects work while it resides on spool awaiting transmission.
  • SYSOUT enters your node when the NODES class is active and no applicable USERS profile exists.

RACF uses eight question marks (????????) as the user ID for all inbound work meeting the above criteria. RACF also assigns the default user ID to all store-and-forward work that resides temporarily at your node. The default user ID protects work while it resides on spool.

You cannot directly permit the default user ID (???????? or installation-defined) to any resources. However, you can translate the default user ID to a valid user ID if you want to process any of this type of work at your system.

You can change the ???????? user ID by using the NJEUSERID operand on the SETROPTS command:
SETROPTS JES(NJEUSERID(?NETWORK))

The user ID you specify on the NJEUSERID operand cannot be a user ID defined in the RACF database. Also, if you specify a user ID on the NJEUSERID operand, you cannot later define a user profile for that user ID. This prevents network jobs from having access to RACF-protected resources on your system.

The following example shows how to translate the default user ID for jobs:
RDEFINE NODES nodename.USERJ.???????? UACC(READ or higher) ADDMEM(NJEJOBS)
The following example shows how to do this for SYSOUT:
RDEFINE NODES nodename.USERS.???????? UACC(UPDATE or higher) ADDMEM(NJESOUT)
The following example shows how to do this for both SYSOUT and jobs:
RDEFINE NODES nodename.USER%.???????? UACC(READ or higher) ADDMEM(NJEWORK)
Note: This example assumes that a SETROPTS GENERIC(NODES) was previously issued to turn generics on for this class and that a SETROPTS REFRESH was then done.

You would also need to create user profiles for the translated user IDs (NJEJOBS, NJESOUT, or NJEWORK), and permit the user IDs to appropriate resource profiles (or connect them to appropriate groups).
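
The translation steps above, combined into one REXX exec for both jobs and SYSOUT. This is an added example and not part of the IBM guide. The node name NODEB, the group NJEGRP and the data set profile 'NJE.INBOUND.*' are placeholder assumptions; the NODES class is assumed to be active and RACLISTed already, and the data set profile is assumed to exist.

```rexx
/* REXX */
/* Added example, not IBM's code. Assumptions: node NODEB, group     */
/* NJEGRP and data set profile 'NJE.INBOUND.*' are placeholders;     */
/* the NODES class is already active and RACLISTed.                  */
node  = 'NODEB'
xuser = 'NJEWORK'          /* translated user ID from the page's example */

/* Turn generics on for NODES so that USER% matches USERJ and USERS.  */
cmd.1 = "SETROPTS GENERIC(NODES)"
cmd.2 = "SETROPTS GENERIC(NODES) REFRESH"

/* UPDATE meets both minimums given on the page: READ or higher for   */
/* jobs and UPDATE or higher for SYSOUT.                              */
cmd.3 = "RDEFINE NODES" node".USER%.???????? UACC(UPDATE)",
        "ADDMEM("xuser")"

/* The translated ID needs its own user profile. NOPASSWORD keeps it  */
/* from being used for an interactive logon with a password.          */
cmd.4 = "ADDUSER" xuser "NAME('NJE INBOUND WORK') DFLTGRP(NJEGRP)",
        "OWNER(NJEGRP) NOPASSWORD"

/* Grant only what the translated work needs (placeholder resource).  */
cmd.5 = "PERMIT 'NJE.INBOUND.*' ID("xuser") ACCESS(READ) GENERIC"

/* Make the new NODES profile effective in the in-storage copy.       */
cmd.6 = "SETROPTS RACLIST(NODES) REFRESH"
cmd.0 = 6

address TSO
do i = 1 to cmd.0
  say 'Issuing:' cmd.i
  cmd.i                          /* pass the string to TSO as a command */
  if rc > 4 then do              /* stop at the first failing command   */
    say 'Stopped: RC='rc 'from command' i
    exit rc
  end
end
exit 0
```

Stopping on the first failure avoids leaving a NODES profile that translates to a user ID with no profile or no permissions.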

Local jobs that enter the system without a user ID are assigned a user ID of ++++++++ (8 plus signs). You can specify which user ID to assign to such jobs by entering the following command:
SETROPTS JES(UNDEFINEDUSER(userid))
Note: The user ID you specify on the UNDEFINEDUSER operand cannot be a user ID defined in the RACF database. Also, if you specify a user ID on the UNDEFINEDUSER operand, you cannot later define a user profile for that user ID. This prevents undefined users from having access to RACF-protected resources on your system.

However, these user IDs can be used in JESSPOOL profile names. JES uses these names to associate an owner with the spool data, and to keep logical undefined users from accessing the data of network undefined users.





Copyright IBM Corporation 1990, 2014