Security on z/OS


Security for z/OS UNIX

The security administrator needs to prepare RACF® to provide security and to define users to RACF. For a user to be a z/OS® UNIX® user, the user's default group must be a z/OS UNIX group.

z/OS UNIX provides security mechanisms that work with the security offered by the z/OS system. A security product is required, either RACF or an equivalent security product. If you do not have a security product, you must write SAF exits to simulate all of the functions.

The z/OS UNIX security functions provided by RACF include user validation, file access checking, privileged user checking, and user limit checking. z/OS UNIX users are defined with RACF commands. When a job starts or a user logs on, the user ID and password are verified by RACF. When an address space requests a z/OS UNIX function for the first time, RACF:
  • Verifies that the user is defined as a z/OS UNIX user.
  • Verifies that the user's current connect group is defined as a z/OS UNIX group.
  • Initializes the control blocks needed for subsequent security checks.

To establish data and system security for z/OS UNIX resources, the security administrator and security auditor might need to work together to accomplish the following:
  • Managing group identifiers and user identifiers (GIDs and UIDs)
  • Allowing all z/OS UNIX users to transfer file ownership to any UID or GID on the system
  • Giving superuser authority to users
  • Changing superusers from UID(0) to a unique nonzero UID
  • Defining RACF groups to z/OS UNIX groups
  • Setting up the FILE.GROUPOWNER.SETGID profile
  • Setting up sanction list processing
  • Maintaining the security level of the system.
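
As an added illustration (not part of the IBM text), the REXX exec below issues the RACF commands that make a group a z/OS UNIX group, define a user whose default group is that group, and grant superuser capability through the BPX.SUPERUSER profile in the FACILITY class instead of UID(0). The names UNIXGRP and JSMITH, the GID/UID values and the home path are placeholders; it assumes the FACILITY class is already active and RACLISTed.

```rexx
/* REXX: added example. UNIXGRP, JSMITH, the GID/UID values and      */
/* /u/jsmith are placeholders. Assumes the FACILITY class is already */
/* active and RACLISTed, and that the caller may issue RACF commands.*/
failed = 0

/* 1. Make the RACF group a z/OS UNIX group: OMVS segment with a GID */
Call racf "ADDGROUP UNIXGRP OMVS(GID(500))"

/* 2. Define the user with that group as the default group, and give */
/*    the user an OMVS segment with a unique nonzero UID             */
cmd = "ADDUSER JSMITH DFLTGRP(UNIXGRP) NAME('J SMITH')",
      "OMVS(UID(1500) HOME('/u/jsmith') PROGRAM('/bin/sh'))"
Call racf cmd

/* 3. Superuser authority without UID(0): READ access to             */
/*    BPX.SUPERUSER lets the user switch to superuser when needed    */
Call racf "RDEFINE FACILITY BPX.SUPERUSER UACC(NONE)"
Call racf "PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(JSMITH) ACCESS(READ)"
Call racf "SETROPTS RACLIST(FACILITY) REFRESH"

/* 4. Check what RACF will see at the first z/OS UNIX request:       */
/*    the user's OMVS segment (UID) and the group's OMVS segment     */
Call racf "LISTUSER JSMITH OMVS NORACF"
Call racf "LISTGRP UNIXGRP OMVS NORACF"

If failed > 0 Then Say failed "command(s) ended with a nonzero return code"
Exit failed

/* Issue one TSO command and report a nonzero return code */
racf: Procedure Expose failed
  Parse Arg cmd
  Address TSO cmd
  If rc <> 0 Then Do
    Say "RC="rc "from:" cmd
    failed = failed + 1
  End
  Return
```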

Copyright IBM Corporation 1990, 2010