Steps for automatically assigning unique IDs through UNIX services

Before you begin: Ensure that your plan to maintain UNIX access control lists (ACLs) and GID memberships includes the new unique UIDs and GIDs generated by this method.

Perform the following steps to enable RACF® to automatically assign unique UIDs and GIDs for users who use z/OS® UNIX services:
  1. See your system programmer to ensure that your RACF database is enabled for AIM stage 3.

    For details about using the IRRIRA00 utility to advance the RACF database to AIM stage 3, see z/OS Security Server RACF System Programmer's Guide.

  2. Define the SHARED.IDS profile, if not already defined, in the UNIXPRIV class and activate and RACLIST the UNIXPRIV class. For instructions, see Defining the SHARED.IDS profile in the UNIXPRIV class.

  3. Define the BPX.NEXT.USER profile in the FACILITY class, if not already defined. For instructions, see Setting up the BPX.NEXT.USER profile.

  4. (Optional) Define a user profile to use as a model profile from which RACF can extract OMVS segment information. (You will specify the name of this profile in the APPLDATA field of the BPX.UNIQUE.USER profile in the FACILITY class in Step 5.)
    Guidelines:
    • Define the model profile to ensure that users who are automatically assigned unique UIDs are assigned adequate OMVS information to enable them to use UNIX services.
    • Omit UID for this profile. No UID is required for its intended purpose.
    • Use this user profile only as the model profile for the BPX.UNIQUE.USER profile. Do not use the user ID for any other purpose.
      • Limit the use of this user ID by assigning the RESTRICTED and NOPASSWORD attributes.
      • Grant no access authority to the user ID. Do not add the user ID to RACF access lists or connect it to RACF groups that might grant resource access.
    • You can specify the string &RACUID in the HOME directory path name to have RACF substitute the user ID in the path name when the OMVS segment is created. If you specify &RACUID in uppercase, RACF substitutes the user ID in uppercase. If you specify any character in the string &RACUID in lowercase, RACF substitutes the user ID in lowercase.
      • Only the first occurrence of the string is substituted.
      • If you are sharing the RACF database with a release of z/OS earlier than V2R1 that does not have APAR OA42554 installed and that uses BPX.UNIQUE.USER to assign OMVS segments, the &RACUID string is not replaced when an OMVS segment is created on that system.
      • If the substitution would result in a home directory path name that exceeds the maximum length of 1023 characters, substitution does not occur.
    Example: The following command defines a model profile that contains a HOME value in the OMVS segment.
    ADDUSER BPXMODEL NAME('OMVS model user profile')
       OMVS(HOME('/tmp') PROGRAM('/bin/sh'))
       NOPASSWORD RESTRICTED
    Example: The following command defines a model profile that substitutes the user ID in lowercase in the HOME value.
    ADDUSER BPXMODEL NAME('OMVS model user profile')
       OMVS(HOME('/u/&racuid') PROGRAM('/bin/sh'))
       NOPASSWORD RESTRICTED
    If the user TANIA has an OMVS segment created as a result of BPX.UNIQUE.USER processing, the value assigned to the HOME operand is /u/tania.
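    The &RACUID rules above (case of the substituted user ID, first occurrence only, 1023-character limit) are easy to misjudge when reviewing a model profile. The following Python function is an added illustration, not part of this RACF documentation and not RACF code: it models the documented substitution so an administrator can predict the HOME value a given model profile would produce before defining BPX.UNIQUE.USER. The function name, the sample templates and the user IDs are constructed for the example; the 1023-character limit is the one stated above.

```python
import re

# Maximum HOME path length given in the documentation: if substituting the
# user ID would exceed it, RACF leaves the template unchanged.
MAX_HOME_LEN = 1023

# Case-insensitive match for the &RACUID token (any mix of upper/lower case).
_RACUID = re.compile(r"&racuid", re.IGNORECASE)


def substitute_racuid(home_template: str, userid: str) -> str:
    """Model of RACF's &RACUID substitution in a model profile's HOME value.

    Rules implemented, as documented:
      * only the first occurrence of the token is replaced;
      * an all-uppercase token (&RACUID) yields the user ID in uppercase,
        a token with any lowercase character yields it in lowercase;
      * if the result would exceed MAX_HOME_LEN, no substitution occurs.
    """
    match = _RACUID.search(home_template)
    if match is None:
        return home_template                      # no token: HOME used as-is

    token = match.group(0)
    replacement = userid.upper() if token == "&RACUID" else userid.lower()

    # Replace only the first occurrence; later tokens are kept verbatim.
    candidate = home_template[:match.start()] + replacement + home_template[match.end():]
    if len(candidate) > MAX_HOME_LEN:
        return home_template                      # too long: substitution skipped
    return candidate


if __name__ == "__main__":
    # Constructed sample model-profile HOME values and user IDs.
    for template, user in [("/u/&racuid", "TANIA"),
                           ("/u/&RACUID", "TANIA"),
                           ("/u/&Racuid/&racuid", "TANIA")]:
        print(f"{template!r:24} + {user} -> {substitute_racuid(template, user)!r}")
```

    Running the script shows the page's own case: `/u/&racuid` with user TANIA yields `/u/tania`, while an uppercase `&RACUID` token yields `/u/TANIA`, and only the first of two tokens is substituted. Checking candidate HOME templates this way before step 5 avoids discovering, after users have already been dubbed, that their home directories were created with a literal `&racuid` component.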

  5. Define the BPX.UNIQUE.USER profile in the FACILITY class and specify the name of the model profile in the APPLDATA field.
    Example:
    RDEFINE FACILITY BPX.UNIQUE.USER APPLDATA('BPXMODEL')

    Rule: Specify no generic characters in the BPX.UNIQUE.USER profile name.

    If you do not want to propagate any OMVS information from a model profile, do not specify APPLDATA.

    Example:
    RDEFINE FACILITY BPX.UNIQUE.USER

  6. If the FACILITY class is RACLISTed, activate your new FACILITY profiles by refreshing the FACILITY class.
    Example:
    SETROPTS RACLIST(FACILITY) REFRESH
    You need not activate and RACLIST the FACILITY class to enable automatic assignment of unique IDs. However, if the FACILITY class is already RACLISTed, you must refresh the class.

You have now enabled RACF to automatically assign unique IDs for users without OMVS segments when they use z/OS UNIX services. All users are now able to access z/OS UNIX services because they are automatically assigned a UID when they attempt to access a z/OS UNIX service for the first time.

If you want to prevent certain users from being able to access z/OS UNIX services, define an OMVS segment with no UID for those users. This prevents their user IDs from being automatically assigned a UID. When they attempt to use a z/OS UNIX service, the dub will fail, and a daemon will be unable to switch to these user IDs.

Example:
ALTUSER TSOADM1 OMVS(NOUID)