Summary of steps for defining users
This summary presents the steps required by RACF® and related IBM® licensed programs to define users to RACF. Your installation might require additional steps, depending on your security policy and the products you have installed.
- Prepare to create the user profile as follows:
  - Decide which default connect group to assign to the user. If a group profile does not yet exist for the group, create the group using the procedure described in Summary of steps for defining a RACF group.
  - Decide which user ID to assign to the user.
  - Decide which user or group is to be the owner of the user profile. (If the owner is a user, give him or her the information needed to manage the new profile.)
  - Decide if the user should be allowed to use a password to access the system and, if so, choose the user's initial password. Specify a non-trivial value.
  - Decide if the user should be allowed to use a password phrase to access the system and, if so, choose the user's initial password phrase.
  - Determine if the user's access to the system should be limited to certain days of the week, hours of the day, or both.
  - Decide which user attributes (such as SPECIAL or AUDITOR) the user should have, and whether the user attributes should be limited to the scope of a group (group-SPECIAL or group-AUDITOR).
  - If security labels are used, decide which security label to assign to the user.
  - Decide whether the user can establish user ID associations to enable password synchronization and command direction between user IDs. See The RACF remote sharing facility (RRSF) for more information.
  - If DFSMSdss is in use, work with the storage administrator to do the following:
    - Determine the initial values in the user's DFP segment.
    - Determine which DFP resources the user should have access to.
  - Determine which primary and secondary languages the user should have (if they should be different from the installation defaults set by the SETROPTS command).
  - If you want to authorize the user to establish an extended MCS console session, work with the system operations planner to determine the initial values in the user's OPERPARM segment. For more information, see The OPERPARM segment in user profiles and z/OS MVS Planning: Operations.
  - If the user is a CICS® user, work with the CICS administrator to do the following:
    - Determine the initial values in the user's CICS segment.
    - Determine which primary and secondary languages the user should have (if they should be different from the CICS-specified installation defaults). Note: CICS does not check the installation defaults set by the SETROPTS command.
    - Determine the CICS resources to which the user should have access.
    - For more specific CICS and RACF security information, see CICS Transaction Server for z/OS.
  - Work with the APPC administrator to do the following:
    - Determine the initial values in the user's WORKATTR segment.
    - Determine which APPC/MVS resources the user should have access to.
- Create the user profile. You can use either of the following methods:
  - Issuing the ADDUSER command.
  - Enrolling the user through the TSO/E Information Center Facility (ICF) panels. For more information about administering the Information Center Facility, see z/OS TSO/E Administration.
  Here is an example of using the ADDUSER command to create a user profile. Suppose you want to create a user profile for user Steve H., a member of Department A. You want to assign the following values:
  - STEVEH for the user ID
  - DEPTA for the default connect group
  - DEPTA for the owner of the STEVEH user profile
  - R3I5VQX for the initial password
  - Steve H. for the user's name
  Steve H. does not require any of the user profile segments except TSO. The TSO segment values that you want to set to start with are 123456 for the account number and PROC01 for the logon procedure.
  To create a user profile with these values, enter:
  ADDUSER STEVEH DFLTGRP(DEPTA) OWNER(DEPTA) NAME('Steve H.') PASSWORD(R3I5VQX) TSO(ACCTNUM(123456) PROC(PROC01))
- Create a top generic profile for the user in the DATASET class using the ADDSD command. For example, if the user's user ID is STEVEH, enter:
  ADDSD 'STEVEH.**' UACC(NONE)
- If users at your installation manage their own resource profiles, give them the information they need. For example, they might need to use portions of z/OS Security Server RACF Command Language Reference.
- If the user is to define general resource profiles (as, for example, an administrator might), give the user the CLAUTH attribute in the appropriate classes (for example, the JESSPOOL class) and the information needed for working with those profiles. Note: If the SETROPTS GENERICOWNER option is in effect, you must create a top profile for the user in the JESSPOOL class, make the user the owner of the profile, and give the user CLAUTH(JESSPOOL). For more information, see Letting users create their own JESSPOOL profiles and Defining profiles for SYSIN and SYSOUT data sets.
- If needed, give the user access to RACF-protected resources. This can be done using one or both of the following:
  - Connect the user to groups that have the same access requirements as this user, using the CONNECT command. For example, to allow user STEVEH to have access to his department's resources (that is, to resources belonging to group DEPTA), enter:
    CONNECT STEVEH GROUP(DEPTA) OWNER(DEPTA)
    By default, the command gives USE authority to STEVEH.
  - If the user requires specific access to RACF-protected resources (beyond that permitted by connecting the user to groups), give the user the access required, using the PERMIT command. Consider the following:
    - If the user is a TSO user, remember the necessary TSO resources (such as TSOPROC).
    - If data sets are managed by SMS, remember the MGMTCLAS and STORCLAS classes.
    For example, to give user STEVEH permission to use a customized TSO logon procedure called CUSTPROC (whose profile in the TSOPROC general resource class has already been defined with a universal access of NONE), enter:
    PERMIT CUSTPROC CLASS(TSOPROC) ID(STEVEH) ACCESS(READ)
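The procedure above carried through as an added Python example (not from the IBM documentation): it validates the inputs, rejects an obviously trivial initial password, and emits the ADDUSER, ADDSD, CONNECT and PERMIT commands for Steve H. in the order they are issued, without running them. The class and function names, the identifier character set, and the specific password checks are assumptions.

```python
import re
from dataclasses import dataclass, field
ID_RE = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")  # user/group IDs: 1-8 chars, no leading digit (assumed)

@dataclass
class NewUser:
    userid: str
    dfltgrp: str
    owner: str
    name: str
    password: str
    tso_acctnum: str = ""
    tso_proc: str = ""
    extra_groups: list = field(default_factory=list)  # connected with CONNECT
    permits: list = field(default_factory=list)       # (resource, class, access) tuples

def check_password(userid: str, dfltgrp: str, password: str) -> None:
    # "Specify a non-trivial value": the concrete checks here are assumed, not RACF's own rules
    pw = password.upper()
    if not 1 <= len(pw) <= 8:
        raise ValueError("initial password must be 1-8 characters")
    if pw in (userid.upper(), dfltgrp.upper()) or len(set(pw)) == 1:
        raise ValueError("trivial initial password")

def tso_quote(text: str) -> str:
    # TSO quoted-string operand; an embedded apostrophe is written doubled
    return "'" + text.replace("'", "''") + "'"

def build_commands(u: NewUser) -> list:
    # Returns the TSO commands for the steps above, in the order they are issued
    for ident in (u.userid, u.dfltgrp, u.owner, *u.extra_groups):
        if not ID_RE.match(ident):
            raise ValueError(f"invalid RACF identifier: {ident!r}")
    check_password(u.userid, u.dfltgrp, u.password)
    adduser = (f"ADDUSER {u.userid} DFLTGRP({u.dfltgrp}) OWNER({u.owner}) "
               f"NAME({tso_quote(u.name)}) PASSWORD({u.password})")
    tso = " ".join(p for p in (u.tso_acctnum and f"ACCTNUM({u.tso_acctnum})",
                               u.tso_proc and f"PROC({u.tso_proc})") if p)
    cmds = [adduser + (f" TSO({tso})" if tso else "")]
    cmds.append(f"ADDSD '{u.userid}.**' UACC(NONE)")  # top generic profile, no public access
    for grp in u.extra_groups:  # ADDUSER has already connected the user to DFLTGRP
        cmds.append(f"CONNECT {u.userid} GROUP({grp}) OWNER({grp})")
    for resource, klass, access in u.permits:
        cmds.append(f"PERMIT {resource} CLASS({klass}) ID({u.userid}) ACCESS({access})")
    return cmds

STEVEH = NewUser("STEVEH", "DEPTA", "DEPTA", "Steve H.", "R3I5VQX",  # the page's example user
                 tso_acctnum="123456", tso_proc="PROC01",
                 permits=[("CUSTPROC", "TSOPROC", "READ")])
print("\n".join(build_commands(STEVEH)))
```

The default group is not connected again because ADDUSER with DFLTGRP already creates that connection; additional groups go in extra_groups.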