BPX.DAEMON
If the BPX.DAEMON resource in the FACILITY class is defined, your system has z/OS® UNIX security. Your system can exercise more control over your superusers.
This level of security is for customers with stricter security requirements who need to have some superusers maintaining the file system but want to have greater control over the z/OS resources that these users can access. Although BPX.DAEMON provides some additional control over the capabilities of a superuser, a superuser should still be regarded as a privileged user because of the full range of privileges the superuser is granted.
- The caller's user identity was permitted to BPX.DAEMON.
- All programs running in the address space have been loaded from a library that is controlled by a security product. A library that is identified to RACF® program control is an example. You can identify individual files as controlled programs. For more information, see Customizing the system for IBM-supplied daemons.
Programs that were loaded from MVS™ libraries do not need to be controlled programs if BPX.DAEMON.HFSCTL has been set up. Only UNIX files are checked for program control. For information about setting up BPX.DAEMON.HFSCTL, see Checking UNIX files for program control.
Kernel services that change a caller's z/OS user identity require the target z/OS user identity to have an OMVS segment defined. If you want to maintain this extra level of control at your installation, you must choose which daemons to permit to BPX.DAEMON. You will also have to choose the users to whom you give the OMVS security profile segments. To accomplish this, see Steps for preparing the security program for daemons.
The RACF WARN mode is not supported for BPX.DAEMON.
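The RACF setup that the conditions above imply, as an added example that is not taken from the IBM documentation: RACF TSO commands with CLIST-style comments. The user IDs DAEMNID and TARGUSR, the data set name HLQ.DAEMON.LOADLIB, the UID value and the home directory are placeholders assumed for illustration.

```tso
/* Added example. DAEMNID, TARGUSR, HLQ.DAEMON.LOADLIB, the UID and  */
/* the home directory are placeholders, not values from the page.    */

/* 1. Define BPX.DAEMON with no default access, so that only user    */
/*    IDs that are explicitly permitted can pass the check.          */
RDEFINE FACILITY BPX.DAEMON UACC(NONE)

/* 2. Permit only the user ID that the daemon runs under. Other      */
/*    superusers stay off the access list.                           */
PERMIT BPX.DAEMON CLASS(FACILITY) ID(DAEMNID) ACCESS(READ)

/* 3. Refresh the in-storage profiles if FACILITY is RACLISTed.      */
SETROPTS RACLIST(FACILITY) REFRESH

/* 4. Put the MVS library that holds the daemon's load modules under */
/*    program control. If the PROGRAM * profile already exists, use  */
/*    RALTER with the same ADDMEM operand instead of RDEFINE.        */
RDEFINE PROGRAM * ADDMEM('HLQ.DAEMON.LOADLIB'//NOPADCHK) UACC(READ)
SETROPTS WHEN(PROGRAM) REFRESH

/*    For a program file in the z/OS UNIX file system, the matching  */
/*    step is done from the shell: extattr +p <path-to-program>      */

/* 5. Give an OMVS segment to each user ID that the daemon is        */
/*    allowed to switch to. A user ID without one cannot be the      */
/*    target of an identity change.                                  */
ALTUSER TARGUSR OMVS(UID(1234) HOME('/u/targusr') PROGRAM('/bin/sh'))

/* 6. Review the result: who is on the access list, and which        */
/*    target users have an OMVS segment.                             */
RLIST FACILITY BPX.DAEMON AUTHUSER
LISTUSER TARGUSR OMVS NORACF
```

Because WARN mode is not supported for BPX.DAEMON, review the access list from step 6 before the profile is defined on a production system; a daemon user ID that is missing from it fails the check as soon as the profile is active.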