Purpose
Use the ADDUSER command to define a new user to RACF® and establish the user's relationship to an existing RACF-defined group. The command adds a profile for the new user to the RACF database and creates a connect profile that connects the user to whichever default group you specify.
The user profile consists of a RACF segment and, optionally, other segments such as a TSO segment, a DFP segment, or an OMVS segment. You can use this command to define information in any segment of the user's profile.
Although user ID association information is in the user's profile, you must use the RACLINK command to define a user ID association.
Attention:
- When the ADDUSER command is issued from ISPF, the TSO command buffer (including password and password phrase data) is written to the ISPLOG data set. Either do not issue this command from ISPF, or control access to the ISPLOG data set carefully.
- If the ADDUSER command is issued as a RACF operator command, the command and all of its data (including password and password phrase data) are written to the system log. Do not issue ADDUSER as an operator command unless you specify NOPASSWORD; in all other cases, issue it as a TSO command.
This command is not intended to be used for profiles
in the DIGTCERT or DIGTNMAP classes.
Issuing options
The following table identifies the eligible options for issuing the ADDUSER command:

  As a RACF TSO command?               Yes
  As a RACF operator command?          Yes
  With command direction?              Yes
  With automatic command direction?    Yes
  From the RACF parameter library?     Yes

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands. For information on issuing this command as a RACF operator command, refer to RACF operator commands. You must be logged on to the console to issue this command as a RACF operator command.
Authorization required
When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

To use the ADDUSER command, you must have one of the following:
- The SPECIAL attribute
- The CLAUTH attribute for the USER class while one of the following is true:
  - You are the owner of the default group specified in this command.
  - You have JOIN authority in the default group specified in this command.
  - The default group is within the scope of a group in which you have the group-SPECIAL attribute.

You must have the SPECIAL attribute to give the new user the OPERATIONS, SPECIAL, or AUDITOR attribute. You need not have the SPECIAL attribute to specify the OWNER operand.

You cannot assign a user an attribute or authority higher than your own.

To assign a security category to a profile, you must have the SPECIAL attribute, or the category must be in your user profile.

To assign a security level to a profile, you must have the SPECIAL attribute or, in your own profile, a security level that is equal to or greater than the security level you are assigning.

To define information within a segment other than the base segment, you must have one of the following:
- The SPECIAL attribute
- At least UPDATE authority to the desired field within the segment through field-level access control.
For information on field-level access checking, see z/OS Security Server RACF Security Administrator's Guide.

To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class, and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword, you must have the SPECIAL attribute, the user ID specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.

To specify the SHARED keyword, you must have the SPECIAL attribute or at least READ authority to the SHARED.IDS resource in the UNIXPRIV class.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the ADDUSER command is:

  [subsystem-prefix]{ADDUSER | AU}
      (userid …)
      [ ADDCATEGORY(category-name …) ]
      [ ADSP | NOADSP ]
      [ AT([node].userid …) | ONLYAT([node].userid …) ]
      [ AUDITOR | NOAUDITOR ]
      [ AUTHORITY(group-authority) ]
      [ CICS(
          [ OPCLASS(operator-class …) ]
          [ OPIDENT(operator-id) ]
          [ OPPRTY(operator-priority) ]
          [ RSLKEY(rslkey … | 0 | 99) ]
          [ TIMEOUT(timeout-value) ]
          [ TSLKEY(tslkey … | 0 | 1 | 99) ]
          [ XRFSOFF(FORCE | NOFORCE) ]
        ) ]
      [ CLAUTH(class-name …) | NOCLAUTH ]
      [ CSDATA(
          [ custom-field-name(custom-field-value) ] …
        ) ]
      [ DATA('installation-defined-data') ]
      [ DCE(
          [ AUTOLOGIN(YES | NO) ]
          [ DCENAME(user-principal-name) ]
          [ HOMECELL(dce-cell-name) ]
          [ HOMEUUID(home-cell-UUID) ]
          [ UUID(universal-unique-identifier) ]
        ) ]
      [ DFLTGRP(group-name) ]
      [ DFP(
          [ DATAAPPL(application-name) ]
          [ DATACLAS(data-class-name) ]
          [ MGMTCLAS(management-class-name) ]
          [ STORCLAS(storage-class-name) ]
        ) ]
      [ EIM(
          LDAPPROF(ldapbind_profile)
        ) ]
      [ GRPACC | NOGRPACC ]
      [ KERB(
          [ ENCRYPT(
              [ DES | NODES ]
              [ DES3 | NODES3 ]
              [ DESD | NODESD ]
              [ AES128 | NOAES128 ]
              [ AES256 | NOAES256 ]
            ) ]
          [ KERBNAME(kerberos-principal-name) ]
          [ MAXTKTLFE(max-ticket-life) ]
        ) ]
      [ LANGUAGE(
          [ PRIMARY(language) ]
          [ SECONDARY(language) ]
        ) ]
      [ LNOTES(
          [ SNAME(short-name) ]
        ) ]
      [ MODEL(dsname) ]
      [ NAME(user-name) ]
      [ NDS(
          [ UNAME(user-name) ]
        ) ]
      [ NETVIEW(
          [ CONSNAME(console-name) ]
          [ CTL(GENERAL | GLOBAL | SPECIFIC) ]
          [ DOMAINS(domain-name …) ]
          [ IC('command | command-list') ]
          [ MSGRECVR(NO | YES) ]
          [ NGMFADMN(NO | YES) ]
          [ NGMFVSPN(view-span) ]
          [ OPCLASS(class …) ]
        ) ]
      [ OIDCARD | NOOIDCARD ]
      [ OMVS[(
          [ ASSIZEMAX(address-space-size) ]
          [ AUTOUID | UID(user-identifier) [SHARED] ]
          [ CPUTIMEMAX(cpu-time) ]
          [ FILEPROCMAX(files-per-process) ]
          [ HOME(initial-directory-name) ]
          [ MEMLIMIT(nonshared-memory-size) | NOMEMLIMIT ]
          [ MMAPAREAMAX(memory-map-size) ]
          [ PROCUSERMAX(processes-per-UID) ]
          [ PROGRAM(program-name) ]
          [ SHMEMMAX(shared-memory-size) | NOSHMEMMAX ]
          [ THREADSMAX(threads-per-process) ]
        )] ]
      [ OPERATIONS | NOOPERATIONS ]
      [ OPERPARM(
          [ ALTGRP(alternate-console-group) ]
          [ AUTH(operator-authority) ]
          [ AUTO(YES | NO) ]
          [ CMDSYS(system-name) ]
          [ DOM(NORMAL | ALL | NONE) ]
          [ HC(YES | NO) ]
          [ INTIDS(YES | NO) ]
          [ KEY(searching-key) ]
          [ LEVEL(message-level) ]
          [ LOGCMDRESP(SYSTEM | NO) ]
          [ MFORM(message-format) ]
          [ MIGID(YES | NO) ]
          [ MONITOR(event) ]
          [ MSCOPE(system-names | * | *ALL) ]
          [ ROUTCODE(ALL | NONE | routing-codes) ]
          [ STORAGE(amount) ]
          [ UD(YES | NO) ]
          [ UNKNIDS(YES | NO) ]
        ) ]
      [ OVM(
          [ FSROOT(file-system-root) ]
          [ HOME(initial-directory-name) ]
          [ PROGRAM(program-name) ]
          [ UID(user-identifier) ]
        ) ]
      [ OWNER(userid or group-name) ]
      [ PASSWORD(password) | NOPASSWORD ]
      [ PHRASE('password-phrase') ]
      [ PROXY[(
          [ LDAPHOST(ldap_url) ]
          [ BINDDN(bind_distinguished_name) ]
          [ BINDPW(bind_password) ]
        )] ]
      [ RESTRICTED | NORESTRICTED ]
      [ SECLABEL(seclabel-name) ]
      [ SECLEVEL(seclevel-name) ]
      [ SPECIAL | NOSPECIAL ]
      [ TSO(
          [ ACCTNUM(account-number) ]
          [ COMMAND(command-issued-at-logon) ]
          [ DEST(destination-id) ]
          [ HOLDCLASS(hold-class) ]
          [ JOBCLASS(job-class) ]
          [ MAXSIZE(maximum-region-size) ]
          [ MSGCLASS(message-class) ]
          [ PROC(logon-procedure-name) ]
          [ SECLABEL(security-label) ]
          [ SIZE(default-region-size) ]
          [ SYS(sysout-class) ]
          [ UNIT(unit-name) ]
          [ USERDATA(user-data) ]
        ) ]
      [ UACC(access-authority) ]
      [ WHEN(
          [ DAYS(day-info) ]
          [ TIME(time-info) ]
        ) ]
      [ WORKATTR(
          [ WAACCNT(account-number) ]
          [ WAADDR1(address-line-1) ]
          [ WAADDR2(address-line-2) ]
          [ WAADDR3(address-line-3) ]
          [ WAADDR4(address-line-4) ]
          [ WABLDG(building) ]
          [ WADEPT(department) ]
          [ WANAME(name) ]
          [ WAROOM(room) ]
        ) ]
Parameters
- subsystem-prefix
- Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it, or you can contact your RACF security administrator.
Specify the subsystem prefix only when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- userid
- Specifies the user to be defined to RACF. If you are defining more than one user, the list of user IDs must be enclosed in parentheses.
This operand is required and must be the first operand following ADDUSER.
Each user ID must be unique and must not currently exist on the RACF database as a user ID or a group name.
- ADDCATEGORY(category-name
…)
- Specifies
one or more names of installation-defined security categories. The
names you specify must be defined as members of the CATEGORY profile
in a SECDATA class. (For information on defining security categories,
see z/OS Security Server RACF Security Administrator's Guide.)
When
the SECDATA class is active and you specify ADDCATEGORY, RACF performs security category checking in
addition to its other authorization checking. If a user requests access
to a resource, RACF compares
the list of security categories in the user's profile with the list
of security categories in the resource profile. If RACF finds any security category in the resource
profile that is not in the user's profile, RACF denies access to the resource. If the user's
profile contains all the required security categories, RACF continues with other authorization checking.
Note: RACF does not perform security
category checking for a started task or user with the RACF privileged or trusted attribute. The RACF privileged or trusted attribute
can be assigned to a started task through the RACF started procedures table or STARTED class,
or to other users by installation-supplied RACF exits.
- ADSP | NOADSP
- ADSP
- Specifies that all permanent
tape and DASD data sets created by the new user are to be automatically
RACF-protected by discrete profiles. ADSP specified on the ADDUSER
command overrides NOADSP specified on the CONNECT command.
If
SETROPTS NOADSP is in effect, RACF ignores
the ADSP attribute at logon or job initiation.
- NOADSP
- Specifies
that the new user is not to have the ADSP attribute. NOADSP is the
default value if you omit both ADSP and NOADSP.
- AT
| ONLYAT
- The AT and ONLYAT keywords are only valid when the command is
issued as a RACF TSO command.
- AT([node].userid
…)
- Specifies
that the command is to be directed to the node specified by node,
where it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the
command is directed to the local node.
- ONLYAT([node].userid
…)
- Specifies
that the command is to be directed only to the node specified by node where
it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the
command is directed only to the local node.
- AUDITOR | NOAUDITOR
- AUDITOR
- Specifies that the new
user has full responsibility for auditing the use of system resources,
and is able to control the logging of detected accesses to any RACF-protected
resources during RACF authorization
checking and accesses to the RACF database.
You must have the SPECIAL attribute to enter the AUDITOR operand.
- NOAUDITOR
- Specifies
that the new user does not have the AUDITOR attribute. NOAUDITOR is
the default value if you omit both AUDITOR and NOAUDITOR.
- AUTHORITY(group-authority)
- Specifies
the level of group authority for the new user in the default group.
The valid group authority values are USE, CREATE, CONNECT, and JOIN, as described in Group authorities.
If you omit this operand or specify AUTHORITY without group-authority,
the default value is USE.
This operand is group-related. If a
user is connected to other groups (with the CONNECT command), the
user can have a different group authority in each group.
- CICS®
- Defines CICS operator information for a
new CICS terminal user. You
can control access to an entire CICS segment
or to individual fields within the CICS segment
by using field-level access checking. For more information, see z/OS Security Server RACF Security Administrator's Guide.
- OPCLASS(operator-class …)
- Specifies numbers 1 - 24, defined
as two digits, representing classes assigned to this operator to which
BMS (basic mapping support) messages are to be routed.
- OPIDENT(operator-id)
- Specifies a 1 - 3 character
identification of the operator for use by BMS.
Operator identifiers can consist of any characters, and can be entered with or without single quotation marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are to be entered as part of the operator identifier, the character string must be enclosed in single quotation marks. For example, if the operator identifier is (1), you must enter OPIDENT('(1)').
- If a single quotation mark is intended to be part of the character string, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.
If OPIDENT is not specified, the field defaults to blanks in the RACF user profile, and blanks appear in the field in the LISTUSER command output.
- OPPRTY(operator-priority)
- Specifies the number from 0 - 255 that
represents the priority of the operator.
If OPPRTY is not specified,
the field defaults to zeros in the RACF user
profile, and zeros appear in the field in the LISTUSER command output.
- RSLKEY(rslkey … | 0 | 99)
- Specifies the resource security level (RSL) keys assigned to the
user. The RSL keys are used by CICS on
distributed platforms. Each CICS resource
has one RSL key assigned to it; in order for a user to access a resource,
the user must have the same RSL key as the RSL key assigned to the
resource.
- RSLKEY(rslkey …) specifies a list of
one or more numbers in the range of 1 through 24 which represent the
resource security level (RSL) keys assigned to the user.
- If RSLKEY(0) is specified, no RSL keys are assigned to the user.
- If RSLKEY(99) is specified, all RSL keys are assigned to the user
(1 - 24,
inclusive).
- Keys 0 and 99 are mutually exclusive and cannot be specified with
any other keys.
- If RSLKEY is specified with no key numbers, RSLKEY(0) is defaulted.
- If RSLKEY is not specified, CICS will
treat it as RSLKEY(0).
- TIMEOUT(timeout-value)
- Specifies the time, in hours and minutes, that the operator is allowed to be idle before being signed off. The value can be entered in the form m, mm, hmm, or hhmm. The minutes part (m or mm) must be 00 - 59, or 00 - 60 when the hours part (h or hh) is omitted or is 0 or 00. The hours part must be 00 - 99. TIMEOUT defaults to 0 if omitted, meaning no timeout.
- TSLKEY(tslkey … | 0 | 1 | 99)
- Specifies the transaction security level (TSL) keys assigned to
the user. The TSL keys are used by CICS on
distributed platforms. Each CICS transaction
has one TSL key assigned to it; in order for a user to run a transaction,
the user must have the same TSL key as the TSL key assigned to the
transaction.
- TSLKEY(tslkey …) specifies a list of
one or more numbers in the range of 1 through 64 which represent the
transaction security level (TSL) keys assigned to the user.
- If TSLKEY(0) is specified, no TSL keys are assigned to the user.
- If TSLKEY(99) is specified, all TSL keys are assigned to the user
(1 - 64,
inclusive).
- Keys 0 and 99 are mutually exclusive and cannot be specified with
any other keys.
- If TSLKEY is specified with no key numbers, TSLKEY(1) is defaulted.
- If TSLKEY is not specified, CICS will
treat it as TSLKEY(1).
- XRFSOFF(FORCE | NOFORCE)
- FORCE means that the user is signed off by CICS when an XRF takeover occurs; NOFORCE means that the user is not signed off when an XRF takeover occurs.
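The following Python helper is an added example, not code from IBM or from the RACF product. It encodes the RSLKEY, TSLKEY and TIMEOUT rules given above (expanding 0 and 99, enforcing the 1 - 24 and 1 - 64 ranges and the documented defaults, and converting the m, mm, hmm or hhmm TIMEOUT form into minutes) so that a proposed CICS segment can be checked before the ADDUSER command is submitted. The function names and the sample key lists are this example's own.

```python
"""Normalize the CICS segment operands RSLKEY, TSLKEY and TIMEOUT.

Added example, not IBM code: it encodes the rules stated for ADDUSER CICS(...)
so a proposed segment can be checked before the command is submitted.
Helper names are this example's own.
"""

RSL_MAX = 24   # RSL keys are numbered 1-24
TSL_MAX = 64   # TSL keys are numbered 1-64


def _expand_keys(keys, upper, empty_default, label):
    """Return the set of keys an RSLKEY/TSLKEY key list denotes.

    0 means no keys and 99 means every key 1..upper; each must be specified
    alone.  An empty list takes the operand's documented default
    (0 for RSLKEY, 1 for TSLKEY).
    """
    keys = list(keys) if keys else [empty_default]
    if 0 in keys or 99 in keys:
        if len(keys) != 1:
            raise ValueError(f"{label}: 0 and 99 are exclusive and cannot be combined with other keys")
        return frozenset() if keys[0] == 0 else frozenset(range(1, upper + 1))
    bad = [k for k in keys if not 1 <= k <= upper]
    if bad:
        raise ValueError(f"{label}: keys outside 1-{upper}: {bad}")
    return frozenset(keys)


def rsl_keys(keys=None):
    """RSLKEY(...) -> set of resource security level keys held by the user."""
    return _expand_keys(keys, RSL_MAX, 0, "RSLKEY")


def tsl_keys(keys=None):
    """TSLKEY(...) -> set of transaction security level keys held by the user."""
    return _expand_keys(keys, TSL_MAX, 1, "TSLKEY")


def timeout_minutes(value=None):
    """Convert a TIMEOUT value written as m, mm, hmm or hhmm into idle minutes.

    Omitted -> 0, meaning no timeout.  The minutes part may be 00-60 only when
    no hours are given or hours are 0; with hours 1-99 it must be 00-59.
    Pass the value as a string so leading zeros (e.g. "060") survive.
    """
    if value is None:
        return 0
    text = str(value)
    if not (text.isascii() and text.isdigit() and 1 <= len(text) <= 4):
        raise ValueError(f"TIMEOUT({value}): expected 1 to 4 digits")
    hours, minutes = (0, int(text)) if len(text) <= 2 else (int(text[:-2]), int(text[-2:]))
    if minutes > (60 if hours == 0 else 59):
        raise ValueError(f"TIMEOUT({value}): minutes {minutes:02d} not allowed with {hours} hours")
    return hours * 60 + minutes


def may_access(user_keys, key_assigned):
    """CICS permits access only when the user holds the single key assigned
    to the resource (RSL) or transaction (TSL)."""
    return key_assigned in user_keys


if __name__ == "__main__":
    # Constructed sample: an operator with RSL keys 3 and 7, every TSL key,
    # and a 90-minute idle limit written as TIMEOUT(130).
    print(sorted(rsl_keys([3, 7])), len(tsl_keys([99])), timeout_minutes("130"))
```

Note that TSLKEY defaults differ from RSLKEY: an omitted or empty TSLKEY leaves the user holding key 1, whereas an omitted RSLKEY leaves the user with no RSL keys at all, so `tsl_keys()` and `rsl_keys()` deliberately return different sets.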
- CLAUTH | NOCLAUTH
- CLAUTH(class-name …)
- Specifies
the classes in which the new user is allowed to define profiles to RACF for protection. Classes you
can specify are USER, and any resource classes defined in the class
descriptor table.
To enter the CLAUTH operand, you must have the
SPECIAL attribute or have the CLAUTH attribute for the classes specified.
If you do not have sufficient authority for a specified class, RACF ignores the CLAUTH specification
for that class and continues processing with the next class name specified.
Note: The
CLAUTH attribute has no meaning for the FILE and DIRECTORY classes.
- NOCLAUTH
- Specifies
that the new user is not to have the CLAUTH attribute. NOCLAUTH is
the default if you omit both CLAUTH and NOCLAUTH.
- CSDATA
- Specifies
information to add a custom field for this user.
Usage for each
custom field is defined using the CFDEF operand of the RDEFINE command
for resource profiles in the CFIELD class. Contact your security administrator
to see how custom fields are used at your installation. For more information
about custom fields, see z/OS Security Server RACF Security Administrator's Guide.
- custom-field-name(custom-field-value)
…
- Specifies the name
and value of a custom field for this user. You can add values for
multiple custom fields with a single ADDUSER command.
Rules:
- You must use the same custom-field-name as defined by the CFIELD profile named USER.CSDATA.custom-field-name. (The CFIELD profile is defined using the CFDEF operand of the RDEFINE command.)
- You must specify a custom-field-value that is valid for the attributes of this custom field. (The attributes, such as data type, are defined in the CFDEF segment of the CFIELD profile.)
- DATA('installation-defined-data')
- Specifies
up to 255 characters of installation-defined data to be stored in
the user's profile and must be enclosed in single quotation marks.
It can also contain double-byte character set (DBCS) data. Note that
only 254 characters are chained off the ACEE.
Use the LISTUSER
command to list this information.
- DCE
- Adds a DCE segment to the user profile of the specified z/OS DCE user
or Distributed File Service (DFS) Server Message Block (SMB) user. You
can enter any of the following suboperands to specify information
for that user. Each suboperand defines information that RACF stores in a field within the DCE segment
of the user's profile.
You can control access to an entire DCE
segment or to individual fields within the DCE segment by using field
level access checking.
To define information within the DCE segment, you must have one of the following:
- The SPECIAL attribute
- At least UPDATE authority to the desired field within the segment through field-level access control.
For information on field-level access checking, see z/OS Security Server RACF Security Administrator's Guide.
Note: The
ability to associate a RACF and
DCE identity depends on replicated information between DCE and RACF. Do not change the
user's UUID, principal name, or cell name in either RACF or the DCE registry without a corresponding
update in the other registry.
- AUTOLOGIN(NO |
YES)
- Specifies whether z/OS UNIX DCE is to
log this user into z/OS UNIX DCE automatically.
If AUTOLOGIN(NO) is specified, z/OS UNIX DCE does not attempt
to login this user to z/OS UNIX DCE automatically.
If AUTOLOGIN is not specified, AUTOLOGIN(NO) is the default.
- DCENAME(user-principal-name)
- Specifies the DCE principal name defined for this RACF user in the DCE registry.
The DCENAME
you define to RACF can contain
1 - 1023
characters and can consist of any character. You can enter the name
with or without single quotation marks, depending on the following:
- If parentheses, commas, blanks, or semicolons are entered as part
of the name, the character string must be enclosed in single quotation
marks.
- If a single quotation mark is intended to be part of the name,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
Both uppercase and lowercase characters are accepted
and maintained in the case in which they are entered. RACF does not ensure that a valid DCENAME has
been specified.
The DCENAME assigned to a user must be the
same as the DCE principal name defined to the DCE registry.
If
DCENAME is not specified, the user cannot login as a z/OS UNIX DCE user
automatically, even when AUTOLOGIN(YES) is specified.
Note: RACF does not enforce the uniqueness
of each DCENAME. The DCENAME specified must match the user's DCE principal
name that is defined to the DCE registry. If the DCENAME entered does
not correspond to the DCE principal name entered in the DCE registry
for this user, z/OS UNIX DCE cannot
correctly associate the identity of the DCE principal with the correct RACF user ID.
- HOMECELL(dce-cell-name)
- Specifies the DCE cell name defined for this RACF user.
The HOMECELL you define to RACF can contain 1 - 1023 characters and can consist of any character. You can enter the name with or without single quotation marks, depending on the following:
- If parentheses, commas, blanks, or semicolons are entered as part of the cell name, the character string must be enclosed in single quotation marks.
- If a single quotation mark is intended to be part of the cell name, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.
Both uppercase and lowercase characters are accepted
and maintained in the case in which they are entered. The fully qualified
pathname should be specified. RACF does
not ensure that a valid DCE cell name has been specified.
The
HOMECELL assigned to a user must be the same as the DCE cell
name that this user has been defined to.
If the HOMECELL is
not specified, z/OS UNIX DCE single
signon to DCE support assumes that the HOMECELL for this user is the
same cell that this MVS system is defined to.
RACF checks that the HOMECELL name begins with either /.../ or /.:/. The notation /.../ indicates that the HOMECELL name is a global domain name service (DNS) cell name or X.500 global name. The notation /.:/ indicates that the HOMECELL name is a cell-relative CDS (cell directory service) name. To determine the naming conventions used within your DCE cell, contact your DCE cell administrator.
- HOMEUUID(home-cell-UUID)
- Specifies the DCE universal unique identifier (UUID) of the cell that this user is defined to. The UUID is a 36-character string of hexadecimal digits with the delimiter character (-) in positions 9, 14, 19, and 24, that is, xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where each x is a hexadecimal digit.
Be careful when assigning UUIDs. A UUID cannot be randomly assigned: the HOMEUUID is the DCE UUID of the cell that this RACF user is defined to. If HOMEUUID is not specified, the LISTUSER command displays NONE for the HOMEUUID field.
Note: The HOMEUUID specified must match the UUID of the DCE cell to which this principal (specified by the DCENAME operand) is defined.
- UUID(universal-unique-identifier)
- Specifies the DCE universal unique identifier (UUID) of the DCE principal named in DCENAME. The UUID is a 36-character string of hexadecimal digits with the delimiter character (-) in positions 9, 14, 19, and 24, that is, xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where each x is a hexadecimal digit.
Be careful when assigning UUIDs. A UUID cannot be randomly assigned, and RACF does not enforce the uniqueness of each UUID entered. The DCE UUID assigned to a user must be the same as the DCE UUID assigned when this RACF user was defined to the DCE registry as a DCE principal that is being cross-linked with this RACF user ID. That DCE principal is specified using the DCENAME operand.
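Because RACF stores the DCE segment without checking it against the DCE registry, the checks that can be done locally are worth running before the command is submitted. The following Python pre-flight check is an added example, not IBM code: it verifies the UUID layout required for HOMEUUID and UUID, the /.../ or /.:/ prefix required for HOMECELL, the 1 - 1023 length limits, and the AUTOLOGIN(YES)-without-DCENAME case described above. Function names and the sample UUIDs and cell names are this example's own; whether a UUID is the right one is something only the DCE registry can confirm.

```python
"""Pre-flight checks for the ADDUSER DCE segment.

Added example, not IBM code.  RACF stores DCENAME, HOMECELL, HOMEUUID and UUID
without checking them against the DCE registry, so the caller must; this code
checks what can be checked locally: the UUID layout, the HOMECELL prefix, the
1-1023 length limits and the AUTOLOGIN/DCENAME dependency.  Names are this
example's own.
"""
import re

# xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx: 36 characters, hexadecimal digits,
# with '-' in positions 9, 14, 19 and 24 (1-based).
_UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_dce_uuid(value):
    """True when value has the layout RACF requires for HOMEUUID and UUID.

    Layout only: whether it is the correct UUID for the cell or principal is
    known only to the DCE registry.
    """
    return len(value) == 36 and _UUID_RE.match(value) is not None


def homecell_kind(name):
    """Classify a HOMECELL name by the prefix RACF insists on.

    '/.../' introduces a global (DNS or X.500) cell name, '/.:/' a cell-relative
    CDS name.  Returns None for anything RACF would reject.
    """
    if not 1 <= len(name) <= 1023:
        return None
    if name.startswith("/.../"):
        return "global"
    if name.startswith("/.:/"):
        return "cell-relative"
    return None


def check_dce_segment(dcename=None, homecell=None, homeuuid=None, uuid=None, autologin="NO"):
    """Return a list of problems with a proposed DCE(...) segment; empty means OK."""
    problems = []
    if autologin.upper() not in ("YES", "NO"):
        problems.append("AUTOLOGIN must be YES or NO")
    elif autologin.upper() == "YES" and not dcename:
        # Documented behaviour: without DCENAME the user cannot be logged in
        # automatically even when AUTOLOGIN(YES) is specified.
        problems.append("AUTOLOGIN(YES) cannot log the user in without DCENAME")
    if dcename is not None and not 1 <= len(dcename) <= 1023:
        problems.append("DCENAME must be 1-1023 characters")
    if homecell is not None and homecell_kind(homecell) is None:
        problems.append("HOMECELL must be 1-1023 characters and start with /.../ or /.:/")
    for label, value in (("HOMEUUID", homeuuid), ("UUID", uuid)):
        if value is not None and not is_dce_uuid(value):
            problems.append(f"{label} must be xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the UUIDs are made up for illustration.
    print(check_dce_segment(dcename="alice", homecell="/.../cell.example.com",
                            homeuuid="0f2d4b6a-1c3e-4f5a-8b9c-0d1e2f3a4b5c",
                            uuid="9a8b7c6d-5e4f-4a3b-9c2d-1e0f1a2b3c4d",
                            autologin="YES"))
```

An empty list from `check_dce_segment` only means the segment is well-formed; the principal name, cell name and both UUIDs still have to match what the DCE registry holds, as the notes above warn.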
- DFLTGRP(group-name)
- Specifies the name of a RACF-defined
group to be used as the default group for the user. If you do not
specify a group, RACF uses
your current connect group as the default.
Note: You do not have
to issue the CONNECT command to connect new users to their default
groups.
- DFP
- Specifies
that when you define a user to RACF,
you can enter any of the following suboperands to specify default
values for DFP data application identifier, data class, management
class, and storage class. DFP uses this information to determine data
management and DASD storage characteristics when a user creates a
new data set.
You can control access to an entire DFP segment or
to individual fields within the DFP segment by using field-level access
checking. For more information, see z/OS Security Server RACF Security Administrator's Guide.
- DATAAPPL(application-name)
- Specifies
an 8-character DFP data application identifier.
- DATACLAS(data-class-name)
- Specifies
the default data class. The maximum length of data-class-name is
8 characters.
A data class can specify some or all of the physical
data set attributes associated with a new data set. During new data
set allocation, data management uses the value you specify as a default
unless it is preempted by a higher priority default, or overridden
in some other way, for example by JCL.
For
information on defining DFP data classes, see z/OS DFSMSdfp Storage Administration.
- MGMTCLAS(management-class-name)
- Specifies
the default management class. The maximum length of management-class-name is
8 characters.
A management class contains a collection of management
policies that apply to data sets. Data management uses the value you
specify as a default unless it is preempted by a higher priority default,
or overridden in some other way, for example by JCL.
Note: The
value you specify must be protected by a profile in the MGMTCLAS general
resource class, and the user must be granted at least READ access
to the profile. Otherwise, RACF does
not allow the user access to the specified MGMTCLAS. For more information,
see z/OS Security Server RACF Security Administrator's Guide.
For
information on defining DFP management classes, see z/OS DFSMSdfp Storage Administration.
- STORCLAS(storage-class-name)
- Specifies
the default storage class. The maximum length of storage-class-name is
8 characters.
A storage class specifies the service level (performance
and availability) for data sets managed by the storage management
subsystem (SMS). During new data set allocation, data management uses
the value you specify as a default unless it is preempted by a higher
priority default, or overridden in some other way (for example, by
JCL).
Note: The value you specify must be protected by a profile
in the STORCLAS general resource class, and the user must be granted
at least READ access to the profile. Otherwise, RACF does not allow the user access to the specified
STORCLAS. For more information, see z/OS Security Server RACF Security Administrator's Guide.
For
information on defining DFP storage classes, see z/OS DFSMSdfp Storage Administration.
- EIM
- Specifies
the bind information required to establish a connection with the EIM
domain.
- LDAPPROF(ldapbind_profile)
- Specifies the name of a profile in the LDAPBIND class. The profile
in the LDAPBIND class contains the name of an EIM domain and the bind
information required to establish a connection with the EIM domain.
The EIM services attempt to retrieve this information when it is not
explicitly supplied through invocation parameters. Applications or
other services that use the EIM services might instruct their callers
to define a profile in the LDAPBIND class or the IRR.PROXY.DEFAULTS
profile in the FACILITY class.
The ldapbind_profile specifies
the name of a profile in the LDAPBIND class containing the EIM domain
and the LDAP bind information. The ldapbind_profile name
may be 1 - 246
characters long. It is not a case-sensitive name.
- GRPACC | NOGRPACC
- GRPACC
- Specifies
that any group data sets protected by DATASET profiles defined by
the new user are automatically accessible to other users in the group.
The group whose name is used as the high-level qualifier of the data
set name (or the qualifier supplied by a command installation exit)
has UPDATE access authority in the new profile. GRPACC specified on
the ADDUSER command overrides NOGRPACC specified on the CONNECT command.
- NOGRPACC
- Specifies
that the new user does not have the GRPACC attribute. NOGRPACC is
the default value if you omit both GRPACC and NOGRPACC.
- KERB
- Specifies z/OS Integrated Security Services Network Authentication
Service information
for a user you are defining to RACF.
Each subkeyword defines information that RACF stores in a field within the KERB segment
of the user's profile.
Note: The RACF user
password must be changed to be non-expired in order to complete the
definition of the z/OS Network Authentication Service principal.
The user cannot use any z/OS Network Authentication Service function
until the definition is complete.
- ENCRYPT
- Specifies
which keys the user (the z/OS Network Authentication Service principal)
is allowed to use.
ENCRYPT is the default value when you specify KERB. The default values for ENCRYPT are DES, DES3, DESD, AES128, and AES256; that is, every key type is permitted unless you turn it off. Single DES (DES, DESD) is deprecated for Kerberos by RFC 6649 and triple DES (DES3) by RFC 8429; specify NODES NODESD NODES3 unless a client that cannot use AES still depends on them.
- DES | NODES
- Whether DES encrypted keys can be used.
- DES3 | NODES3
- Whether DES3 encrypted keys can be used.
- DESD | NODESD
- Whether DESD encrypted keys can be used.
- AES128 | NOAES128
- Whether AES128 encrypted keys can be used.
- AES256 | NOAES256
- Whether AES256 encrypted keys can be used.
When a principal's password changes, a key of
each type is generated and stored in the principal's user profile.
The use of each key is based on the z/OS Network Authentication Service configuration.
Important: The
principal's password must be changed to ensure that a key of
each type is generated and stored in the principal's user profile.
See z/OS Integrated Security Services Network Authentication Service Administration for
information about how z/OS Network Authentication Service uses
keys and how to customize environment variables related to keys.
- KERBNAME(kerberos-principal-name)
- Specifies
the z/OS user
ID's local kerberos-principal-name.
The
value specified for the local kerberos-principal-name must
be unique. Consequently, a list of users cannot be specified on an
ADDUSER command with the KERBNAME keyword.
The kerberos-principal-name you define to RACF can consist of any character except the @ (X'7C') character.
You can enter the name with or without single quotation marks, depending
on the following: - If parentheses, commas, blanks, or semicolons are entered as part
of the name, the name must be enclosed in single quotation marks.
- If a single quotation mark is intended to be part of the name
and the entire character string is enclosed in single quotation marks,
you must use two single quotation marks together to represent each
single quotation mark within the string.
- If the first character of the name is a single quotation mark,
you must enter the string within single quotation marks, with two
single quotation marks entered for that single quotation mark.
Guideline: Avoid using EBCDIC variant characters
to prevent problems with different code pages.
Both uppercase
and lowercase characters are accepted and maintained in the case in
which they are entered. However, RACF does
not ensure that a valid kerberos-principal-name has
been specified.
A local kerberos-principal-name must not be
qualified with a realm name when specified with the KERBNAME keyword.
However, RACF verifies that
the local principal name, when fully qualified with the name of the
local realm: /.../local_realm_name/principal_name
does
not exceed 240 characters. For example,
This length verification requires that the REALM profile for
the local realm KERBDFLT be defined and contain the name of the local
realm, prior to the specification of local z/OS Network Authentication Service principals.
Otherwise, z/OS Network Authentication Service users
might not be properly defined.
Note: Because of the relationship
between local realm names and local kerberos-principal-names,
in which the length of a fully qualified name cannot exceed 240 characters,
caution and planning must go into renaming the local realm because
the combined length is only checked by RACF when
a local kerberos-principal-name is added
or altered. Renaming the realm should be avoided as a result.
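The KERBNAME rules above (the disallowed @ character, the quoting rules, the 240-character limit on the fully qualified /.../local_realm_name/principal_name form, and the realm-rename caveat) are simple enough to check before the ADDUSER command is issued. The following is an added example and not part of the RACF documentation or product: it takes the local realm name as an argument instead of reading the KERBDFLT profile, the EBCDIC variant character set it warns about is an assumption, and treating a leading /.../ as a realm-qualified name is likewise an assumption.

```python
"""Added example: pre-checks for the KERBNAME operand (not IBM code)."""
from __future__ import annotations

MAX_FQ_LEN = 240                # limit on /.../local_realm_name/principal_name
TSO_SPECIALS = set("(), ;")     # parentheses, commas, blanks, semicolons
# Assumption: the characters usually listed as EBCDIC variant characters,
# whose code points differ between code pages.
EBCDIC_VARIANT = set('!"#$@[\\]^`{|}~')


def fully_qualified(principal: str, local_realm: str) -> str:
    """Build the form whose length RACF checks: /.../local_realm_name/principal_name."""
    return f"/.../{local_realm}/{principal}"


def check_kerbname(principal: str, local_realm: str) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for a proposed KERBNAME value.

    local_realm stands in for the realm name held by the KERBDFLT profile
    in the REALM class; the caller supplies it rather than reading RACF.
    """
    errors, warnings = [], []
    if "@" in principal:
        errors.append("'@' (X'7C') is not allowed in a kerberos-principal-name")
    if principal.startswith("/.../"):
        # Assumption: a leading /.../ is what a realm-qualified name looks like.
        errors.append("KERBNAME must not be qualified with a realm name")
    fq = fully_qualified(principal, local_realm)
    if len(fq) > MAX_FQ_LEN:
        errors.append(f"fully qualified name is {len(fq)} characters; limit is {MAX_FQ_LEN}")
    if set(principal) & EBCDIC_VARIANT:
        warnings.append("name contains EBCDIC variant characters; it may differ across code pages")
    return errors, warnings


def quote_for_tso(name: str) -> str:
    """Return the name as it must be typed on the ADDUSER command line.

    A name containing parentheses, commas, blanks or semicolons, or any
    single quotation mark (including as its first character), is enclosed
    in single quotation marks, and each embedded quotation mark is doubled.
    """
    if "'" in name or any(c in TSO_SPECIALS for c in name):
        return "'" + name.replace("'", "''") + "'"
    return name


def realm_rename_impact(principals: list[str], new_realm: str) -> list[str]:
    """Principals whose fully qualified name would exceed the limit if the
    local realm were renamed. RACF re-checks the length only when a
    KERBNAME is added or altered, so this is the planning check to run first."""
    return [p for p in principals if len(fully_qualified(p, new_realm)) > MAX_FQ_LEN]


if __name__ == "__main__":
    # Constructed sample values; the realm name is not a real one.
    print(check_kerbname("svc one", "KRB.EXAMPLE.COM"), quote_for_tso("svc one"))
    print(realm_rename_impact(["a" * 230, "short"], "LONGER.REALM"))
```

The quoting helper matters most for names built by automation: a principal containing a blank or a quotation mark that is passed unquoted is parsed by TSO as several operands, and the error message gives little hint about the cause.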
- MAXTKTLFE(max-ticket-life)
- Specifies
the max-ticket-life in seconds, and is represented
by a numeric value from 1 - 2 147 483 647.
Note that 0 is not a valid value.
If MAXTKTLFE
is specified on the definition of a local z/OS Network Authentication Service principal,
the z/OS Integrated Security Services Network Authentication
Service takes
the most restrictive of the value defined for the local principal
and the value specified on the definition of the local realm (the
KERBDFLT profile in the REALM class). Consequently, if the realm max-ticket-life is
24 hours, a principal cannot get a ticket with a longer lifetime even
if the max-ticket-life is set to 48 hours
in the user profile. If this field is not specified for a local principal,
or if NOMAXTKTLFE has been specified, the maximum lifetime for tickets
created for this principal is determined from the definition of the
local z/OS Network Authentication Service realm.
- LANGUAGE
- Specifies
the user's preferred national languages. Specify this operand if the
user is to have languages other than the system-wide defaults (established
by the LANGUAGE operand on the SETROPTS command).
- If this profile is for a TSO/E user who is to establish an extended
MCS console session, the languages you specify should be one of the
languages specified on the LANGUAGE LANGCODE statements in the MMSLSTxx
PARMLIB member. See your MVS system programmer for this information.
For
more information on TSO/E national language support, see z/OS TSO/E Customization.
- If this profile is for a CICS user,
see your CICS administrator
for the languages supported by CICS on
your system.
For more information, visit CICS Transaction Server for z/OS Information
Center.
- PRIMARY(language)
- Specifies the user's primary language.
- SECONDARY(language)
- Specifies the user's secondary language.
Note:
- For the primary and secondary languages, specify either the installation-defined
name of a currently active language (a maximum of 24 characters) or
one of the language codes (three characters in length) for a language
installed on your system.
- The language name can be a quoted or unquoted string.
- The same language can be specified with both PRIMARY and SECONDARY
parameters.
- If the MVS message service is not active, the PRIMARY and SECONDARY
values must be a 3-character language code.
- LNOTES
- Specifies
the Lotus Notes for z/OS information
for the user profile being added.
- SNAME(short-name)
- Specifies the Lotus Notes for z/OS short-name of
the user being defined. This value should match the name stored in
the Lotus® Notes® for z/OS address
book for this user, but this is not verified by the command.
The short-name you
define to RACF can contain
1 - 64
characters. The short-name can contain the
following characters: uppercase and lowercase alphabetic characters
(A - Z, a - z), 0 - 9, & (X'50'), - (X'60'), . (X'4B'), _ (X'6D'),
and blanks (X'40').
If the short-name you
specify contains any blanks, it must be enclosed in single quotation
marks. The short-name is stripped of leading
and trailing blanks.
The value specified for the short-name must
be unique. Consequently, a list of users cannot be specified on an
ADDUSER command with the SNAME keyword.
- MODEL(dsname)
- Specifies
the name of a discrete data set profile that is used as a model when
new data set profiles are created that have userid as
the high-level qualifier. For this operand to be effective, the MODEL(USER)
option (specified on the SETROPTS command) must be active.
RACF always prefixes the data set
name with userid when it accesses the model.
For information about automatic profile modeling, refer to z/OS Security Server RACF Security Administrator's Guide.
- NAME(user-name)
- Specifies the user
name to be associated with the new user ID. You can use a maximum
of 20 alphanumeric or non-alphanumeric characters. If the name you
specify contains any blanks, it must be enclosed in single quotation
marks.
Names longer than 20 characters are truncated to 20 characters
when you enclose the name in quotation marks. However, when you specify
a name longer than 20 characters without enclosing the name
in quotation marks, you receive an error from the TSO parse routine.
If
you omit the NAME operand, RACF uses
a default of twenty # (X'7B') characters
('###…'). Note, however, that the corresponding entry
in a LISTUSER output is the word UNKNOWN.
- NDS
- Specifies
the Novell Directory Services for OS/390 information
for the user profile being added.
- UNAME(user-name)
- Specifies the Novell Directory Services for OS/390 user-name of
the user being defined. The user-name value
should match the name stored in the Novell Directory Services for OS/390 directory
for this user, but this is not verified by the command.
The user-name you
define to RACF can contain
1 - 246
characters. However, the user-name cannot
contain the following characters: * (X'5C'), + (X'4E'), | (X'4F'), = (X'7E'), , (X'6B'), " (X'7F'), ` (X'79'), / (X'61'), : (X'7A'), ; (X'5E'), ¢ (X'4A'), and
brackets [ and ] (X'AD' and X'BD').
If
the user-name you specify contains any parentheses
or blanks, it must be enclosed in single quotation marks. The user-name is
stripped of leading and trailing blanks. If a single quotation mark
is intended to be part of the user-name,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
The value specified for the user-name must
be unique. Consequently, a list of users cannot be specified on an
ADDUSER command with the UNAME keyword.
- NETVIEW
-
- CONSNAME(console-name)
- Specifies
the default master console station (MCS) console name used for this
operator. This default console name is used when the operator does
not specify a console name on the NetView® GETCONID
command.
The console-name value is an
identifier 1 - 8
characters in length whose validity is checked by MVS processing when
the operator tries to use it. See z/OS MVS Planning: Operations for
information on valid values for a particular release.
- CTL
- Specifies
whether a security check is performed for this NetView operator when they try to use a span
or try to do a cross-domain logon.
- GENERAL
- Specifies that checking is done as described for SPECIFIC, and,
in addition, that the operator is allowed to access devices that are
not part of any span.
- GLOBAL
- Specifies that no checking is done.
- SPECIFIC
- Specifies that the operator is allowed to control only devices
that are in spans the operator started, and that a security check
is to be performed through RACROUTE REQUEST=AUTH whenever this operator
attempts to use a span. Also, any cross-domain logon must be to a
domain listed in the operator's NETVIEW segment with the DOMAINS keyword.
SPECIFIC is the default.
- DOMAINS(domain-name …)
- Specifies
the identifiers of NetView programs
in another NetView domain
where this operator can start a cross-domain session. The NetView program identifiers
are coded on the NCCFID definition statement for the other domains,
and represent the name given to that NetView program
on the APPL statement.
Domain-name is
a 1 - 5
character identifier. The characters can be alphabetic, numeric, or
national.
- IC('command | command-list')
- Specifies
the command or command list (up to 255 characters) to be processed
by NetView for this operator
when this operator logs on to NetView.
If
the command or command list you specify contains any commas, blanks,
or other special characters that TSO/E requires to be quoted, it must
be enclosed in single quotation marks.
- MSGRECVR(NO | YES)
- Specifies
whether this operator is to receive unsolicited messages that are
not routed to a specific NetView operator.
- NO
- Specifies that the operator is not to receive the messages.
NO
is the default.
- YES
- Specifies that the operator is to receive the messages.
- NGMFADMN(NO | YES)
- Specifies
whether a NetView operator
has administrator authority to the NetView Graphic
Monitor Facility (NGMF).
- NO
- Specifies that the operator does not have authority.
NO is
the default.
- YES
- Specifies that the operator has the authority.
- NGMFVSPN(view-span)
- Reserved
for future use by the NetView Graphic
Monitor Facility.
- OPCLASS(class …)
- NetView scope classes for which
the operator has authority. The OPCLASS values are only used if NetView is doing the checking
itself, rather than using SAF and the NETCMDS class that RACF provides. If the OPCLASS operand is not
specified, the operator is considered to have authority in scope classes.
The class value is a number from 1 to
2040 that specifies a NetView scope
class.
- OIDCARD
| NOOIDCARD
-
- OIDCARD
- Specifies that the new user
must supply an operator identification card when logging onto the
system. If you specify the OIDCARD operand, the system prompts you
to enter the new user's operator identification card as part of the
processing of the ADDUSER command. If you specify the OIDCARD operand
in a job executing in the background or when you cannot be prompted
in the foreground, the ADDUSER command fails.
- NOOIDCARD
- Specifies
that the new user is not required to supply an operator identification
card. NOOIDCARD is the default value if you omit both OIDCARD and
NOOIDCARD.
- OMVS
- Specifies z/OS UNIX System Services information
for the user being defined to RACF.
Information is stored in the OMVS segment of the user's profile.
You
can control access to an entire OMVS segment or to individual fields
in the OMVS segment by using field-level access checking.
- ASSIZEMAX(address-space-size)
- Specifies
the RLIMIT_AS hard limit (maximum) resource value that processes receive
when they are dubbed a process. The address-space-size you
define to RACF is a numeric
value from 10485760 - 2 147 483 647.
ASSIZEMAX indicates the address space region size in bytes. The soft
limit (current) resource value is obtained from MVS. If the soft limit
value from MVS is greater than the address-space-size,
the soft limit is used.
The value specified for ASSIZEMAX is also
used when processes are initiated by a daemon process using an exec
after setuid(). In this case, both the RLIMIT_AS
hard and soft limits are set to the address-space-size value.
The
value specified for ASSIZEMAX overrides any value provided by the
MAXASSIZE parameter of BPXPRMxx. For more information, see z/OS UNIX System Services Planning.
- AUTOUID | UID
- Specifies whether RACF is
to automatically assign an unused UID value to the user or if a specific
UID value is to be assigned.
- AUTOUID
- Specifies
that RACF is to automatically
assign an unused UID value to the user. The UID value is derived from
information obtained from the BPX.NEXT.USER profile in the FACILITY
class. For more information on setting up BPX.NEXT.USER, see z/OS Security Server RACF Security Administrator's Guide.
If
you are using RRSF automatic command direction for the USER class,
the command sent to other nodes will contain an explicit assignment
of the UID value which was derived by RACF on
the local node.
Rules:
- AUTOUID cannot be specified if more than one user ID is entered.
- The AUTOUID keyword is mutually exclusive with the SHARED keyword.
- If both UID and AUTOUID are specified, AUTOUID is ignored.
- Field-level access checking for the UID field applies when using
AUTOUID.
- UID(user-identifier) [SHARED]
-
- UID(user-identifier)
- Specifies
the user identifier. The UID is a numeric value from 0 - 2 147 483 647.
When
assigning a UID to a user, you should make sure that the user's default
group has a GID. A user who has a UID and a current connect group
that has a GID can use functions such as the TSO/E OMVS command and
can access z/OS UNIX files
based on the UID and GID values assigned.
Care should be taken
in assigning 0 as the user identifier. UID 0 is considered a superuser.
The superuser passes all z/OS UNIX security
checks. Assigning a UID to a user ID that appears in the RACF started procedures table (ICHRIN03) should
also be done with care. RACF defined
started tasks that have the trusted or privileged attribute are considered
superusers even if their UID is a value other than 0.
Rules:
- If the security administrator has defined the SHARED.IDS profile
in the UNIXPRIV class, the UID value must be unique. Use the SHARED
keyword in addition to UID to assign a value that is already in use.
- If SHARED.IDS is not defined, RACF does
not require the UID to be unique. The same value can be assigned to
multiple users but this is not recommended because individual user
control would be lost. However, if you want a set of users to have
exactly the same access to z/OS UNIX resources,
you might decide to assign the same UID to more than one user.
- The maximum number of user IDs that can share a UID or groups
that can share a GID is 132 when each consists of 8 characters. More
user IDs or groups can share a value when they are shorter than 8 characters. If
the limit is reached, you can combine user ID functions (for started tasks
or daemons) so that fewer user IDs share the same UID.
You can also use the SUPERUSER granularity functions to reduce the
need to assign and share SUPERUSER authority using UID 0.
- If the UID is not specified, the user is unable to become a z/OS UNIX user and
a LISTUSER for that user ID shows NONE for the UID.
- SHARED
- If the security administrator
has chosen to control the use of shared UIDs, this keyword must be
used in addition to the UID keyword to specify the user identifier
if it is already in use by at least one other user. The administrator
controls shared UIDs by defining the SHARED.IDS profile in the UNIXPRIV
class.
Rules:
- If the SHARED.IDS profile is not defined, SHARED is ignored.
- If SHARED is specified in the absence of UID, it is ignored.
- If the SHARED.IDS profile is defined and SHARED is specified,
but the value specified with UID is not currently in use, SHARED is
ignored and UNIXPRIV authority is not required.
- Field-level access checking for the UID field applies when using
SHARED.
- The SHARED keyword is mutually exclusive with the AUTOUID keyword.
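The AUTOUID, UID and SHARED rules above interact (which keyword is ignored, when a duplicate UID is an error rather than a warning, when SHARED.IDS authority is checked), and a reviewer of user-provisioning scripts usually wants them in one place. The following is an added example, not code from the RACF documentation or product: it models those rules over a constructed map of UIDs already in use instead of querying RACF, treats the mutual exclusion of AUTOUID and SHARED as an error (the page does not say which keyword wins), and assumes every user ID is 8 characters long so that the limit of 132 sharers applies.

```python
"""Added example: applying the AUTOUID / UID / SHARED rules (not IBM code)."""
from __future__ import annotations
from dataclasses import dataclass, field

UID_MAX = 2_147_483_647
SHARE_LIMIT_8CHAR = 132   # user IDs that can share one UID when each is 8 characters long


@dataclass
class UidRequest:
    """UID-related operands of one ADDUSER ... OMVS(...) request."""
    userids: list[str]          # user IDs named on the command
    uid: int | None = None      # UID(user-identifier), if coded
    autouid: bool = False       # AUTOUID keyword coded
    shared: bool = False        # SHARED keyword coded


@dataclass
class Outcome:
    errors: list[str] = field(default_factory=list)     # RACF would reject the command
    warnings: list[str] = field(default_factory=list)   # accepted, but worth a second look
    ignored: list[str] = field(default_factory=list)    # keywords RACF ignores
    needs_unixpriv: bool = False   # sharing an in-use UID is checked against SHARED.IDS


def evaluate_uid_request(req: UidRequest, uids_in_use: dict[int, set[str]],
                         shared_ids_defined: bool) -> Outcome:
    """uids_in_use maps a UID to the user IDs already holding it (a constructed
    stand-in for a RACF lookup); shared_ids_defined says whether the
    SHARED.IDS profile exists in the UNIXPRIV class."""
    out = Outcome()
    uid, autouid, shared = req.uid, req.autouid, req.shared

    if uid is not None and autouid:           # UID wins; AUTOUID is ignored
        out.ignored.append("AUTOUID (UID also specified)")
        autouid = False
    if autouid and len(req.userids) > 1:
        out.errors.append("AUTOUID cannot be specified for more than one user ID")
    if autouid and shared:                    # assumption: reported as an error
        out.errors.append("AUTOUID and SHARED are mutually exclusive")
    if shared and uid is None:
        out.ignored.append("SHARED (no UID specified)")
        shared = False
    if shared and not shared_ids_defined:
        out.ignored.append("SHARED (SHARED.IDS not defined in UNIXPRIV)")
        shared = False

    if autouid:
        return out   # the value comes from BPX.NEXT.USER; nothing more to check here
    if uid is None:
        out.warnings.append("no UID: user cannot become a z/OS UNIX user; LISTUSER shows NONE")
        return out
    if not 0 <= uid <= UID_MAX:
        out.errors.append(f"UID {uid} is outside 0 - {UID_MAX}")
        return out
    if uid == 0:
        out.warnings.append("UID 0 is a superuser and passes all z/OS UNIX security checks")

    holders = uids_in_use.get(uid, set())
    if not holders:
        if shared:   # SHARED.IDS defined and SHARED coded, but the UID is unused
            out.ignored.append("SHARED (UID not in use; UNIXPRIV authority not required)")
        return out
    if shared_ids_defined and not shared:
        out.errors.append(f"UID {uid} is already held by {sorted(holders)}; "
                          "SHARED.IDS requires unique UIDs unless SHARED is coded")
    elif shared_ids_defined:
        out.needs_unixpriv = True
    else:
        out.warnings.append(f"UID {uid} is already held by {sorted(holders)}; "
                            "individual user control is lost")
    # Assumption: every user ID is 8 characters, so the limit of 132 sharers applies.
    if len(holders) + len(req.userids) > SHARE_LIMIT_8CHAR:
        out.errors.append(f"more than {SHARE_LIMIT_8CHAR} user IDs would share UID {uid}")
    return out


if __name__ == "__main__":
    in_use = {1001: {"OTHER"}}   # constructed sample of UIDs already assigned
    print(evaluate_uid_request(UidRequest(["JSMITH"], uid=1001), in_use, True))
```

Running such a check before provisioning is also where a shop without SHARED.IDS sees how often duplicate UIDs are being created: in that configuration RACF accepts them silently, and the only trace is the warning this model raises.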
- CPUTIMEMAX(cpu-time)
- Specifies
the RLIMIT_CPU hard limit (maximum) resource value that the user's z/OS UNIX processes
receive when they are dubbed a process. The cpu-time you
define to RACF is a numeric
value from 7 - 2 147 483 647.
RLIMIT_CPU indicates the cpu-time in seconds
that a process is allowed to use. The soft limit (current) resource
value is obtained from MVS. If the soft limit value from MVS is greater
than the cpu-time value, the soft limit
is used.
The value specified for CPUTIMEMAX is also used when processes
are initiated by a daemon process using an exec after setuid().
In this case, both the RLIMIT_CPU hard limit and the soft limit are
set to the cpu-time value.
For processes
running in, or forked from TSO or BATCH, the cpu-time value
has no effect. For processes created by the rlogin command or other
daemons, the cpu-time is the time limit
for the address space.
The value specified for CPUTIMEMAX overrides
any value provided by the MAXCPUTIME parameter of BPXPRMxx. For more
information, see z/OS UNIX System Services Planning.
- FILEPROCMAX(files-per-process)
- Specifies
the maximum number of files this user is allowed to have concurrently
active or open. The files-per-process you
define to RACF is a numeric
value from 3 - 524287. FILEPROCMAX is the same as the OPEN_MAX variable
defined in the POSIX standard.
FILEPROCMAX lets you limit the
amount of system resources available to a user process. Select FILEPROCMAX
by considering:
- For conformance to standards, set FILEPROCMAX to:
- At least 16 to conform to the POSIX standard, and
- At least 25 to conform to the FIPS standard.
- 256 is a commonly recommended value.
- A process can change its own value for the number of files it
has active or open using the setrlimit() function.
Only processes with appropriate privileges can increase their limits.
- The minimum value of 3 supports the standard files for a process:
standard input, standard output, and standard error.
- The value needs to be larger than 3 to support z/OS UNIX shell
users. If the value is too small, the shell might issue the message, File
descriptor not available.
The value specified for FILEPROCMAX overrides any value
provided by the MAXFILEPROC parameter of BPXPRMxx. For more information,
see z/OS UNIX System Services Planning.
- HOME(initial-directory-name)
- Specifies
the user's z/OS UNIX initial
directory pathname. This is the current working directory for the
user's process when the user enters the TSO/E OMVS command.
When you define
a HOME directory name to RACF,
it can contain 1 - 1023 characters.
The HOME pathname can consist of any characters and can be entered
with or without single quotation marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are to be entered
as part of the pathname, the character string must be enclosed in
single quotation marks.
- If a single quotation mark is intended to be part of the pathname,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
Both uppercase and lowercase characters are accepted
and maintained in the case in which they are entered. The fully qualified
pathname should be specified. RACF does
not ensure that a valid pathname has been specified. If you issue
the ADDUSER command as a RACF operator
command and you specify the pathname in lowercase, you must include
the pathname within single quotation marks.
If HOME is not specified,
MVS sets the working directory for the user to / (the
root directory). However, the default value is not placed in the user's
profile, and is not displayed when a LISTUSER command is entered.
- MEMLIMIT | NOMEMLIMIT
-
- MEMLIMIT(nonshared-memory-size)
- Specifies the maximum number of bytes of nonshared memory that
can be allocated by the user. The nonshared-memory-size value
must be numeric 0 - 16777215,
followed by the letter M, G, T,
or P. The M, G, T or P letter
indicates the multiplier to be used. The maximum value is 16383P.
| Multiplier | Decimal | Binary | Hexadecimal |
|---|---|---|---|
| M - megabyte | 1048576 | 2 to the power of 20 | 00000000 00100000 |
| G - gigabyte | 1073741824 | 2 to the power of 30 | 00000000 40000000 |
| T - terabyte | 1099511627776 | 2 to the power of 40 | 00000100 00000000 |
| P - petabyte | 1125899906842624 | 2 to the power of 50 | 00040000 00000000 |
The following are different MEMLIMIT(nonshared-memory-size)
examples:
- MEMLIMIT(1M) indicates a nonshared-memory-size
of 1048576 bytes.
- MEMLIMIT(1500M) indicates a nonshared-memory-size
of 1572864000 bytes.
- MEMLIMIT(10G) indicates a nonshared-memory-size
of 10737418240 bytes.
For more extensive information, see z/OS UNIX System Services Planning.
- NOMEMLIMIT
- Specifies
that you want to delete the nonshared memory size from the OMVS segment
of the user's profile.
- MMAPAREAMAX(memory-map-size)
- Specifies
the maximum amount of data space storage, in pages, that can be allocated
by the user for memory mappings of z/OS UNIX files.
Storage is not allocated until memory mappings are active. The memory-map-size you
define to RACF is a numeric
value from 1 - 16777216.
Use of memory map services consumes a significant amount of system
memory. For each page (4KB) that is memory mapped, 96 bytes of ESQA
are consumed when a file is not shared with any other users. When
a file is shared by multiple users, each subsequent user after the
initial user causes 32 bytes of ESQA to be consumed for each shared
page. The ESQA storage is consumed when the mmap() function
is invoked by the application program.
The value specified
for MMAPAREAMAX overrides any value provided by the MAXMMAPAREA parameter
of BPXPRMxx. For more information, see z/OS UNIX System Services Planning.
- PROCUSERMAX(processes-per-UID)
- Specifies
the maximum number of processes this user is allowed to have active
at the same time, regardless of how the process became a z/OS UNIX process.
The processes-per-UID you define to RACF is a numeric value from 3 - 32767.
PROCUSERMAX is the same as the CHILD_MAX variable
defined in the POSIX standard.
PROCUSERMAX allows you to limit
user activity to optimize performance. Select PROCUSERMAX by considering:
- For conformance to standards, set PROCUSERMAX to:
- At least 16 to conform to the POSIX standard, and
- At least 25 to conform to the FIPS standard.
- A user with a UID of 0 is not limited by the PROCUSERMAX value
because a superuser might need to be capable of logging on and using z/OS UNIX services
to solve a problem.
- A low PROCUSERMAX value limits the number of concurrent processes
that the user can run. A low value also limits the user's consumption
of processing time, virtual storage, and other system resources.
- Some daemons run without UID 0, and might create many address
spaces. In these cases, it is necessary to set the limit high enough
for the daemon associated with this user ID to run all of its processes.
Though not recommended, the same OMVS UID
can be given to more than one user ID. If users share a UID, you need
to define a greater number for PROCUSERMAX.
The value specified
for PROCUSERMAX overrides any value provided by the MAXPROCUSER parameter
of BPXPRMxx. For more information, see z/OS UNIX System Services Planning.
- PROGRAM(program-name)
- Specifies
the PROGRAM pathname (z/OS UNIX shell
program). This is the first program started when the TSO/E command
OMVS is entered or when a batch job is started using the BPXBATCH
program.
When you define a PROGRAM pathname to RACF, it can contain 1 - 1023 characters.
The PROGRAM pathname can consist of any characters and can be entered
with or without single quotation marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are to be entered
as part of the pathname, the character string must be enclosed in
single quotation marks.
- If a single quotation mark is intended to be part of the pathname,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
Both uppercase and lowercase characters are accepted
and maintained in the case in which they are entered. The fully qualified
pathname should be specified. RACF does
not ensure that a valid pathname has been specified. If you issue
the ADDUSER command as a RACF operator
command and you specify the pathname in lowercase, you must include
the pathname within single quotation marks.
If PROGRAM is not specified
or if PROGRAM is specified as blanks, MVS gives control to the default z/OS UNIX shell
program. However, the default value is not placed in the user's profile,
and is not displayed when a LISTUSER command is entered.
For
more information about the default z/OS UNIX shell
program supplied with z/OS® UNIX, see z/OS UNIX System Services Planning and z/OS UNIX System Services User's Guide.
- SHMEMMAX | NOSHMEMMAX
-
- SHMEMMAX(shared-memory-size)
- Specifies the maximum number of bytes of shared memory that can
be allocated by the user. The shared-memory-size value
must be numeric 1 - 16777215,
followed by the letter M, G, T,
or P. The M, G, T or P letter
indicates the multiplier to be used. The maximum value is 16383P.
| Multiplier | Decimal | Binary | Hexadecimal |
|---|---|---|---|
| M - megabyte | 1048576 | 2 to the power of 20 | 00000000 00100000 |
| G - gigabyte | 1073741824 | 2 to the power of 30 | 00000000 40000000 |
| T - terabyte | 1099511627776 | 2 to the power of 40 | 00000100 00000000 |
| P - petabyte | 1125899906842624 | 2 to the power of 50 | 00040000 00000000 |
The following are different SHMEMMAX(shared-memory-size)
examples:
- SHMEMMAX(1M) indicates a shared-memory-size of 1048576 bytes.
- SHMEMMAX(1500M) indicates a shared-memory-size
of 1572864000 bytes.
- SHMEMMAX(10G) indicates a shared-memory-size
of 10737418240 bytes.
The value specified for SHMEMMAX overrides any value
provided by the IPCSHMMPAGES parameter of BPXPRMxx. For more information,
see z/OS UNIX System Services Planning.
- NOSHMEMMAX
- Specifies
that you want to delete the shared memory size from the OMVS segment
of the user's profile. The value specified for IPCSHMMPAGES in BPXPRMxx
now applies to the user.
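MEMLIMIT and SHMEMMAX take the same number-plus-multiplier syntax (a numeric part followed by M, G, T or P, with an overall maximum of 16383P), differing only in the lowest numeric part they accept. The following is an added example serving both operands and is not code from the RACF documentation or product: it converts a value as coded on the command into bytes, rejects what the rules above reject, and formats a byte count back into the shortest exact operand value. It assumes the multiplier letter is coded in uppercase, as the operand descriptions show it.

```python
"""Added example: MEMLIMIT / SHMEMMAX size values (not IBM code)."""
from __future__ import annotations
import re

MULTIPLIER = {"M": 1 << 20, "G": 1 << 30, "T": 1 << 40, "P": 1 << 50}
NUMERIC_MAX = 16_777_215              # largest numeric part either operand accepts
MAX_BYTES = 16_383 * MULTIPLIER["P"]  # "the maximum value is 16383P"
# Lowest numeric part each operand accepts: MEMLIMIT 0 - 16777215, SHMEMMAX 1 - 16777215.
NUMERIC_MIN = {"MEMLIMIT": 0, "SHMEMMAX": 1}
_SIZE_RE = re.compile(r"^(\d+)([MGTP])$")   # assumption: uppercase multiplier letter


def parse_memory_size(value: str, keyword: str = "MEMLIMIT") -> int:
    """Convert a value such as '1500M' into bytes, or raise ValueError for
    anything the operand rules reject (bad syntax, numeric part out of
    range, or a product above 16383P)."""
    if keyword not in NUMERIC_MIN:
        raise ValueError(f"{keyword}: not a size operand")
    m = _SIZE_RE.match(value.strip())
    if not m:
        raise ValueError(f"{keyword}: '{value}' is not <number><M|G|T|P>")
    number, unit = int(m.group(1)), m.group(2)
    low = NUMERIC_MIN[keyword]
    if not low <= number <= NUMERIC_MAX:
        raise ValueError(f"{keyword}: numeric part must be {low} - {NUMERIC_MAX}")
    nbytes = number * MULTIPLIER[unit]
    if nbytes > MAX_BYTES:
        raise ValueError(f"{keyword}: {value} exceeds the maximum of 16383P")
    return nbytes


def is_valid_memory_size(value: str, keyword: str = "MEMLIMIT") -> bool:
    """True when RACF would accept the value for the given operand."""
    try:
        parse_memory_size(value, keyword)
        return True
    except ValueError:
        return False


def format_memory_size(nbytes: int) -> str:
    """Express a byte count as the shortest exact <number><M|G|T|P> value,
    for example when rebuilding an operand from a stored limit."""
    if nbytes == 0:
        return "0M"
    for unit in "PTGM":   # largest multiplier first, so 2**40 becomes 1T, not 1024G
        if nbytes % MULTIPLIER[unit] == 0 and nbytes // MULTIPLIER[unit] <= NUMERIC_MAX:
            return f"{nbytes // MULTIPLIER[unit]}{unit}"
    raise ValueError(f"{nbytes} is not an exact multiple of a megabyte")


if __name__ == "__main__":
    for coded in ("1M", "1500M", "10G", "16383P"):   # values from the examples above
        print(coded, parse_memory_size(coded))
```

The two range checks are deliberately separate: 16777215 is a legal numeric part, but 16777215P is rejected because the product exceeds 16383P, which is the case that a validator checking only the number misses.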
- THREADSMAX(threads-per-process)
- Specifies
the maximum number of pthread_create threads, including
those running, queued, and exited but not detached, that this user
can have concurrently active. The threads-per-process you
define to RACF is a numeric
value from 0 - 100000.
Specifying a value of 0 prevents applications run by this user from
using the pthread_create service.
The value specified
for THREADSMAX overrides any value provided by the MAXTHREADS parameter
of BPXPRMxx. For more information, see z/OS UNIX System Services Planning.
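Each numeric OMVS limit above follows the same pattern: a fixed range that RACF enforces, a BPXPRMxx parameter that the profile value overrides, and in two cases (FILEPROCMAX and PROCUSERMAX) minima needed for POSIX or FIPS conformance. The following is an added example, not code from the RACF documentation or product, that audits an OMVS segment against those rules and computes the hard limits a user's processes would receive; the BPXPRMxx values it is given are constructed sample input, and it records an unknown limit as None rather than looking it up.

```python
"""Added example: auditing numeric OMVS limits against BPXPRMxx (not IBM code)."""
from __future__ import annotations

# operand -> (minimum, maximum, BPXPRMxx parameter it overrides), as described above
OMVS_LIMITS = {
    "ASSIZEMAX":   (10_485_760, 2_147_483_647, "MAXASSIZE"),
    "CPUTIMEMAX":  (7,          2_147_483_647, "MAXCPUTIME"),
    "FILEPROCMAX": (3,          524_287,       "MAXFILEPROC"),
    "MMAPAREAMAX": (1,          16_777_216,    "MAXMMAPAREA"),
    "PROCUSERMAX": (3,          32_767,        "MAXPROCUSER"),
    "THREADSMAX":  (0,          100_000,       "MAXTHREADS"),
}
POSIX_MIN, FIPS_MIN = 16, 25   # conformance minima for FILEPROCMAX and PROCUSERMAX


def validate_omvs_limits(segment: dict[str, int]) -> list[str]:
    """Operands in an OMVS segment whose values fall outside the range RACF accepts."""
    bad = []
    for name, value in segment.items():
        if name not in OMVS_LIMITS:
            bad.append(f"{name} is not a numeric OMVS limit handled here")
            continue
        lo, hi, _ = OMVS_LIMITS[name]
        if not lo <= value <= hi:
            bad.append(f"{name}({value}) is outside {lo} - {hi}")
    return bad


def effective_limits(segment: dict[str, int], bpxprm: dict[str, int],
                     uid: int) -> dict[str, int | None]:
    """Hard limits the user's processes receive: the OMVS segment value when
    present, otherwise the BPXPRMxx value. PROCUSERMAX does not limit UID 0;
    None marks a limit that is not enforced or not known."""
    result: dict[str, int | None] = {}
    for name, (_, _, parm) in OMVS_LIMITS.items():
        if name == "PROCUSERMAX" and uid == 0:
            result[name] = None
        else:
            result[name] = segment.get(name, bpxprm.get(parm))
    return result


def conformance_warnings(limits: dict[str, int | None]) -> list[str]:
    """Flag FILEPROCMAX or PROCUSERMAX below the POSIX or FIPS minima and a
    THREADSMAX of 0, which stops the user's applications using pthread_create."""
    warnings = []
    for name in ("FILEPROCMAX", "PROCUSERMAX"):
        value = limits.get(name)
        if value is None:
            continue
        if value < POSIX_MIN:
            warnings.append(f"{name}({value}) is below the POSIX minimum of {POSIX_MIN}")
        elif value < FIPS_MIN:
            warnings.append(f"{name}({value}) is below the FIPS minimum of {FIPS_MIN}")
    if limits.get("THREADSMAX") == 0:
        warnings.append("THREADSMAX(0) prevents this user's applications from using pthread_create")
    return warnings


if __name__ == "__main__":
    # Constructed sample: one user's OMVS segment and a few BPXPRMxx values.
    segment = {"FILEPROCMAX": 20, "THREADSMAX": 0}
    bpxprm = {"MAXFILEPROC": 64000, "MAXPROCUSER": 200, "MAXTHREADS": 500}
    limits = effective_limits(segment, bpxprm, uid=1001)
    print(validate_omvs_limits(segment), limits, conformance_warnings(limits))
```

Auditing the effective value rather than the segment alone is the point: a user with no FILEPROCMAX in the profile inherits MAXFILEPROC, so a profile that looks empty can still carry a limit that conflicts with the standards the shop claims to meet.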
- OPERATIONS
| NOOPERATIONS
-
- OPERATIONS
- Specifies
that the new user has authorization to do maintenance operations on
all RACF-protected data sets, tape volumes, and DASD volumes except
those where the access list specifically limits the OPERATIONS user
to a lower access authority than the operation requires.
The OPERATIONS
attribute allows the user to access VM resources except those where
the resource's access list specifically limits the OPERATIONS user
to a lower access authority.
You establish the lower access
authority for the OPERATIONS user through the PERMIT command. OPERATIONS
specified on ADDUSER overrides NOOPERATIONS specified on the CONNECT
command.
You must have the SPECIAL attribute to enter the OPERATIONS
operand.
- NOOPERATIONS
- Specifies
that the new user is not to have the OPERATIONS attribute. NOOPERATIONS
is the default if you omit both OPERATIONS and NOOPERATIONS.
- OPERPARM
- Specifies
default information used when this user establishes an extended MCS
console session.
You can control access to the entire OPERPARM
segment or to individual fields within the OPERPARM segment by using
field-level access checking. For more information, see z/OS Security Server RACF Security Administrator's Guide.
For
information on planning how to use OPERPARM segments, see z/OS MVS Planning: Operations.
Note:
- You need not specify every suboperand in an OPERPARM segment.
In general, if you omit a suboperand, the default is the same as the
default in the CONSOLxx PARMLIB member, which can also be used to
define consoles.
- If you specify MSCOPE or ROUTCODE but do not specify a value for
them, RACF uses MSCOPE(*ALL)
and ROUTCODE(NONE) to update the corresponding fields in the user
profile, and these values appear in listings of the OPERPARM segment
of the user profile.
- If you omit the other suboperands, RACF does
not update the corresponding fields in the user's profile, and no
value appears in listings of the OPERPARM segment of the profile.
- ALTGRP(alternate-console-group)
- Specifies
the console group used in recovery. It can contain 1 - 8 characters.
Valid characters are 0 - 9, A - Z, # (X'7B'), $ (X'5B'),
or @ (X'7C').
Restriction: Starting
with z/OS Version 1 Release 8, console
services ignores ALTGRP(alternate-console-group)
when a session is established and it need not be specified.
- AUTH
- Specifies the authority
this console has to issue operator commands.
If you omit this
operand, RACF does not add
this field to the user's profile. However, an extended MCS console
uses AUTH(INFO) when a session is established.
- MASTER
- Allows this console to act as a master console, which can issue
all MVS operator commands.
- ALL
- Allows this console to issue system control commands, input/output
commands, console control commands, and informational commands.
- INFO
- Allows this console to issue informational commands.
- CONS
- Allows this console to issue console control and informational
commands.
- IO
- Allows this console to issue input/output and informational commands.
- SYS
- Allows this console to issue system control commands and informational
commands.
- AUTO(YES | NO)
- Specifies
whether the extended console can receive messages that have been automated
by the Message Processing Facility (MPF) in the sysplex.
If you
omit this operand, RACF does
not add this field to the user's profile. However, an extended MCS
console uses AUTO(NO) when a session is established.
- CMDSYS(system-name | *)
- Specifies
the system to which commands issued from this console are to be sent.
The system-name value must be 1 - 8 characters.
Valid characters are A - Z, 0 - 9, @ (X'7C'), # (X'7B'),
and $ (X'5B'). If * is
specified, commands are processed on the local system where the console
is attached.
If you omit this operand, RACF does not add this field to the user's profile.
However, an extended MCS console uses CMDSYS(*) when
a session is established.
- DOM
- Specifies
whether this console receives delete operator message (DOM) requests.
If you omit this operand, RACF does
not add this field to the user's profile. However, an extended MCS
console uses DOM(NORMAL) when a session is established.
- NORMAL
- Specifies that the system queues all appropriate DOM requests
to this console.
- ALL
- Specifies that all systems in the sysplex queue DOM requests to
this console.
- NONE
- Specifies that no DOM requests are queued to this console.
- HC(YES | NO)
- Specifies whether
this console is to receive all messages that are directed to hardcopy.
Any route codes specified for a console do not apply to hardcopy messages,
so this console will receive all hardcopy messages regardless of their
specific route code.
If you omit this operand, RACF does not add this field to the user's profile.
However, z/OS console services
uses HC(NO) when a session is established.
- INTIDS(YES | NO)
- Specifies
whether this console is to receive messages directed to console ID
zero (the internal console). Such messages are usually responses to
internally issued commands.
If you omit this operand, RACF does not add this field to
the user's profile. However, z/OS console
services will use INTIDS(NO) when a session is established.
- KEY(searching-key)
- Specifies
a 1 - 8
byte character name that can be used to display information for all
consoles with the specified key by using the MVS command DISPLAY CONSOLES,KEY.
If specified, KEY can include A - Z, 0 - 9, # (X'7B'), $ (X'5B'),
or @ (X'7C').
If you omit this operand, RACF does not add this field to
the user's profile. However, an extended MCS console uses a KEY value
of NONE when a session is established.
- LEVEL
- Specifies
the messages that this console is to receive. The message-level variable
can be a list of R, I, CE, E, IN, NB or ALL. If you specify ALL, you
cannot specify R, I, CE, E, or IN.
If you omit this operand, RACF does not add this field to
the user's profile. However, an extended MCS console uses LEVEL(ALL)
when a session is established.
- NB
- The console receives no broadcast messages.
- ALL
- The console receives these messages: R, I, CE, E, IN.
- R
- The console receives messages requiring an operator reply.
- I
- The console receives immediate action messages.
- CE
- The console receives critical eventual action messages.
- E
- The console receives eventual action messages.
- IN
- The console receives informational messages.
- LOGCMDRESP
- Specifies
if command responses are to be logged.
If you omit this operand, RACF does not add this field to
the user's profile. However, an extended MCS console uses LOGCMDRESP(SYSTEM)
when a session is established.
- SYSTEM
- Specifies that command responses are logged in the hardcopy log.
- NO
- Specifies that command responses are not logged.
- MFORM(message-format)
- Specifies
the format in which messages are displayed at the console. Can be
a combination of J, M, S, T, and X:
- J
- Messages are displayed with a job ID or name.
- M
- Message text is displayed.
- S
- Messages are displayed with the name of the originating system.
- T
- Messages are displayed with a time stamp.
- X
- Messages that are flagged as exempt from job name and system name
formatting are ignored.
If you omit this operand, RACF does not add this field to the user's profile.
However, an extended MCS console uses MFORM(M) when a session is established.
- MIGID(YES | NO)
- Specifies
that a 1-byte migration ID is to be assigned to this console. The
migration ID allows command processors that use a 1-byte console ID
to direct command responses to this console.
Restriction: Starting
with z/OS Version 1 Release 7, console
services ignores MIGID(YES | NO) when a session is established and
it need not be specified.
- MONITOR(events)
- Specifies
which information should be displayed when jobs, TSO sessions, or
data set status are being monitored.
If you omit this operand, RACF does not add this field to
the user's profile. However, an extended MCS console uses MONITOR(JOBNAMES
SESS) when a session is established. The events value
can be a list of the following:
- JOBNAMES | JOBNAMEST
- Displays information about the start and end of each job. JOBNAMES
omits the times of job start and job end. JOBNAMEST displays the times
of job start and job end.
- SESS | SESST
- Displays information about the start and end of each TSO session.
SESS omits the times of session start and session end. SESST displays
them.
- STATUS
- Specifies that the information displayed when a data set is freed
or unallocated should include the data set status.
- MSCOPE
- Specifies
the systems from which this console can receive messages that are
not directed to a specific console.
If you omit this operand, RACF does not add this field to
the user's profile. However, an extended MCS console uses MSCOPE(*ALL)
when a session is established.
If you specify MSCOPE but omit
a value, RACF uses MSCOPE(*ALL)
to update this field in the user's profile. *ALL
appears in listings of the OPERPARM segment of the user's profile.
- system-name
- Is a list of one or more system names, where system-name can
be any combination of A - Z, 0 - 9, # (X'7B'), $ (X'5B'),
or @ (X'7C').
- *
- Is the system on which the console is currently active.
- *ALL
- All systems.
- ROUTCODE(ALL | NONE | routing-codes)
- Specifies
the routing codes of messages this console is to receive.
If you
omit this operand, RACF does
not add this field to the user's profile. However, an extended MCS
console uses ROUTCODE(NONE) when a session is established.
If
you specify ROUTCODE but omit a value, RACF uses
ROUTCODE(NONE) to update this field in the user's profile. NONE appears
in listings of the OPERPARM segment of the user's profile. The value
for ROUTCODE can be one of the following:
- ALL
- All routing codes.
- NONE
- No routing codes.
- routing-codes
- One or more routing codes or sequences of routing codes. The routing
codes can be a list of n and n1:n2,
where n, n1, and n2 are
integers 1 - 128,
and n2 is greater than n1.
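The following is an added example, not RACF code, that parses the ROUTCODE value forms just described (ALL, NONE, or a list of n and n1:n2 with 1 <= n1 < n2 <= 128) into the set of routing codes a console receives, and uses it to decide whether a message with given routing codes reaches that console. It assumes list items may be separated by blanks or commas.

```python
import re

# Added example (not RACF code): parses a ROUTCODE value into the set of
# routing codes selected, enforcing the 1 - 128 range and n2 > n1 rule.
# Assumption: list items may be separated by blanks or commas,
# as in ROUTCODE(1,2:5,10).

ROUTCODE_MIN, ROUTCODE_MAX = 1, 128


def _code(text: str) -> int:
    """Validate a single routing code and return it as an integer."""
    if not text.isdigit():
        raise ValueError(f"routing code must be an integer: {text!r}")
    n = int(text)
    if not ROUTCODE_MIN <= n <= ROUTCODE_MAX:
        raise ValueError(f"routing code {n} outside {ROUTCODE_MIN} - {ROUTCODE_MAX}")
    return n


def parse_routcode(value: str) -> set:
    """Return the set of routing codes selected by a ROUTCODE value."""
    text = value.strip().upper()
    if text == "ALL":
        return set(range(ROUTCODE_MIN, ROUTCODE_MAX + 1))
    if text == "NONE":
        return set()
    codes = set()
    for item in re.split(r"[,\s]+", text):
        if not item:
            continue
        if ":" in item:
            # n1:n2 is a sequence; n2 must be greater than n1
            first, last = item.split(":", 1)
            n1, n2 = _code(first), _code(last)
            if n2 <= n1:
                raise ValueError(f"n2 must be greater than n1 in {item!r}")
            codes.update(range(n1, n2 + 1))
        else:
            codes.add(_code(item))
    if not codes:
        raise ValueError("ROUTCODE list contains no routing codes")
    return codes


def console_receives(message_codes, console_value: str) -> bool:
    """True if a message carrying message_codes is routed to a console whose
    OPERPARM ROUTCODE is console_value (hardcopy delivery via HC is separate)."""
    return bool(set(message_codes) & parse_routcode(console_value))


if __name__ == "__main__":
    # Constructed sample: the console was defined with ROUTCODE(1,2:5,10)
    print(sorted(parse_routcode("1,2:5,10")))
    print(console_receives([2, 9], "1,2:5,10"), console_receives([9], "NONE"))
```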
- STORAGE(amount)
- Specifies
the amount of storage in megabytes in the TSO/E user's address space
that can be used for message queuing to this console. If specified,
STORAGE must be a number from 1 - 2000.
If you omit this operand, RACF does
not add this field to the user's profile. However, an extended MCS
console uses STORAGE(1) when a session is established and a value
of 0 is listed in the OPERPARM segment of the user's profile to indicate
that no storage value was specified.
- UD(YES | NO)
- Specifies
whether this console is to receive undelivered messages. If you omit
this operand, RACF does not
add this field to the user's profile.
Restriction: Starting
with z/OS Version 1 Release 8, console
services ignores UD(YES | NO) when a session is established and it
need not be specified.
- UNKNIDS(YES | NO)
- Specifies
whether this console is to receive messages directed to unknown console
IDs. Unknown consoles are typically one-byte console IDs that the
system cannot unambiguously resolve.
If you omit this operand, RACF does not add this field to
the user's profile. However, z/OS console
services will use UNKNIDS(NO) when a session is established.
- OVM
- Specifies
OpenExtensions VM information for the user being defined. Information
is stored in the OVM segment of the user's profile.
You can control
access to an entire OVM segment or to individual fields within the
OVM segment by using field level access checking.
- FSROOT(file-system-root)
- Specifies
the pathname for the file system root.
When you define the FSROOT
pathname to RACF, it can contain
1 - 1023
characters, consist of any character, and be entered with or without
single quotation marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are entered as part
of the pathname, the character string must be enclosed in single quotation
marks. For example if the pathname is (123), you
must enter FSROOT('(123)').
- If a single quotation mark is intended to be part of the pathname,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
When entering the ADDUSER command, both uppercase and
lowercase characters are accepted and maintained in the case in which
they are entered.
If you do not specify a value for FSROOT
in the OVM segment, VM uses the value specified in the CP directory.
If no value is specified in the CP directory, issue the OPENVM MOUNT
command to mount the appropriate file system.
- HOME(initial-directory-name)
- Specifies
the initial directory pathname. The initial directory is part of the
file system and is the current working directory for the user's process
when the user enters the OPENVM SHELL command. When you define the HOME
pathname to RACF, it can contain 1 - 1023 characters,
consist of any character, and be entered with or without single quotation
marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are entered as part
of the pathname, the character string must be enclosed in single quotation
marks. For example if the pathname is (123), you
must enter HOME('(123)').
- If a single quotation mark is intended to be part of the pathname,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
When entering the ADDUSER command, both uppercase and lowercase
characters are accepted and maintained in the case in which they are
entered.
If no value is specified for HOME in the OVM segment,
VM uses the value specified in the CP directory. If no value is specified
in the CP directory, VM sets the working directory for the user to /,
the root directory.
- PROGRAM(program-name)
- Specifies
the PROGRAM pathname (z/OS UNIX shell
program). This is the first program started when the OPENVM SHELL
command is entered. When you define a PROGRAM pathname to RACF, it can contain 1 - 1023 characters,
consist of any character and be entered with or without single quotation
marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are entered as part
of the pathname, the character string must be enclosed in single quotation
marks. For example if the pathname is (123), you
must enter PROGRAM('(123)').
- If a single quotation mark is intended to be part of the pathname,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
When entering the ADDUSER command for OVM segment information,
both uppercase and lowercase characters are accepted and maintained
in the case in which they are entered. Specify the fully qualified
pathname, because RACF does
not ensure that a valid pathname has been specified.
If no
value is specified for PROGRAM in the OVM segment, VM uses the value
specified in the CP directory. If no value is specified in the CP
directory, VM gives control to the default z/OS UNIX shell
program (/bin/sh) when a user issues the OPENVM SHELL
command.
- UID(user-identifier)
- Specifies
the user identifier. The UID is a numeric value from 0 - 2 147 483 647.
Care should be taken in assigning 0 as the user identifier. UID
0 is considered a superuser.
If UID is not specified, the user
is assigned the default UID of 4294967295 (X'FFFFFFFF') and
the LISTUSER command for that user ID shows NONE for the UID.
Note: RACF does not require the UID to
be unique. You can assign the same value to multiple users, but this
is not recommended because individual user control is lost. However,
if you want a set of users to have exactly the same access to the
OpenExtensions VM resources, you can assign the same UID to more than
one user.
- OWNER(userid or group-name)
- Specifies
a RACF-defined user or group to be assigned as the owner of the RACF profile for the user being
added. If you omit this operand, you are defined as the owner.
- PASSWORD | NOPASSWORD
-
- PASSWORD[(password)]
- Specifies the user's initial
logon password. This password is always set expired, thus requiring
the user to change the password at initial logon. Note that the password
syntax rules your installation defines using SETROPTS PASSWORD do
not apply to this password.
If you omit both PASSWORD and NOPASSWORD,
or enter PASSWORD with no value, RACF takes
the group name from the DFLTGRP operand as the default password.
- NOPASSWORD
- Specifies
that the new user does not need to supply an initial logon password
when first entering the system if OIDCARD is also specified. If you
specify NOOIDCARD (or you allow this option to default) and you specify
NOPASSWORD, you define a protected user ID that cannot be used to
enter the system by any means that requires a password to be specified,
such as a TSO logon, CICS signon,
or batch job that specifies a password on the JOB statement. Therefore,
user IDs that you assign to z/OS UNIX, UNIX daemons, started procedures,
applications, servers or subsystems can be protected from being revoked
when an incorrect password is entered. If the user attempts to enter
the system with a password, the attempt fails. Note that the protected
user ID is not revoked due to the failed password attempts even if
the SETROPTS PASSWORD(REVOKE) option is in effect.
Determine which
user IDs you want to protect, ensuring that these user IDs will not
be used in any circumstance where a password must be supplied. A protected
user will have the PROTECTED attribute displayed in the output of
the LISTUSER command. Protected users can be associated with started
procedures defined in the STARTED class (preferred method) or in the
started procedures table (ICHRIN03).
Note: Kerberos information,
such as a local principal name, must not be defined for protected
user IDs and these user IDs must not be used for Kerberos authentication,
because Kerberos authentication failures can result in user revocation.
- PHRASE('password-phrase')
- Specifies
the user's initial password phrase. The password phrase you define
is a text string of up to 100 characters and must be enclosed in single
quotation marks. The password phrase is always set expired, thus requiring
the user to change it on initial use.
When the new-password-phrase exit (ICHPWX11) is present
and allows it, the password phrase can be 9 - 100 characters.
When ICHPWX11 is not present, the password phrase must be 14 - 100 characters.
Contact your system programmer to find out if your installation uses
the new-password-phrase exit (ICHPWX11) or see z/OS Security Server RACF System Programmer's Guide for programming details.
Every user
that you assign a password phrase must have a password. When
you specify PHRASE for a user without specifying PASSWORD, the user
is assigned the default password. When you specify PHRASE with NOPASSWORD,
an error message is issued indicating that the NOPASSWORD operand
is ignored and the user is assigned the default password.
The
following syntax rules apply to all password phrases. You cannot alter
these syntax rules but you can specify additional syntax rules if
your installation tailors the new-password-phrase exit (ICHPWX11).
Syntax rules for password phrases:
- Maximum length: 100 characters
- Minimum length:
- 9 characters, when ICHPWX11 is present and allows the new value
- 14 characters, when ICHPWX11 is not present
- Must not contain the user ID (as sequential uppercase or sequential
lowercase characters)
- Must contain at least 2 alphabetic characters (A - Z, a - z)
- Must contain at least 2 non-alphabetic characters (numerics, punctuation,
or special characters)
- Must not contain more than 2 consecutive characters that are identical
- If a single quotation mark is intended to be part of the password
phrase, you must use two single quotation marks together for each
single quotation mark.
If the new-password-phrase exit (ICHPWX11) is
present, it can reject the specified password phrase. RACF rejects password phrases shorter than 14
characters unless ICHPWX11 is present and allows the new value.
If the specified password phrase is accepted, it is
made the user's current password phrase and, when SETROPTS PASSWORD(HISTORY)
is in effect, it is added to the user's password phrase history.
If you omit
PHRASE, no password phrase is assigned. If you enter PHRASE without
a password-phrase value, you are prompted
for a value unless your TSO session is in NOPROMPT mode.
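The following is an added example, not RACF code: a pre-check that applies the password phrase syntax rules listed above before an ADDUSER ... PHRASE('...') is issued, and renders the quoted PHRASE operand. RACF performs the real validation; it assumes blanks count as non-alphabetic characters, and an installation's ICHPWX11 exit may add rules of its own.

```python
import re

# Added example (not RACF code): checks a candidate password phrase against
# the syntax rules RACF always applies. ICHPWX11, when present, may reject
# further phrases or allow 9 - 13 character ones; that is modelled only by
# the ichpwx11_present flag.

MAX_LEN = 100
MIN_LEN_WITH_EXIT = 9      # ICHPWX11 present and allows the new value
MIN_LEN_WITHOUT_EXIT = 14  # ICHPWX11 not present


def is_alpha(c: str) -> bool:
    """Alphabetic per the rule: A - Z or a - z only."""
    return ("A" <= c <= "Z") or ("a" <= c <= "z")


def check_phrase(phrase: str, userid: str, ichpwx11_present: bool = False) -> list:
    """Return the list of rules the phrase breaks; an empty list means the
    phrase satisfies every rule RACF always applies."""
    problems = []
    min_len = MIN_LEN_WITH_EXIT if ichpwx11_present else MIN_LEN_WITHOUT_EXIT
    if len(phrase) > MAX_LEN:
        problems.append("too long")
    if len(phrase) < min_len:
        problems.append("too short")
    # The user ID must not appear as sequential uppercase or lowercase chars.
    if userid and (userid.upper() in phrase or userid.lower() in phrase):
        problems.append("contains user ID")
    alpha = sum(1 for c in phrase if is_alpha(c))
    if alpha < 2:
        problems.append("fewer than 2 alphabetic")
    # Assumption: blanks count as non-alphabetic (special) characters.
    if len(phrase) - alpha < 2:
        problems.append("fewer than 2 non-alphabetic")
    # No more than 2 consecutive identical characters.
    if re.search(r"(.)\1\1", phrase):
        problems.append("3+ identical consecutive")
    return problems


def phrase_operand(phrase: str) -> str:
    """Render the PHRASE operand: enclose in single quotation marks and
    double every single quotation mark inside the phrase."""
    return "PHRASE('" + phrase.replace("'", "''") + "')"


if __name__ == "__main__":
    # Constructed samples for user ID JSMITH, without ICHPWX11
    for p in ("correct horse battery 42!", "jsmith is here 2024!", "short1!"):
        print(f"{p!r}: {check_phrase(p, 'JSMITH') or 'OK'}")
    print(phrase_operand("it's a secret phrase 7"))
```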
- PROXY
- Specifies
information which the z/OS LDAP
server will use when acting as a proxy on behalf of a requester. The R_proxyserv (IRRSPY00)
SAF callable service will attempt to retrieve this information when
it is not explicitly supplied with the invocation parameters. Applications
or other services which use the R_proxyserv callable
service, such as IBM Policy Director Authorization Services for
z/OS and OS/390, may
instruct their invokers to define PROXY segment information.
- LDAPHOST(ldap_url)
- Specifies
the URL of the LDAP server which the z/OS LDAP
server will contact when acting as a proxy on behalf of a requester.
An LDAP URL has a format such as ldap://123.45.6:389 or ldaps://123.45.6:636,
where ldaps indicates that an SSL connection is desired
for a higher level of security. LDAP will also allow you to specify
the host name portion of the URL using either the text form (BIGHOST.POK.IBM.COM)
or the dotted decimal address (123.45.6). The port
number is appended to the host name, separated by a colon : (X'7A').
For
more information about LDAP URLs and how to enable LDAP servers for
SSL connections, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.
The
LDAP URL that you define to RACF can
consist of 10 - 1023
characters. A valid URL must start with either ldap:// or ldaps://. RACF will allow any characters
to be entered for the remaining portion of the URL, but you should
ensure that the URL conforms to TCP/IP conventions. For example, parentheses,
commas, blanks, semicolons, and single quotation marks are not typically
allowed in a host name. The LDAP URL can be entered with or without
single quotation marks, however, in both cases, it will be translated
to uppercase.
RACF does
not ensure that a valid LDAP URL has been specified.
- BINDDN(bind_distinguished_name)
- Specifies the distinguished name (DN)
which the z/OS LDAP server
will use when acting as a proxy on behalf of a requester. This DN
will be used in conjunction with the BIND password if the z/OS LDAP server needs to supply
an administrator or user identity to BIND with another LDAP server.
A DN is made up of attribute value pairs, separated by commas. For
example:
cn=Ben Gray,ou=editing,o=New York Times,c=US
cn=Lucille White,ou=editing,o=New York Times,c=US
cn=Tom Brown,ou=reporting,o=New York Times,c=US
When
you define a BIND DN to RACF,
it can contain 1 - 1023 characters.
The BIND DN can consist of any characters and can be entered with
or without single quotation marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are to be entered
as part of the BIND DN, the character string must be enclosed in single
quotation marks.
- If a single quotation mark is intended to be part of the BIND
DN, use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
Both uppercase and lowercase characters are accepted
and maintained in the case in which they are entered. For more information
about LDAP distinguished names, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.
If
you issue the ADDUSER command as a RACF operator
command and you specify the BIND DN in lowercase, you must include
the BIND DN within single quotations.
RACF does not ensure that a valid BIND DN has
been specified.
- BINDPW
- Specifies
the password which the z/OS LDAP
server will use when acting as a proxy on behalf of a requester.
When
you define a BIND password to RACF,
it can contain 1 - 128 characters.
The BIND password can consist of any characters (see exception below)
and can be entered with or without single quotation marks.
Rules:
- The BIND password cannot start with the left brace { character (X'8B').
- If parentheses, commas, blanks, or semicolons are to be entered
as part of the BIND password, the character string must be enclosed
in single quotation marks.
- If a single quotation mark is intended to be part of the BIND
password, use two single quotation marks together for each single
quotation mark within the string, and enclose the entire string within
single quotation marks.
Both uppercase and lowercase characters are accepted
and maintained in the case in which they are entered. For more information
about LDAP passwords, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.
If
you issue the ADDUSER command as a RACF operator
command and you specify the BIND password in lowercase, you must include
the BIND password within single quotations.
RACF does not ensure that a valid BIND password
has been specified.
Attention:
- When the command is issued from ISPF, the TSO command buffer (including
possible BINDPW password data) is written to the ISPLOG data set.
As a result, you should not issue this command from ISPF or you must
control the ISPLOG data set carefully.
- When the command is issued as a RACF operator
command, the command and the possible BINDPW password data is written
to the system log. Therefore, use of ADDUSER as a RACF operator command should either be controlled
or you should issue the command as a TSO command.
- RESTRICTED
| NORESTRICTED
-
- RESTRICTED
- Specifies that global access
checking is bypassed when resource access checking is performed for
the new user, and neither ID(*) on the access list
nor the UACC will allow access. The RESTRICTED.FILESYS.ACCESS profile
in the UNIXPRIV class can also be used to bypass the z/OS UNIX 'other'
permission bits during file access checking for RESTRICTED users.
Note: If
your installation has profiles defined in the PROGRAM class and the
user ID with the RESTRICTED attribute needs to load programs covered
by one or more of these profiles, the user ID or a group to which
the user is connected must be put on the access list with EXECUTE
or READ authority.
- NORESTRICTED
- Specifies
that the new user does not have the RESTRICTED attribute and access
checking is performed the standard way including global access checking, ID(*),
the UACC, and the z/OS UNIX 'other'
permission bits as appropriate. NORESTRICTED is the default value
if you omit both the RESTRICTED and NORESTRICTED keywords.
- SECLABEL(security-label)
- Specifies
the user's default security label, where security-label is
an installation-defined security label name that represents an association
between a particular security level and zero or more security categories.
If the user does not enter a security label when entering the
system, and none is assigned based on the user's port of entry, this
value becomes the user's current security label.
A security
label corresponds to a particular security level (such as CONFIDENTIAL)
with a set of zero or more security categories (such as PAYROLL or
PERSONNEL).
When no profile exists in the SECLABEL class for security-label,
the ADDUSER command fails and the user is not added.
- SECLEVEL(security-level)
- Specifies
the user's security level, where security-level is
an installation-defined security level name that must be a member
of the SECLEVEL profile in the SECDATA class. The security-level that
you specify corresponds to the number of the minimum security level
that a user must have to access the resource.
When you specify
SECLEVEL and the SECDATA class is active, RACF adds security level access checking to
its other authorization checking. If global access checking does not
grant access, RACF compares
the security level allowed in the user profile with the security level
required in the resource profile. If the security level in the user
profile is less than the security level in the resource profile, RACF denies the access. If the
security level in the user profile is equal to or greater than the
security level in the resource profile, RACF continues
with other authorization checking.
Note: RACF does not perform security level checking
for a started task or user that has the RACF privileged
or trusted attribute. The RACF privileged
or trusted attribute can be assigned to a started task through the RACF started procedures table or
STARTED class, or to other users by installation-supplied RACF exits.
When the
SECDATA class is not active, RACF ignores
this operand. When no member of the SECLEVEL profile exists for security-level,
you are prompted to provide a valid security-level.
- SPECIAL
| NOSPECIAL
-
- SPECIAL
- Specifies that the new
user is allowed to issue all RACF commands
with all operands except the operands that require the AUDITOR attribute.
SPECIAL specified on the ADDUSER command overrides NOSPECIAL specified
on the CONNECT command.
You must have the SPECIAL attribute to
enter the SPECIAL operand.
- NOSPECIAL
- Specifies
that the new user is not to have the SPECIAL attribute. NOSPECIAL
is the default if you omit both SPECIAL and NOSPECIAL.
- TSO
- Specifies
that when you define a TSO user to RACF,
you can enter any of the following suboperands to specify default
TSO logon information for that user. Each suboperand defines information
that RACF stores in a field
within the TSO segment of the user's profile.
You can control
access to an entire TSO segment or to individual fields within the
TSO segment by using field-level access checking. For more information,
see z/OS Security Server RACF Security Administrator's Guide.
- ACCTNUM(account-number)
- Specifies
the user's default TSO account number when logging on through the
TSO/E logon panel. The account number you specify must be protected
by a profile in the ACCTNUM general resource class, and the user must
be granted READ access to the profile. Otherwise, the user cannot
log on to TSO using the specified account number.
Account numbers
can consist of any characters, and can be entered with or without
single quotation marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are to be entered
as part of the account number, the character string must be enclosed
in single quotation marks. For example, if the account number is (123),
you must enter ACCTNUM('(123)').
- If a single quotation mark is intended to be part of the account
number, use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
A user can change an account number, or specify an account
number if one has not been specified, using the TSO/E logon panel. RACF checks the user's authorization
to the specified account number. If the user is authorized to use
the account number, RACF stores
the account number in the TSO segment of the user's profile, and TSO/E
uses it as a default value the next time the user logs on to TSO/E.
Otherwise, RACF denies the
use of the account number.
Note: When you define an account number
on TSO, you can specify 1 - 40 characters.
When you define a TSO account number to RACF,
you can specify only 1 - 39 characters.
- COMMAND(command-issued-at-logon)
- Specifies
the command to be run during TSO/E logon. TSO/E uses this field to
prime the COMMAND field of the logon panel. The command value can
contain 1 - 80
characters and consist of any characters. You can enter the value
with or without single quotation marks depending on the following
rules:
- If the command value contains parentheses, commas, blanks, or
semicolons, enclose the character string in single quotation marks.
- If a single quotation mark is intended to be part of the command
value, use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
Both uppercase and lowercase characters are accepted and
maintained in the case in which they are entered. A user can change
the command value, or specify a command if one has not been specified,
using the TSO/E logon panel.
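The following is an added example, not RACF code, covering the quoting rules that FSROOT, HOME, PROGRAM, BINDDN, BINDPW, ACCTNUM and COMMAND share: it renders a value in the form that must be typed inside the operand parentheses, reverses that rendering, and checks the length limit stated for each operand. The operator_command flag is an assumption drawn from the BINDDN and BINDPW note that lowercase text must be quoted when ADDUSER is issued as a RACF operator command.

```python
# Added example (not RACF code): quoting helper for ADDUSER operand values.
# MAX_LEN holds the limits stated for each operand on this page.

MAX_LEN = {"FSROOT": 1023, "HOME": 1023, "PROGRAM": 1023, "BINDDN": 1023,
           "BINDPW": 128, "ACCTNUM": 39, "COMMAND": 80}

# Any of these inside a value forces the single-quoted form.
FORCE_QUOTES = set("(), ;'")


def racf_quote(value: str, operator_command: bool = False) -> str:
    """Return the value as it must be typed inside the operand parentheses."""
    needs = any(c in FORCE_QUOTES for c in value)
    # Assumption: as a RACF operator command, lowercase survives only inside
    # single quotation marks, so quote whenever lowercase is present.
    if operator_command and any(c.islower() for c in value):
        needs = True
    if needs:
        return "'" + value.replace("'", "''") + "'"
    return value


def racf_unquote(text: str) -> str:
    """Reverse racf_quote; raises ValueError on text RACF would not accept."""
    if len(text) >= 2 and text[0] == "'" and text[-1] == "'":
        inner = text[1:-1]
        # Every quotation mark inside the string must be doubled.
        if "'" in inner.replace("''", ""):
            raise ValueError("unpaired single quotation mark in quoted value")
        return inner.replace("''", "'")
    if any(c in FORCE_QUOTES for c in text):
        raise ValueError("value with parentheses, commas, blanks, semicolons "
                         "or quotation marks must be enclosed in single quotation marks")
    return text


def operand(keyword: str, value: str, operator_command: bool = False) -> str:
    """Render KEYWORD(value) after checking the length limit for KEYWORD."""
    kw = keyword.upper()
    if kw not in MAX_LEN:
        raise ValueError(f"no length rule recorded for {kw}")
    if not 1 <= len(value) <= MAX_LEN[kw]:
        raise ValueError(f"{kw} value must be 1 - {MAX_LEN[kw]} characters")
    return f"{kw}({racf_quote(value, operator_command)})"


if __name__ == "__main__":
    # Constructed samples, including the (123) case from the text
    print(operand("ACCTNUM", "(123)"))
    print(operand("HOME", "/u/jsmith"))
    print(operand("BINDDN", "cn=Ben Gray,ou=editing,o=New York Times,c=US"))
    print(operand("BINDDN", "cn=admin", operator_command=True))
```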
- DEST(destination-id)
- Specifies
the default destination to which the system routes dynamically-allocated
SYSOUT data sets. The destination-id must
be 1 - 7
alphanumeric characters, beginning with an alphabetic or national
character.
- HOLDCLASS(hold-class)
- Specifies
the user's default hold class. The specified value must be 1 alphanumeric
character, excluding national characters.
If you specify the TSO
operand on the ADDUSER command but do not specify a value for HOLDCLASS, RACF uses a default value consistent
with current TSO defaults.
- JOBCLASS(job-class)
- Specifies
the user's default job class. The specified value must be 1 alphanumeric
character, excluding national characters.
If you specify the TSO
operand on the ADDUSER command but do not specify a value for JOBCLASS, RACF uses a default value consistent
with current TSO defaults.
- MAXSIZE(maximum-region-size)
- Specifies
the maximum region size the user can request at logon. The maximum-region-size is
the number of 1024-byte units of virtual storage that TSO can create
for the user's private address space. The specified value must
be an integer 0 - 2096128.
If
you specify the TSO operand on the ADDUSER command but do not specify
a value for MAXSIZE, or specify MAXSIZE(0), RACF uses a default value consistent with current
TSO defaults.
If values are specified for both MAXSIZE and
SIZE and SIZE is greater than MAXSIZE, RACF sets
SIZE equal to MAXSIZE. If a value is specified for only SIZE or MAXSIZE
and SIZE is greater than MAXSIZE, the operand is ignored.
- MSGCLASS(message-class)
- Specifies
the user's default message class. The specified value must be 1 alphanumeric
character, excluding national characters.
If you specify the TSO
operand on the ADDUSER command but do not specify a value for MSGCLASS, RACF uses a default value consistent
with current TSO defaults.
- PROC(logon-procedure-name)
- Specifies
the name of the user's default logon procedure when logging on through
the TSO/E logon panel. The name you specify must be 1 - 8 alphanumeric
characters and begin with an alphabetic character. The name must also
be defined as a profile in the TSOPROC general resource class, and
the user must be granted READ access to the profile. Otherwise, the
user cannot log on to TSO using the specified logon procedure.
A
user can change a logon procedure, or specify a logon procedure if
one has not been specified, using the TSO/E logon panel. TSO/E checks
the user's authorization to the specified logon procedure. If the
user is authorized to use the logon procedure, TSO/E uses it for this
session and stores the name of the procedure in the TSO segment of
the user's profile for use as the default value the next time the
user logs on to TSO/E. Otherwise, TSO/E denies use of the logon procedure.
- SECLABEL(security-label)
- Specifies
the user's security label if one was entered on the TSO LOGON panel.
On subsequent LOGONs, it appears automatically on the panel.
- SIZE(default-region-size)
- Specifies
the minimum region size if the user does not request a region size
at logon. The default region size is the number of 1024-byte units
of virtual storage available in the user's private address space at
logon. The specified value must be an integer 0 - 2096128.
A
user can change the minimum region size, or specify the minimum region
size if one has not been specified, using the TSO/E logon panel. RACF stores this value in the TSO
segment of the user's profile and TSO/E uses it as a default value
the next time the user logs on to TSO/E.
If values are specified
for both MAXSIZE and SIZE and SIZE is greater than MAXSIZE, RACF sets SIZE equal to MAXSIZE.
If a value is specified for only SIZE or MAXSIZE and SIZE is greater
than MAXSIZE, the operand is ignored.
- SYS(sysout-class)
- Specifies
the user's default SYSOUT class. The specified value must be 1 alphanumeric
character, excluding national characters.
If you specify the TSO
operand on the ADDUSER command but do not specify a value for SYS, RACF uses a default value consistent
with current TSO defaults.
- UNIT(unit-name)
- Specifies
the default name of a device or group of devices that a procedure
uses for allocations. The specified value must be 1 - 8 alphanumeric
characters.
- USERDATA(user-data)
- Specifies optional
installation data defined for the user. The specified value must be
4 EBCDIC characters. Valid characters are 0 - 9 and
A - F.
- UACC(access-authority)
- Specifies the
default value for the universal access authority for all new resource
profiles the user defines while the user's default group is the user's
current connect group. The universal access authorities are ALTER,
CONTROL, UPDATE, READ, and NONE. (RACF does
not accept EXECUTE access authority with the ADDUSER command.) If
you omit this operand or specify UACC without an access authority,
the default is NONE.
This operand is group-related. If a user
is subsequently connected to other groups (with the CONNECT command),
the user can have a different default universal access authority in
each group. Therefore, if the user specifies a different group at
logon time or at batch job execution, the user's default UACC is the
UACC of the specified group, not the UACC of the user's default group.
- WHEN
- Specifies the days of the
week and the hours in the day when the user is allowed to access the
system from a terminal. The day-of-week and time restrictions apply
only when a user logs on to the system; that is, RACF does not force the user off the system
if the end-time occurs while the user is logged on. Also, the day
and time restrictions do not apply to batch jobs; the user can submit
a batch job on any day and at any time.
If you omit the WHEN operand,
the user can access the system at any time. If you specify the WHEN
operand, you can restrict the user's access to the system to certain
days of the week or to a certain time period within each day. Otherwise,
you can restrict access to both certain days of the week and to a
certain time period within each day.
- DAYS(day-info)
- Specifies
the days of the week when a user may access the system. The day-info value
can be any one of the following:
- ANYDAY
- The user can access the system on any day. If you omit DAYS, ANYDAY
is the default.
- WEEKDAYS
- The user can access the system only on weekdays (Monday through
Friday).
- day …
- The user can access the system only on the days specified, where day can
be MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, or SUNDAY,
and you can specify the days in any order.
- TIME(time-info)
- Specifies
the time period each day when the user can access the system. The time-info value
can be any one of the following:
- ANYTIME
- Specifies that the user can access the system at any time. If
you omit TIME, ANYTIME is the default.
- start-time:end-time
- Specifies that the user can access the system only during the
specified time period. The format of both start-time and end-time
is hhmm, where hh is
the hour in 24-hour notation (00 - 23) and mm is
the minutes (00 - 59).
Note that 0000 is not a valid time value.
If
start-time is greater than end-time, the interval spans midnight and
extends into the following day.
If you omit DAYS and specify TIME, the time
restriction applies to all seven days of the week. If you specify
both DAYS and TIME, the user can access the system only during the
specified time period and only on the specified days.
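The WHEN semantics described above (ANYDAY and ANYTIME as defaults, hhmm validation with 0000 excluded, and an interval that spans midnight when start-time is greater than end-time) as an added, stand-alone Python example; it is not part of the RACF documentation or of IBM's code. Two points the documentation leaves open are treated as assumptions: end-time is inclusive, and for a window that wraps past midnight the calendar day of the logon attempt is the one checked against DAYS. The restriction spec is the text that would appear inside WHEN(...), for instance the DAYS(WEEKDAYS) TIME(0800:1800) used in Example 3 below.

```python
"""Evaluate an ADDUSER WHEN(DAYS(...) TIME(...)) restriction against a logon attempt.

Added example; not part of the RACF documentation or of IBM's code.  It models
the documented WHEN semantics: DAYS defaults to ANYDAY, TIME defaults to
ANYTIME, times are hhmm in 24-hour notation, 0000 is not a valid time, and a
start-time greater than end-time spans midnight into the following day.  The
restriction applies only at logon, so the single question answered here is
whether a logon at a given moment is permitted.
"""
import re
from datetime import datetime

DAY_NAMES = ["MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY",
             "FRIDAY", "SATURDAY", "SUNDAY"]          # index matches datetime.weekday()
WEEKDAYS = set(DAY_NAMES[:5])


def is_valid_time(value: str) -> bool:
    """True if value is hhmm with hh 00-23, mm 00-59, and not the excluded 0000."""
    if not re.fullmatch(r"\d{4}", value) or value == "0000":
        return False
    return int(value[:2]) <= 23 and int(value[2:]) <= 59


def to_minutes(value: str) -> int:
    """Convert a validated hhmm string to minutes after midnight."""
    if not is_valid_time(value):
        raise ValueError(f"invalid time value: {value!r}")
    return int(value[:2]) * 60 + int(value[2:])


def parse_when(spec: str):
    """Parse the text inside WHEN(...) into (allowed day names, (start, end) minutes or None).

    spec examples: "DAYS(WEEKDAYS) TIME(0800:1800)", "TIME(2200:0600)", "".
    """
    days_match = re.search(r"DAYS\(([^)]*)\)", spec, re.IGNORECASE)
    time_match = re.search(r"TIME\(([^)]*)\)", spec, re.IGNORECASE)

    if days_match is None or days_match.group(1).strip().upper() == "ANYDAY":
        allowed_days = set(DAY_NAMES)                    # ANYDAY is the default
    else:
        tokens = days_match.group(1).upper().split()
        if tokens == ["WEEKDAYS"]:
            allowed_days = set(WEEKDAYS)
        else:
            unknown = [t for t in tokens if t not in DAY_NAMES]
            if unknown or not tokens:
                raise ValueError(f"unknown day-info: {days_match.group(1)!r}")
            allowed_days = set(tokens)                   # days may be given in any order

    if time_match is None or time_match.group(1).strip().upper() == "ANYTIME":
        window = None                                    # ANYTIME is the default
    else:
        start, sep, end = time_match.group(1).strip().partition(":")
        if not sep:
            raise ValueError("time-info must be start-time:end-time")
        window = (to_minutes(start), to_minutes(end))
    return allowed_days, window


def logon_permitted(spec: str, at_iso: str) -> bool:
    """Return True if a logon at ISO timestamp at_iso satisfies the WHEN restriction spec."""
    allowed_days, window = parse_when(spec)
    at = datetime.fromisoformat(at_iso)
    if DAY_NAMES[at.weekday()] not in allowed_days:
        # Assumption: the calendar day of the logon attempt is the one checked,
        # including for the post-midnight part of a wrapped window.
        return False
    if window is None:
        return True
    minute = at.hour * 60 + at.minute
    start, end = window
    if start <= end:
        return start <= minute <= end                    # end-time treated as inclusive (assumption)
    # start > end: the interval spans midnight, so it is two pieces of the clock.
    return minute >= start or minute <= end
```

Because RACF applies WHEN only at logon, this check says nothing about a session that is still active when end-time passes, nor about batch jobs; both are explicitly outside the restriction.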
- WORKATTR
- Specifies
the user-specific attributes of a unit of work. z/OS elements
or features such as APPC, WLM, and z/OS UNIX might
use the WORKATTR segment.
- WAACCNT(account-number)
- Specifies
an account number for APPC/MVS processing.
You can specify a maximum
of 255 EBCDIC characters.
Use the following rules when entering a value for this field:
- If the account number contains parentheses, commas, blanks, or
semicolons, enclose the character string in single quotation marks.
For example, if the account number is (123), you must enter WAACCNT('(123)').
- If a single quotation mark is intended to be part of the account
number, use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
- WAADDRn(address-line)
- Specifies up
to four additional address lines for SYSOUT delivery. n can
be any number 1 - 4.
For each address-line, you can specify
a maximum of 60 EBCDIC characters. Both uppercase and lowercase characters
are accepted and maintained in the case in which they are entered.
Use the following rules when entering a value for this field:
- If the data contains parentheses, commas, blanks, or semicolons,
enclose the character string in single quotation marks. For example,
if the data is (123), you must enter WAADDR('(123)').
- If a single quotation mark is intended to be part of the data,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
- WABLDG(building)
- Specifies
the building that SYSOUT information is to be delivered to.
You
can specify a maximum of 60 EBCDIC characters. Both uppercase and
lowercase characters are accepted and maintained in the case in which
they are entered.
Use the following rules when entering a value for this field:
- If the data contains parentheses, commas, blanks, or semicolons,
enclose the character string in single quotation marks. For example,
if the data is (123), you must enter WABLDG('(123)').
- If a single quotation mark is intended to be part of the data,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
- WADEPT(department)
- Specifies
the department that SYSOUT information is to be delivered to.
You
can specify a maximum of 60 EBCDIC characters. Both uppercase and
lowercase characters are accepted and maintained in the case in which
they are entered.
Use the following rules when entering a value for this field:
- If the data contains parentheses, commas, blanks, or semicolons,
enclose the character string in single quotation marks. For example,
if the data is (123), you must enter WADEPT('(123)').
- If a single quotation mark is intended to be part of the data,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
- WANAME(name)
- Specifies
the name of the user that SYSOUT information is to be delivered to.
You can specify a maximum of 60 EBCDIC characters. Both uppercase
and lowercase characters are accepted and maintained in the case in
which they are entered.
Use the following rules when entering a value for this field:
- If the data contains parentheses, commas, blanks, or semicolons,
enclose the character string in single quotation marks. For example,
if the data is (123), you must enter WANAME('(123)').
- If a single quotation mark is intended to be part of the data,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
- WAROOM(room)
- Specifies
the room that SYSOUT information is to be delivered to.
You can
specify a maximum of 60 EBCDIC characters. Both uppercase and lowercase
characters are accepted and maintained in the case in which they are
entered.
Use the following rules when entering a value for this field:
- If the data contains parentheses, commas, blanks, or semicolons,
enclose the character string in single quotation marks. For example,
if the data is (123), you must enter WAROOM('(123)').
- If a single quotation mark is intended to be part of the data,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
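The quoting rules repeated for WAACCNT, WAADDRn, WABLDG, WADEPT, WANAME and WAROOM above, collected into one added Python example that renders a WORKATTR segment for an ADDUSER command; this is not part of the RACF documentation or of IBM's code. The length limits are the documented ones (255 for WAACCNT, 60 for the others); applying them to the raw data before quoting, and counting Python string characters rather than EBCDIC bytes, are assumptions.

```python
"""Build WORKATTR operand values for ADDUSER using the documented quoting rules.

Added example; not part of the RACF documentation or of IBM's code.  The rules
are the ones given for WAACCNT, WAADDRn, WABLDG, WADEPT, WANAME and WAROOM:
data containing parentheses, commas, blanks or semicolons is enclosed in single
quotation marks, and a single quotation mark inside the data is doubled with
the whole string then enclosed in single quotation marks.  Length limits come
from the same descriptions and are applied to the raw data before quoting
(an assumption about how the limit is counted).
"""

DELIMITERS = set("(), ;")   # characters that force quoting per the documentation

# Maximum data length for each WORKATTR field, from the operand descriptions.
MAX_LENGTH = {"WAACCNT": 255, "WABLDG": 60, "WADEPT": 60, "WANAME": 60, "WAROOM": 60}
MAX_LENGTH.update({f"WAADDR{n}": 60 for n in range(1, 5)})   # WAADDR1 .. WAADDR4


def quote_workattr(value: str) -> str:
    """Return value in the form accepted inside a WORKATTR field's parentheses."""
    if "'" in value:
        # Double each embedded quotation mark, then quote the whole string.
        return "'" + value.replace("'", "''") + "'"
    if any(ch in DELIMITERS for ch in value):
        return "'" + value + "'"
    return value                        # plain data needs no quoting


def fits(field: str, value: str) -> bool:
    """True if field is a known WORKATTR field and value is within its length limit."""
    limit = MAX_LENGTH.get(field.upper())
    return limit is not None and len(value) <= limit


def workattr_operand(field: str, value: str) -> str:
    """Render one WORKATTR field as FIELD(quoted-value), rejecting unknown or oversize data."""
    if not fits(field, value):
        raise ValueError(f"{field}: unknown field or value exceeds its length limit")
    return f"{field.upper()}({quote_workattr(value)})"


def workattr_segment(**fields: str) -> str:
    """Render a complete WORKATTR(...) segment from keyword arguments such as waaccnt='(123)'."""
    rendered = " ".join(workattr_operand(name, value) for name, value in fields.items())
    return f"WORKATTR({rendered})"
```

The rendered segment is meant to be appended to an ADDUSER command, for example workattr_segment(waaccnt="(123)", waname="T. F. Burns"), which reproduces the WAACCNT('(123)') form the documentation shows.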
Examples
Example 1
Operation: User IA0 wants to define users PAJ5 and ESH25 to RACF and assign RESEARCH
as their default group.
Known: User IA0 has JOIN authority to group RESEARCH and the CLAUTH attribute for the
USER class. Users PAJ5 and ESH25 are not defined to RACF. User IA0 is currently connected
to group RESEARCH. User IA0 wants to issue the command as a RACF TSO command.
Command: ADDUSER (PAJ5 ESH25)
Defaults: NAME(####################) PASSWORD(RESEARCH) OWNER(IA0) DFLTGRP(RESEARCH)
AUTHORITY(USE) UACC(NONE) NOGRPACC NOADSP NOSPECIAL NOOPERATIONS NOCLAUTH NOAUDITOR NOOIDCARD
Example 2
Operation: User WJE10 wants to define user RGH01 to RACF and assign PAYROLL as the
default and owning group. The password is PASS, group authority is CREATE, and universal
access authority is READ. User WJE10 wants to direct the command to run under the
authority of user EPC at ARMNK.
Known: User EPC at ARMNK has JOIN authority to group PAYROLL and the CLAUTH attribute
for the USER class. PAYROLL is not the default group of user EPC at ARMNK. User RGH01
is not defined to RACF on node ARMNK. The name of user RGH01 is RG Harris. User WJE10
wants to issue the command as a RACF TSO command. WJE10 and EPC at ARMNK have an
already established user ID association.
Command: ADDUSER RGH01 DFLTGRP(PAYROLL) OWNER(PAYROLL) PASSWORD(PASS) NAME('R. G. HARRIS')
AUTHORITY(CREATE) UACC(READ) AT(ARMNK.EPC)
Defaults: NOSPECIAL NOOPERATIONS NOCLAUTH NOOIDCARD NOAUDITOR
Example 3
Operation: User RACFMIN wants to define user PIZ30 to RACF with a security category of
NEWEMPLOYEE and a security level of NOSECRETS. User PIZ30 is to be allowed to use the
system only on weekdays between the hours of 8:00 A.M. and 6:00 P.M.
Known: User RACFMIN has the SPECIAL attribute. NEWEMPLOYEE has been defined to RACF as
a valid category, and NOSECRETS has been defined as a valid security level. The new
user's name is John Doe. User RACFMIN wants to issue the command as a RACF TSO command.
Command: ADDUSER PIZ30 NAME('JOHN DOE') ADDCATEGORY(NEWEMPLOYEE) SECLEVEL(NOSECRETS)
WHEN(DAYS(WEEKDAYS) TIME(0800:1800))
Defaults: OWNER(RACFMIN) NOGRPACC NOSPECIAL NOOPERATIONS NOAUDITOR NOADSP AUTHORITY(USE)
Example 4
Operation: User TTU01 wants to define user PIZ33 to RACF. User PIZ33 will be the AUDITOR
for the installation, and will have class authority to terminals and tape volumes. User
PIZ33 will not be required to enter a password, but will be identified through an OIDCARD.
Known: User TTU01 has the SPECIAL attribute. User TTU01 is connected to group RESEARCH.
User PIZ33 is not defined to RACF. User TTU01 wants to issue the command as a RACF TSO
command.
Command: Entered in the TSO foreground: ADDUSER PIZ33 NOPASSWORD OIDCARD CLAUTH(TAPEVOL TERMINAL) AUDITOR
User TTU01 is prompted to enter the OIDCARD for PIZ33.
Defaults: NAME(####################) OWNER(TTU01) DFLTGRP(RESEARCH) AUTHORITY(USE)
UACC(NONE) NOGRPACC NOADSP NOSPECIAL NOOPERATIONS
Example 5
Operation: User TTU5 wants to define user RADMIN to RACF. User RADMIN will be a member
of, and be owned by, the SYSINV group and have a model name of RADMIN.RACF.ACCESS.
Known: User TTU5 has at least JOIN authority to group SYSINV and the CLAUTH attribute
for the USER class. User TTU5 wants to issue the command as a RACF TSO command.
Command: ADDUSER RADMIN DFLTGRP(SYSINV) MODEL(RACF.ACCESS) NAME('RACF ADMINISTRATOR')
AUTHORITY(JOIN) ADSP UACC(NONE) OWNER(SYSINV)
Defaults: NOGRPACC NOSPECIAL NOOPERATIONS NOAUDITOR
Example 6
Operation: User KLEWIS wants to define user TBURNS to RACF and assign TSOTEST as the
default group and TSOADMN as the owner of the user profile for TBURNS. The user will be
allowed to use TSO and will be assigned the following TSO logon information:
- Account number 98765T
- Logon procedure TSPROC3
- Default job class Z
- Default message class Q
- Default hold class X
- SYSOUT class W
- Default region size of 2500
- Maximum region size of 15000
Known:
- User KLEWIS has the SPECIAL attribute.
- 98765T has been defined to RACF as a profile in the ACCTNUM general resource class,
and user TBURNS has been given READ access to this profile.
- TSPROC3 has been defined to RACF as a profile in the TSOPROC general resource class,
and user TBURNS has been given READ access to this profile.
- User TBURNS is not defined to RACF.
- User TBURNS's name is T. F. Burns.
- User KLEWIS wants to issue the command as a RACF TSO command.
Command: ADDUSER TBURNS DFLTGRP(TSOTEST) OWNER(TSOADMN) NAME('T.F. BURNS')
TSO(ACCTNUM(98765T) PROC(TSPROC3) JOBCLASS(Z) MSGCLASS(Q) HOLDCLASS(X) SYS(W)
SIZE(2500) MAXSIZE(15000))
Defaults: TSO(NODEST) AUTHORITY(USE) UACC(NONE) NOGRPACC NOADSP NOSPECIAL NOOPERATIONS
NOCLAUTH NOAUDITOR NOOIDCARD
Example 7
Operation: User JSMITH wants to define user WJONES to RACF and assign SYS05 as the default
group and DFPADMN as the owner of the user profile for WJONES. User WJONES is assigned
the following default information to be used by DFP when the user creates a new
DFP-managed data set:
- Data class DFP4DATA
- Management class DFP4MGMT
- Storage class DFP4STOR
- Data application identifier DFP4APPL
Known:
- User JSMITH has the SPECIAL attribute.
- DFP4MGMT has been defined to RACF as a profile in the MGMTCLAS general resource class,
and user WJONES has been given READ access to this profile.
- DFP4STOR has been defined to RACF as a profile in the STORCLAS general resource class,
and user WJONES has been given READ access to this profile.
- User WJONES is not defined to RACF.
- User WJONES's name is W. E. Jones.
- User JSMITH wants to issue the command as a RACF TSO command.
Command: ADDUSER WJONES DFLTGRP(SYS05) OWNER(DFPADMN) NAME('W.E. JONES')
DFP(DATACLAS(DFP4DATA) MGMTCLAS(DFP4MGMT) STORCLAS(DFP4STOR) DATAAPPL(DFP4APPL))
Defaults: AUTHORITY(USE) UACC(NONE) NOGRPACC NOADSP NOSPECIAL NOOPERATIONS NOCLAUTH
NOAUDITOR NOOIDCARD
Example 8
Operation: The system administrator wants to define user DAF0 to RACF with her default
group set to RESEARCH, her primary language set to American English (ENU) and her
secondary language set to German (DEU).
Known: The user's name is D. M. Brown. The profile owner is IBMUSER. The system
administrator has the SPECIAL attribute. User DAF0 will have JOIN authority to group
RESEARCH. The system administrator wants to issue the command as a RACF TSO command.
Command: ADDUSER DAF0 DFLTGRP(RESEARCH) NAME('D. M. BROWN') LANGUAGE(PRIMARY(ENU) SECONDARY(DEU))
OWNER(IBMUSER) AUTHORITY(JOIN)
Defaults: UACC(NONE) NOGRPACC NOADSP NOSPECIAL NOOPERATIONS NOCLAUTH NOAUDITOR NOOIDCARD
Example 9
Operation: A user with SPECIAL authority requests the addition of a new z/OS UNIX user.
Known: The user profile will be owned by the z/OS UNIX administrator's user ID, SYSADM,
and will be a member of the existing group SYSOM, which is associated with a GID. The
user wants to issue the command as a RACF TSO command.
Command: ADDUSER CSMITH DFLTGRP(SYSOM) OWNER(SYSADM) NAME('C.J. SMITH')
OMVS(UID(147483647) HOME(/u/CSMITH) PROGRAM(/bin/sh))
Example 10
Operation: A user with SPECIAL authority requests the addition of a new DCE user.
Known: The user profile is owned by the system administrator's user ID, SYSADM, and is
a member of the existing group SYSOM, which is associated with a GID. This DCE user has
been assigned a DCE UUID of 004386ea-ebb6-1ec3-bcae-10005ac90feb and a DCE principal
name of charlie. This z/OS UNIX DCE user is a principal of the /.../elvis.memphis.ibm.com
DCE cell. The UUID for the /.../elvis.memphis.ibm.com DCE cell is
003456ab-ecb7-7de3-ebda-95531ed63dae.
Command:
ADDUSER CSMITH DFLTGRP(SYSOM) OWNER(SYSADM) NAME('C.J. SMITH')
OMVS(UID(27) HOME(/u/csmith) PROGRAM(/bin/sh))
DCE(UUID(004386ea-ebb6-1ec3-bcae-10005ac90feb) +
DCENAME(charlie) HOMECELL(/.../elvis.memphis.ibm.com) +
HOMEUUID(003456ab-ecb7-7de3-ebda-95531ed63dae))
Defaults: DCE(AUTOLOGIN(NO))
Example 11
Operation: Lotus Notes user RACFADM with SPECIAL or UPDATE authority requests the
addition of a new user with Lotus Notes and NDS information.
Known: The user profile is owned by RACFADM and belongs to RACFADM's current connect
group SYSOM.
Command: ADDUSER PCUSER1 LNOTES(SNAME('NEW-GUY 1')) NDS(UNAME(DIRADMIN))
Defaults: DFLTGRP(SYSOM) OWNER(RACFADM)
Example 12
Operation: User RACFADM with SPECIAL or UPDATE authority requests the addition of a new
z/OS UNIX user. The user specifies AUTOUID so that RACF will automatically assign an
unused UID to the new user.
Known: The user profile is owned by RACFADM and belongs to RACFADM's current connect
group SYSOM. The BPX.NEXT.USER profile in the FACILITY class has been set up to allow
automatic UID assignment.
Command: ADDUSER UNIXUSR OMVS(AUTOUID HOME('/u/unixusr') CPUTIMEMAX(5000) ASSIZEMAX(40000000))
Defaults: DFLTGRP(SYSOM) OWNER(RACFADM)
Example 13
Operation: User RACFADM with SPECIAL or UPDATE authority requests the addition of a new
z/OS UNIX superuser.
Known: The user profile is owned by RACFADM and belongs to RACFADM's current connect
group SYSOM. Shared UIDs are being controlled, and at least one superuser already exists,
so SHARED must be specified.
Command: ADDUSER SUPERGUY OMVS(UID(0) SHARED HOME('/') PROGRAM('/bin/sh')) NOPASSWORD
Defaults: DFLTGRP(SYSOM) OWNER(RACFADM)
Example 14
Operation: User RACFADM with SPECIAL authority adds the user ID PUBLIC and assigns it
restricted access. User IDs RACFU00 and USER004 are added, but are not assigned any
restrictions. In this example, the PUBLIC user ID does not have access to RACFU00's
data sets because it has the RESTRICTED attribute: a RESTRICTED user is not granted
access through a profile's universal access authority, so the UACC(READ) on
'RACFU00.*' does not apply to PUBLIC.
Known: User RACFADM has SPECIAL authority.
Command:
ADDUSER PUBLIC RESTRICTED
ADDUSER RACFU00 NORESTRICTED
ADDUSER USER004
ADDSD 'RACFU00.*' UACC(READ)
Defaults: USER004 has NORESTRICTED access by default.
Example 15
Operation: A user with SPECIAL authority requests the addition of a z/OS Integrated
Security Services Network Authentication Service account within the local realm for a
user whose RACF user profile is RONTOMS. MAXTKTLFE is not specified, so the value
specified on the definition of the local realm KERBDFLT in the REALM class is used.
Note that the user's RACF password must be changed before the definition of the z/OS
Network Authentication Service account is complete.
Known: User RONTOMS wants to define his z/OS Integrated Security Services Network
Authentication Service information.
Command: ADDUSER RONTOMS KERB(KERBNAME('KerberizedUser'))
Example 16
Operation: User RACFADMN issues a command to add a new user MRSERVER with an EIM segment
and LDAP profile that is related to an LDAPBIND class for the specified user to use
with EIM.
Known: eimdomainALookup is a profile in the LDAPBIND class that defines the EIM LDAP
values required for EIM processing.
Command: ADDUSER MRSERVER EIM(LDAPPROF(eimdomainALookup))
Example 17
Operation: User SECADM wants to define a new user ANDREW and add custom field data for
multiple fields.
Known: User SECADM has the SPECIAL attribute. Custom fields called EMPSER, ADDRESS,
PHONE, CODE, and ACTIVE are already defined with attributes that allow the custom data
values specified in the command example. The systems programmer has already rebuilt the
dynamic parse table using the IRRDPI00 UPDATE command.
Command:
ADDUSER ANDREW CSDATA(EMPSER(256400)
ADDRESS('14 Main Street, Anywhere, IL 01234')
PHONE(555-555-5555)
CODE(FC01B2D8)
ACTIVE(NO))