This summary presents the steps required by RACF® and related IBM® licensed programs to define users to RACF. Your installation might require
additional steps, depending on your security policy and the products
you have installed.
- Prepare to create the user profile as follows:
- Decide which default connect group to assign to the user. If a
group profile does not yet exist for the group, create the group using
the procedure described in Summary of steps for defining a RACF group.
- Decide which user ID to assign to the user.
- Decide which user or group is to be the owner of the user profile.
(If the owner is a user, give him or her the information needed to
manage the new profile.)
- Decide what initial password to assign to the user. (If you do
not specify a password, the new user's default group name becomes
the new user's initial password. You might prefer to specify a non-trivial
password.)
- Decide if the user should be allowed to use a password phrase
to access the system and if so, choose the user's initial password
phrase.
- Determine if the user's access to the system should be limited
to certain days of the week, hours of the day, or both.
- Decide which user attributes (such as SPECIAL or AUDITOR) the
user should have, and whether the user attributes should be limited
to the scope of a group (group-SPECIAL or group-AUDITOR).
- If security labels are used, decide which security label to assign
to the user.
- Decide whether the user can establish user ID associations to
enable password synchronization and command direction between user
IDs. See The RACF remote sharing facility (RRSF) for more information.
- If DFSMSdss is in use, work with the storage administrator to do the following:
- Determine the initial values in the user's DFP segment.
- Determine which DFP resources the user should have access to.
- Determine which primary and secondary languages the user should
have (if they should be different from the installation defaults set
by the SETROPTS command).
- If you want to authorize the user to establish an extended MCS
console session, work with the system operations planner to determine
the initial values in the user's OPERPARM segment. For more information,
see The OPERPARM segment in user profiles and z/OS MVS Planning: Operations.
- If the user is a CICS® user, work with the CICS administrator to do the following:
- Work with the APPC administrator to do the following:
- Determine the initial values in the user's WORKATTR segment.
- Determine which APPC/MVS resources the user should have access
to.
- Create the user profile. You can use any of the following methods:
Here is an example of using the ADDUSER command to create
a user profile. Suppose you want to create a user profile for user
Steve H., a member of Department A. You want to assign the following
values:
- STEVEH for the user ID
- DEPTA for the default connect group
- DEPTA for the owner of the STEVEH user profile
- R3I5VQX for the initial password
- Steve H. for the user's name
Steve H. does not require any of the user profile segments
except TSO. The TSO segment values that you want to set to start with
are 123456 for the account number and PROC01 for the logon procedure.
To create a user profile with these values, enter:
    ADDUSER STEVEH DFLTGRP(DEPTA) OWNER(DEPTA) NAME('Steve H.')
    PASSWORD(R3I5VQX) TSO(ACCTNUM(123456) PROC(PROC01))
- Create a top generic profile for the user in the DATASET
class using the ADDSD command.
For example, if the user's user ID is STEVEH, enter:
    ADDSD 'STEVEH.**' UACC(NONE)
- If users at your installation manage their own resource profiles,
give them the information they need. For example, they might need
to use portions of z/OS Security Server RACF Command Language Reference.
- If the user is to define general resource profiles (as, for example,
an administrator might), give the user the CLAUTH attribute in the
appropriate classes (for example, the JESSPOOL class) and the information
needed for working with those profiles.
- If needed, give the user access to RACF-protected resources. This
can be done using one or both of the following:
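The following Python sketch is an added example, not IBM code and not part of the procedure above. It reviews a deck of RACF commands for two risks named in the steps: an ADDUSER with no PASSWORD operand (the default group name becomes the initial password) and a user without a top generic DATASET profile defined with UACC(NONE). The JANED user, the sample deck and the function names are constructed for illustration, and the parser assumes one user ID per ADDUSER command.

```python
import re

# Constructed input: the page's STEVEH commands plus a hypothetical user JANED.
SAMPLE = """\
ADDUSER STEVEH DFLTGRP(DEPTA) OWNER(DEPTA) NAME('Steve H.') +
  PASSWORD(R3I5VQX) TSO(ACCTNUM(123456) PROC(PROC01))
ADDSD 'STEVEH.**' UACC(NONE)
ADDUSER JANED DFLTGRP(DEPTA) OWNER(DEPTA) NAME('Jane D.')
ADDSD 'JANED.**' UACC(READ)
"""

def commands(text):
    """Join TSO continuation lines (trailing + or -) into single commands."""
    out, cur = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(("+", "-")):
            cur += line[:-1].rstrip() + " "
            continue
        if (cur + line).strip():
            out.append((cur + line).strip())
        cur = ""
    return out

def operand(cmd, name):
    """Value of the first NAME(value) operand without nested parentheses."""
    m = re.search(r"\b%s\(([^()]*)\)" % name, cmd, re.I)
    return m.group(1).upper() if m else None

def review(text):
    """Return sorted (user ID, finding) pairs for a deck of RACF commands."""
    users, tops, findings = {}, {}, []
    for cmd in commands(text):
        verb, target = (cmd.upper().split() + [""])[:2]
        if verb == "ADDUSER":          # assumes one user ID per ADDUSER
            users[target] = cmd
        elif verb == "ADDSD" and re.fullmatch(r"'[^.']+\.\*\*'", target):
            tops[target[1:-4]] = operand(cmd, "UACC")
    for uid, cmd in users.items():
        pw = operand(cmd, "PASSWORD")
        if pw is None:                 # per the page: group name becomes password
            findings.append((uid, "no PASSWORD operand"))
        elif pw in (uid, operand(cmd, "DFLTGRP")):
            findings.append((uid, "password equals user ID or default group"))
        if uid not in tops:
            findings.append((uid, "no top generic DATASET profile"))
        elif tops[uid] != "NONE":
            findings.append((uid, "top generic profile lacks UACC(NONE)"))
    return sorted(findings)
```

Calling `review(SAMPLE)` reports nothing for STEVEH and two findings for JANED.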