Defining users and default groups assigned to server and controller

Users assigned to run the server or the daily planning batch job in the end-to-end with fault tolerance capabilities environment must have access to Unix System Services (USS). You can use RACF® commands to define users to Unix System Services. The USS attributes are kept in the OMVS segment of a user's profile and can be specified in addition to other existing attributes.

To use USS, a user must be defined with the following USS attributes:
  • User identifier (UID) in his user profile
  • Group identifier (GID) in the group profile of his default group

All users defined to access USS must have a UID and a GID, regardless of whether they run the server or the daily planning batch job. An incorrect definition of a user on RACF® might cause serious errors and unpredictable behavior in the system.

The RACF® documentation provides the following guidelines to define users and groups for access to USS:
  • Assign a UID equal to zero to only one user. You might choose to assign the UID with value 0 to multiple RACF® user IDs. However, you should seek to minimize the attribution of superuser authority in your installation. You can accomplish this by setting USS user limits, and by managing superuser privileges through UNIXPRIV profiles.
  • Although the same GID can be assigned to multiple RACF® groups, this is not recommended. If you assign the same GID to multiple groups, control at the individual group level is lost because the GID is used in USS security checks. RACF® groups having the same GID are treated as a single group during USS security checks.
  • RACF® does not require the UID to be unique. The same value can be assigned to multiple users but this is not recommended because individual user control would be lost. However, if you want a set of users to have exactly the same access to the OpenEdition resources, you might decide to assign the same UID to more than one user. Users with the same UID assignment are treated as a single user during USS security checks.

To avoid problems on Unix System Services (and consequently on IBM Z Workload Scheduler) when assigning a user identifier to a user, make sure that the user's default group also has an assigned group identifier. A user with a UID and a GID for its default group can use Unix System Services functions and access USS files based on the assigned UID and GID values. If no UID and GID are available as described, the user has no access to USS functions.
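
The guidelines above can be checked mechanically against an inventory of OMVS attributes. The following is an added example, not part of the product or RACF® documentation: it assumes the inventory lists only users who are meant to access USS, and all user IDs, group names, and UID/GID values are constructed sample data.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical names, not from a real system).
# users: user ID -> (UID from the OMVS segment or None, default group)
USERS = {
    "TWSSRV":  (1001, "TWSGRP"),
    "TWSPLAN": (1002, "BATCHGRP"),   # default group has no GID
    "OPER1":   (0, "SYSGRP"),
    "OPER2":   (0, "SYSGRP"),        # second user with UID 0
    "DEV1":    (2001, "DEVA"),
    "DEV2":    (2001, "DEVB"),       # shares a UID with DEV1
    "NOUSS":   (None, "DEVA"),       # no UID: no access to USS functions
}
# groups: group name -> GID from the OMVS segment or None
GROUPS = {"TWSGRP": 500, "BATCHGRP": None, "SYSGRP": 1, "DEVA": 600, "DEVB": 600}


def audit(users, groups):
    """Return a sorted list of (finding, names) tuples for the guidelines."""
    findings = []
    by_uid, by_gid = defaultdict(list), defaultdict(list)
    for name, (uid, dflt) in users.items():
        if uid is None:
            findings.append(("NO_UID", (name,)))
            continue
        by_uid[uid].append(name)
        # A UID alone is not enough: the default group needs a GID too.
        if groups.get(dflt) is None:
            findings.append(("DEFAULT_GROUP_NO_GID", (name, dflt)))
    for gname, gid in groups.items():
        if gid is not None:
            by_gid[gid].append(gname)
    # Users sharing a UID are one user to USS security checks.
    for uid, names in by_uid.items():
        if len(names) > 1:
            kind = "MULTIPLE_UID_0" if uid == 0 else "SHARED_UID"
            findings.append((kind, tuple(sorted(names))))
    # Groups sharing a GID are one group to USS security checks.
    for gid, names in by_gid.items():
        if len(names) > 1:
            findings.append(("SHARED_GID", tuple(sorted(names))))
    return sorted(findings)


if __name__ == "__main__":
    for kind, names in audit(USERS, GROUPS):
        print(f"{kind}: {', '.join(names)}")
```

A SHARED_UID finding is not necessarily an error, because the guidelines allow a deliberate shared UID for users who need identical access; it marks a place where individual user control is lost and should be a conscious decision.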