Is there is limit on the number of OMVS Groups that a user is connected to within OMVS and as it related to the login?

book

Article ID: 14674

calendar_today

Updated On:

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC CA PanApt CA PanAudit

Issue/Introduction



Is there is limit on the number of OMVS Groups that a user is connected to within OMVS and as it related to the login?

Environment

Release:
Component: ACF2MS

Resolution

According to IBM documentation there is a z/OS UNIX limit of groups to which a used is associated with the processor or user in z/OS UNIX.

"RACF allows you to define and connect a user to more than 300 groups, but when a process is created or z/OS UNIX group information is requested, only up to the first 300 z/OS UNIX groups are associated with the process or user. The first 300 z/OS UNIX groups that have GIDs to which a user is connected are used by z/OS UNIX. LISTUSER displays the groups in the order that RACF examines them when determining which of the user's groups are z/OS UNIX groups" 

ACF2 allows for the specification of a Default GROUP in each user's logonid record in addition to Supplemental Groups: 

Under z/OS UNIX System Services and CA ACF2 , a user is a member of the group defined in the GROUP field of his logonid, and a member of any other group that he has access to through a resource rule. These groups are called supplemental groups and a list of the allowed groups is built for each signon. When group access checks are performed for HFS file access, CA ACF2 compares the GID of the file to the GID of the group defined in the logonid. If those GIDs do not match, CA ACF2 checks to see if the file's GID matches the GID of any of the supplemental groups. If it matches, then CA ACF2 uses the GROUP permissions to determine the user's access to the file. 

The UNIXOPTS GSO record NGROUPS parameter sets the maximum size of the supplemental group list created for each signon. The number of entries is set within the range of 0 through 8192 with 300 being the default. 

Note that the ACF2 NGROUPS Default matches the z/OS UNIX limitation for the number of GROUPS.