USS GROUP Processing In Top Secret


Article ID: 241769


Products

Top Secret

Issue/Introduction

How do type GROUP ACIDs work in Top Secret? Is it similar to the GRPLIST in RACF? A DFLTGRP is required for any ACID accessing USS and this default group must also be specified as a GROUP for the ACID. What is the purpose of adding more than one GROUP to an ACID? Does the order matter with multiple groups?

Environment

Release : 16.0

Component : Top Secret for z/OS

Resolution

Top Secret behaves as if RACF list-of-groups checking (GRPLIST) is active. Supplementary groups take part in the check as long as they have a GID assigned (IBM recommends that every group have a GID). If the Top Secret ACID has multiple groups, authority checks for access to z/OS UNIX files and directories use the GID of the user's current connect group plus up to 300 supplementary groups.

For example, an ACID has 2 groups, OMVSGRP and TESTGRP. The ACID has a non-zero UID and that UID is not the owner of the file. Access is attempted to the following file:

----rwx---  --s-  2 USER1     TESTGRP     4347 May  7  2018 test

Even if the ACID signs on with a current group of OMVSGRP, which has no permissions on the file, the ACID is still allowed to access the file because the ACID also has TESTGRP, which is the owning group of the file and has read, write, and execute access. The order of the groups on the ACID does not matter.

NOTE: The permission bits for group take priority over the bits for other, and the bits for user (owner) take priority over both; only the first matching class is consulted. If the ACID above were OMVS (the owner of the file), access would be denied because the owner's permission bits are 000, which allow no access at all.
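The following is an added example, not part of the Broadcom article and not Top Secret's own code: it models the access decision described in the example and the NOTE above, selecting the owner, group, or other class with list-of-groups semantics. The ACID and file names come from the article; the function names, the UID values, and the second ACID used for the owner case are constructed for illustration.

```python
# Constructed model of the z/OS UNIX permission decision with
# list-of-groups (GRPLIST-style) semantics. Not vendor code.
from dataclasses import dataclass, field


@dataclass
class FileEntry:
    owner: str   # owning user name as shown by ls
    group: str   # owning group name as shown by ls
    mode: str    # nine permission characters, e.g. "---rwx---"


@dataclass
class Acid:
    name: str
    uid: int                  # non-zero in the article's scenario
    current_group: str        # group the ACID signed on with
    supplementary_groups: list = field(default_factory=list)


def parse_ls_line(line: str) -> FileEntry:
    """Parse a z/OS 'ls -l' line with the extended-attribute column:
    mode, ext-attrs, links, owner, group, size, date..., name."""
    parts = line.split()
    return FileEntry(owner=parts[3], group=parts[4], mode=parts[0][1:10])


def has_access(acid: Acid, entry: FileEntry, requested: str) -> bool:
    """requested is a subset of 'rwx'. Exactly one permission class is
    consulted: owner if the caller owns the file, else group if ANY of the
    caller's groups (current or supplementary, order irrelevant) owns the
    file, else other. An owner with 000 bits is denied even if a group
    it belongs to has rwx, which is the NOTE's point."""
    if acid.uid == 0:
        return True                      # UID 0 bypasses permission bits
    if acid.name == entry.owner:
        bits = entry.mode[0:3]           # user (owner) class
    elif entry.group in [acid.current_group, *acid.supplementary_groups]:
        bits = entry.mode[3:6]           # group class
    else:
        bits = entry.mode[6:9]           # other class
    return all(ch in bits for ch in requested)


# Constructed input: the listing from the article.
SAMPLE_LINE = "----rwx---  --s-  2 USER1     TESTGRP     4347 May  7  2018 test"

if __name__ == "__main__":
    f = parse_ls_line(SAMPLE_LINE)
    acid = Acid("USER2", 1234, "OMVSGRP", ["TESTGRP"])
    print("non-owner signed on as OMVSGRP:", has_access(acid, f, "rwx"))
    print("owner USER1:", has_access(Acid("USER1", 99, "TESTGRP"), f, "r"))
```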