Description:
The RACF UNIXPRIV class lets a site enforce unique UNIX identifiers (UIDs and GIDs) by defining a profile named SHARED.IDS in the UNIXPRIV class.
Once the SHARED.IDS profile is defined, RACF rejects an attempt to assign a UID or GID that is already in use by another user or group; the profile is also a prerequisite for RACF's automatic assignment of unique UNIX identities. If an exception is required and a shared ID must be created (as might be the case for UID 0), the SHARED operand must be specified when the OMVS segment of the user or group is added or modified. To specify the SHARED operand, the administrator must have the SPECIAL attribute or at least READ authority to the SHARED.IDS profile in the UNIXPRIV class.
Solution:
The ACF2 equivalent of the RACF UNIXPRIV class SHARED.IDS profile for enforcing unique UNIX identifiers (UID and GID) is implemented with the UNIQUSER|NOUNIQUSER field of the ACF2 GSO UNIXOPTS record together with the GSO AUTOIDOM record.
The GSO UNIXOPTS UNIQUSER|NOUNIQUSER field:
"Specifies whether the BPX.UNIQUE.USER profile is active. If UNIQUSER is active and GSO AUTOIDOM is active and is set to auto-assign UIDs and GIDs, new OMVS profile records are automatically generated with UIDs and GIDs when users access OMVS services."
The GSO AUTOIDOM record:
"The AUTOIDOM record defines options for the automatic assignment of UID and GID values for PROFILE(USER),DIV(OMVS), and PROFILE(GROUP),DIV(OMVS) records."
When UNIQUSER is set in the GSO UNIXOPTS record and the ASSIGNU and ASSIGNG fields are set in the GSO AUTOIDOM record, ACF2 auto-assigns UIDs and GIDs and enforces their uniqueness on automatic assignment. Note that an ACF2 administrator with the SECURITY and ACCOUNT privileges can still explicitly assign a non-unique UID or GID as an exception; the record is inserted and a warning message is issued.
Manual explicit assignment of a non-unique UID by such an ACF2 security administrator succeeds and issues the following warning message:
ACF6D085 UID is not unique - record INSERTED
Auto-assignment never produces a non-unique UID; when no unused value remains in the configured range, auto-assignment fails with the following error message:
ACF0A064 Automatic UID assignment is not possible. There are no more values available
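The following command sequence is added here as an illustration of the settings described above; it is not taken from the STIG text or from the CA ACF2 documentation. It applies UNIQUSER and AUTOIDOM from the TSO ACF command, lists the records back for verification, refreshes them from the operator console, and then walks the documented exception path by explicitly inserting UID 0 for a user. The UID/GID range values, the user ID TESTUSR and its HOME/OMVSPGM values are assumptions; the UIDSTART/UIDEND/GIDSTART/GIDEND field names should be confirmed against the r15 Administration Guide before use. Lines beginning with * are explanatory annotations and are not entered.

```text
ACF
SET CONTROL(GSO)
* Activate BPX.UNIQUE.USER support (use INSERT instead of CHANGE if the
* UNIXOPTS record does not exist yet)
CHANGE UNIXOPTS UNIQUSER
* Enable automatic UID and GID assignment; the ranges are assumed examples
* (use CHANGE instead of INSERT if an AUTOIDOM record already exists)
INSERT AUTOIDOM ASSIGNU ASSIGNG UIDSTART(10000) UIDEND(99999) GIDSTART(10000) GIDEND(99999)
* Verify that both records now show the intended settings
LIST UNIXOPTS
LIST AUTOIDOM
END
* Operator console commands: make the changed GSO records active
F ACF2,REFRESH(UNIXOPTS)
F ACF2,REFRESH(AUTOIDOM)
* Exception path: explicit UID 0 for an assumed account TESTUSR;
* requires the SECURITY and ACCOUNT privileges
ACF
SET PROFILE(USER) DIVISION(OMVS)
INSERT TESTUSR UID(0) HOME(/) OMVSPGM(/bin/sh)
END
```

The final INSERT is the exception case: it completes, but ACF2 issues the ACF6D085 warning quoted above, which is the audit trail a reviewer should expect to find for every shared ID. After the refresh, any user who first touches OMVS services without an OMVS profile record receives a UID from the configured range rather than a duplicate, and ACF0A064 indicates that the range has been exhausted and needs widening.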
Details on the ACF2 GSO UNIXOPTS record can be found in the r15 CA ACF2 for z/OS Administration Guide in Chapter 14: Maintaining Global System Options Records, in the section 'UNIX System Services Options (UNIXOPTS)'.
Details on the ACF2 GSO AUTOIDOM record can be found in the r15 CA ACF2 for z/OS Administration Guide in Chapter 14: Maintaining Global System Options Records, in the section 'Automatic UID/GID Assignment Options (AUTOIDOM)'.