How Do TSS Control Options UNIQUSER And MODLUSER Operate?

book

Article ID: 48880

calendar_today

Updated On:

Products

CA Cleanup CA Datacom - DB CA Datacom CA Datacom - AD CA Datacom - Server CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA Datacom/AD CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware CA Top Secret CA Top Secret - LDAP CA Top Secret - VSE

Issue/Introduction

Description:

If the model user has no UID, does the automatic UID assignment work if UNIQUSER is ON?

If the answer is YES, is the UID on model user necessary?

Regarding MODLUSER(acid), should the ACID be given the fields UID, HOME, OMVSPGM, OECPUTM,PROCUSER, ASSIZE,THREADS,MMAPAREA,MEMLIMIT, and SHMEMMAX?

Solution:

This process hinges on the MODLUSER, UNIQUSER, DFLTRNGU and DFLTRNGG Control Options.

UNIQUSER determines whether or not a unique UID/GID is assigned to users who attempt to sign into USS without USS credentials. If set to ON then a UID should be assigned and the other attributes from the model acid copied.

MODLUSER defines the model acid containing the OMVS attributes to be modeled.

DFLTRNGU(xxx,yyy) defines the range of the UID numbers assigned to the acid. f no range is defined the default is from 1 to 2,147,483,647

DFLTRNGG(xxx,yyy) defines the range of the GID numbers assigned to the group acid. If no range is defined the default is from 1 to 2,147,483,647

The algorithm is that the next available UID/GID within the specified range is chosen.

In other words:

With UNIQUSER set a user will be assigned a new UID according to the range specified in DFLTRNGU at entry into USS aslong as the model user is set up with the MODLUSER Control Option. The UID does not need to be set to UID(?) for the MODLUSER acid, any value for UID on the model user is sufficient. In fact, no UID is required on the model acid at all.

As long as UNIQUSER and MODLUSER are set the UID will be assigned.

As for the group/gid, a group and dfltgrp must be assigned to the acid prior to logging into uss. If a user signs on with a group that has no assigned GID then a unique one will be assigned as long as UNIQUSER is set. As expected, the GID will be chosen based upon the DFLTRNGG Control Option.

Top Secret will not create or assign a group to the acid signing into USS either as a GROUP or DFLTGRP.

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component: