GID auto assignment clarification.
search cancel

GID auto assignment clarification.


Article ID: 32790


Updated On:


Top Secret Top Secret - LDAP




Regarding the UNIQUSER() CA Top Secret control option, the documentation states:

Assigns a UID to the signed-on session ACID of any user who logs on to OMVS without an OMVS segment. The assignment is equivalent to the UID being added by the administrator through a TSS command. If you have specified the MODLUSER control option, the ACID also receives OMVS segment information from the ACID specified in the MODLUSER control option. If the DFLTGRP assigned to the session ACID has not been assigned a GID, a GID is automatically assigned to the DFLTGRP.


Regarding the MODLUSER() CA Top Secret control option, the documentation states:

If the session ACID has no DFLTGRP, the MODLUSER DFLTGRP is also copied. If the DFLTGRP GROUP assigned to the session ACID has not been assigned a GID, an automatic GID is assigned to the GROUP.


How does all of this work together? See Instructions: section below.





Effectively, an ACID must have a GROUP and a DFLTGRP assigned to it for the auto assignment work.

If the DFLTGRP doesn't have a GID, the auto assignment will add one.

If the ACID doesn't have a GROUP/DFLTGRP assigned, the OMVS access will fail, but the OMVS segment will be still added. UNIQUSER(ON) MODLUSER(*NONE*)

This is because adding an UID to an acid will create an OMVS segment only containing the UID value. Then the acid will have an OMVS segment with only an UID specified and still no GROUP/DFLTGRP.


The auto assignment uses the next available unique UID or GID unless the default ranges are set in the DFLTRNGU and DFLTRNGG control options. If these are set, the next available unique UID or GID within the range specified in DFLTRNGU and DFLTRNGG, respectively, will be used.


E.g. An ACID has no OMVS segment, but has a group and a default group without a GID() added to it. UNIQUSER(ON) MODLUSER(*NONE*)  

When the ACID will access to OMVS an UID() will be added to it and a GID() will be added to its default group by the auto assignment CA Top Secret feature.

It also means that this ACID will not have an OMVSPGM() specified and will not have a HOME() directory within its OMVS segment.


E.g. An ACID has no OMVS segment, no GROUP, and no DFLTGRP. UNIQUSER(ON) and MODLUSER(OMVSUSR).

ACID OMVSUSR has the following:



TYPE       = USER      SIZE       =      512  BYTES        


CREATED    = 20/03/00  00:00  LAST MOD   = 11/09/15  09:08

GROUPS     = OMVSGRP                                       

DFLTGRP    = OMVSGRP                                       

-----------  SEGMENT OMVS                                  

HOME       = /u/&acid                                      

OMVSPGM    = /bin/sh                                       

UID        = 0099999999                                    


This ACID will inherit the OMVS segment from ACID OMVSUSR, including its GROUP and DFLTGRP. The auto assignment will add a new UID().

The HOME directory will be /u/myacid, the &acid is replaced by the ACID .


E.g. An ACID has no OMVS segment but has a GROUP and DFLGRP without a GID added to it. UNIQUSER(ON) and MODLUSER(OMVSUSR).

This ACID will inherit the OMVS segment from ACID OMVSUSR and keep its own GROUP and DFLTGRP. The auto assignment will add a new UID() to the ACID and will add a GID() to its DFLGRP().

The HOME directory will be /u/myacid (the &acid is replaced by the ACID).                 



Additional Information:


Refer to the CA Top Secret Control Options Guide for additional details about the UNIQUSER and MODLUSER control options.
To remove an entire OMVS segment, issue:
To reset the MODLUSER() control option, issue:


Release: TOPSEC00200-15-Top Secret-Security