Define the System User ID With UNIXPRIV Profiles

Resource names in the UNIXPRIV class are associated with z/OS UNIX privileges. In order to use authorization to grant z/OS UNIX privileges, you must define profiles in the UNIXPRIV class protecting these resources. The UNIXPRIV class must be active. If you are using RACF, SETROPTS RACLIST must be in effect for the UNIXPRIV class.

To use profiles in the UNIXPRIV class to grant authorization for superuser privileges to a server system ID that does not have superuser authority (UID=0), you must assign:

  • READ access for SUPERUSER.FILESYS.CHOWN
  • CONTROL access for SUPERUSER.FILESYS
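
The RACF commands that correspond to the two assignments above, shown as an added example that is not part of the original page. ISERVR3 is the example ID used later on this page. UACC(NONE) and the choice of discrete profiles are assumptions, and ACF2 or Top Secret sites need their product's equivalents.

```racf
/* Added example: grant the two UNIXPRIV resources to a non-UID-0   */
/* server system ID. ISERVR3 is the page's example ID; substitute   */
/* your own. Issue from a user ID with authority over the class.    */

/* 1. Activate the class and RACLIST it. Skip these two commands    */
/*    if the class is already active and RACLISTed.                 */
SETROPTS CLASSACT(UNIXPRIV)
SETROPTS RACLIST(UNIXPRIV)

/* 2. Define the profiles that protect the two resources.           */
/*    UACC(NONE) is an assumption: no access unless permitted.      */
RDEFINE UNIXPRIV SUPERUSER.FILESYS.CHOWN UACC(NONE)
RDEFINE UNIXPRIV SUPERUSER.FILESYS       UACC(NONE)

/* 3. Permit only the server system ID, at the levels the page      */
/*    lists: READ for CHOWN, CONTROL for FILESYS.                   */
PERMIT SUPERUSER.FILESYS.CHOWN CLASS(UNIXPRIV) ID(ISERVR3) ACCESS(READ)
PERMIT SUPERUSER.FILESYS       CLASS(UNIXPRIV) ID(ISERVR3) ACCESS(CONTROL)

/* 4. Refresh the in-storage profiles so the changes take effect.   */
SETROPTS RACLIST(UNIXPRIV) REFRESH

/* 5. Verify: the class must show as active and RACLISTed, and each */
/*    access list should contain ISERVR3 at the expected level and  */
/*    no unintended users or groups.                                */
SETROPTS LIST
RLIST UNIXPRIV SUPERUSER.FILESYS.CHOWN AUTHUSER
RLIST UNIXPRIV SUPERUSER.FILESYS       AUTHUSER
```

If the profiles already exist at your site, omit step 2 and review the RLIST output before adding the new permits.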

Note:

  • It is strongly recommended that you do not assign TSO privileges to the UNIXPRIV user ID. To do this, specify the NOPASSWORD keyword on the RACF ADDUSER command.

  • The installation routine ISETUP asks for the server system ID (default ISERVER) and checks whether the supplied user ID has a UID of 0. If it does not, UNIXPRIV authorization is assumed. This results in an entry in the ibi/srv93/WFS/bin/edaserve.cfg file as follows:

    server_system_id = ISERVR3/PRIV

    rather than

    server_system_id = ISERVER

If you installed the software with the server system ID pointing to a superuser ID (UID=0), and then decide to use the UNIXPRIV user ID, the value in the edaserve.cfg file must reflect the /PRIV syntax. Edit the file manually or use the WebFOCUS Reporting Server browser interface: click Workspace, then Configuration/Monitor, open the Configuration Files folder, and double-click Workspace. Change the server_system_id value before starting the server.

For more information about UNIXPRIV authorization in:

  • RACF, see the IBM Security Server RACF Security Administrator's Guide.
  • ACF2, see the eTrust CA-ACF2 Security Cookbook.
  • Top Secret, see the eTrust CA-Top Secret Security Cookbook.

System User ID With UNIXPRIV

The server system ID requires different authorities in order to be used with UNIXPRIV. The following RACF example lists the authorities for a server system ID with UNIXPRIV authorization, named ISERVR3. Authorizations for your site may differ.

Occurrences of ISERVR3

In standard access list of general resource profile UNIXMAP U100122

In standard access list of general resource profile TSOAUTH RECOVER

In standard access list of general resource profile TSOAUTH JCL

In standard access list of general resource profile ACCTNUM EDA

In standard access list of general resource profile UNIXPRIV

   SUPERUSER.FILESYS.CHOWN

In standard access list of general resource profile UNIXPRIV

   SUPERUSER.FILESYS

Owner of profile ISERVR3.* (G)

First qualifier of profile ISERVR3.* (G)

In access list of group EDA

User entry exists