A new privilege, the POSIX-ADMINISTRATION privilege, has been introduced for POSIX. Owners of this privilege are referred to as POSIX administrators in this manual, and they have the following tasks and rights:
- administration of the POSIX user attributes of all BS2000 user IDs on all pubsets (see "Assigning POSIX user attributes")
- administration of default values for the POSIX user attributes on all pubsets (see "Defining default values for POSIX user attributes")
The POSIX-ADMINISTRATION privilege is automatically linked to the SYSROOT system ID. This privilege cannot be withdrawn by SYSROOT.
The security administrator (SECURITY-ADMINISTRATION privilege) can also grant the POSIX-ADMINISTRATION privilege to other BS2000 user IDs, and likewise withdraw it. The SECOS software product is required for this process.
SYSROOT is the POSIX counterpart to the system administrator ID root in UNIX systems. SYSROOT is set up following BS2000 system startup and automatically receives the user number 0. No other user ID can be assigned to SYSROOT.
Holders of the USER-ADMINISTRATION privilege also receive authorization to administer the POSIX user attributes. In this instance, they are treated as if they were POSIX administrators.
The authorization of the group administrator of the *UNIVERSAL group is extended to include the POSIX user attributes. When administering the POSIX user attributes on the pubset that he or she manages, this group administrator is treated as if he or she had the USER-ADMINISTRATION privilege. In this case, the restrictions for group administrators within the user’s hierarchy described below do not apply to this group administrator.
Group administrators may also administer POSIX user attributes. However, the following restrictions apply:
- They cannot administer the default values for the POSIX user attributes.
- The type of POSIX user attributes which they can use depends on their authorization (ADM-AUTHORITY).
- The value range of the POSIX user attributes is restricted for group administrators.
- They can only administer the group and subgroup members for whom they are responsible.
The following table gives an overview of the responsibilities and activities associated with POSIX user administration. Note that the administrators require certain privileges. Some functions are performed on the BS2000 level, the shell level, or both.
Function/activity | Privilege | Command, etc. | Enter in | See |
Show POSIX status | SUBSYSTEM-MANAGEMENT | /SHOW-POSIX-STATUS | BS2000 | |
Grant/withdraw the POSIX-ADMINISTRATION privilege | SECURITY-ADMIN. | /SET-PRIVILEGE | BS2000 | "SECOS" [9] manual |
Assign POSIX user attributes | USER-ADMIN. or | /MODIFY-POSIX-USER-ATTRIBUTES | BS2000 | |
Assign an individual user number to a BS2000 user ID | USER-ADMIN. | /MODIFY-POSIX-USER-ATTRIBUTES | BS2000 | |
Administer POSIX groups in BS2000 | USER-ADMIN. or | /MODIFY-POSIX-USER-ATTRIBUTES: | BS2000 | "Administering BS2000 and POSIX groups", |
Administer POSIX groups in POSIX | Root authorization | File /etc/group | POSIX shell | "Administering BS2000 and POSIX groups", |
Add new POSIX users | USER-ADMIN., | /ADD-USER and | BS2000 | |
Define defaults for POSIX user attributes | USER-ADMIN. or | /MODIFY-POSIX-USER-DEFAULTS | BS2000 | |
Assign access permission for users on remote computers | USER-ADMIN. or | /SET-LOGON-PROTECTION | BS2000 | |
Enter account number for system access via a remote computer | USER-ADMIN. or | /ADD-USER | BS2000 | "Entering account numbers for system access via a remote computer" |
Remove POSIX users | POSIX-ADMIN. | /MODIFY-POSIX-USER-ATTRIBUTES | BS2000 | |
Remove POSIX users | Root authorization | rmdir | POSIX shell | |
Show information on entries in the user catalog for one's own user IDs; read user information in a program | STD-PROCESSING | /SHOW-USER-ATTRIBUTES; SRMUINF macro | BS2000 | "SHOW-POSIX-USER-DEFAULTS Display default values for POSIX user attributes" |