Global user administration (USER-ADMINISTRATION)

Global user administration is authorized to perform user and user group management actions on any local pubset and for any user or user group. There are no restrictions on the allocation of resources or the assignment of privileges (such as START-IMMEDIATE, NO-CPU-LIMIT, ...) to user IDs and user groups.

For the POSIX user attributes, all functions of POSIX user administration may be executed.

Upon delivery, the privilege USER-ADMINISTRATION is assigned to the user ID TSOS. The security administrator may assign it to any other user ID (except his/her own).

The following facilities are available to the user administration:

  • the program interfaces SRMUINF (SVC 185), GETUGR and SRMSUG (SVC 49) for all user IDs, groups and pubsets

  • the following commands for all user IDs or user groups and all pubsets:

    ADD-USER

    ADD-USER-GROUP

    MODIFY-USER-ATTRIBUTES

    MODIFY-USER-GROUP

    REMOVE-USER

    REMOVE-USER-GROUP

    LOCK-USER

    UNLOCK-USER

    SHOW-USER-GROUP

    SHOW-USER-ATTRIBUTES

    MODIFY-POSIX-USER-ATTRIBUTES

    SHOW-POSIX-USER-ATTRIBUTES

    SET-LOGON-PROTECTION

    MODIFY-POSIX-USER-DEFAULTS

    MODIFY-LOGON-PROTECTION

    SHOW-POSIX-USER-DEFAULTS

    SHOW-LOGON-PROTECTION



The user catalog of a pubset is opened when the pubset is imported and remains open until the pubset is exported. Users therefore have no direct access to the user catalog (i.e. access via interfaces other than the ones listed above).

No user ID may simultaneously possess both the USER-ADMINISTRATION privilege and the group administrator privilege for one and the same pubset. It is, however, permissible for a user ID to act as a global user administrator (i.e. possess the USER-ADMINISTRATION privilege on the home pubset) and as a group administrator on an imported pubset.

Since any user ID possessing the USER-ADMINISTRATION privilege is authorized to define system access control for all user IDs of the system, it is in a position to access any other user ID, in particular the privileged ones (e.g. the user ID of the security administrator). This means that such a user ID would be able to perform functions for which it has not been authorized, since they do not fall within the scope of the user administrator functions. In cases like this, monitoring by means of SAT logging is particularly useful (see the “SECOS - Security Control System - Audit” manual [1]).
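
The monitoring idea from the paragraph above, as an added example (not part of the manual or of SECOS): a Python filter over audit records that flags access-changing commands issued by a USER-ADMINISTRATION holder against a privileged user ID. The one-line record layout, the user IDs other than TSOS and the choice of watched commands are assumptions made for illustration; this is not SAT's native record format.

```python
from dataclasses import dataclass

# Commands from the page's list that can change how a user ID is accessed.
# Watching exactly these four is an assumption of this example.
ACCESS_CHANGING = {"SET-LOGON-PROTECTION", "MODIFY-LOGON-PROTECTION",
                   "MODIFY-USER-ATTRIBUTES", "UNLOCK-USER"}

# Constructed sample: "<time> <issuer> <command> <target>" (hypothetical layout).
SAMPLE = """\
2024-05-02T09:14:03 TSOS ADD-USER APPUSR01
2024-05-02T09:20:41 USRADM1 MODIFY-LOGON-PROTECTION SECADM1
2024-05-02T09:21:10 USRADM1 SHOW-USER-ATTRIBUTES SECADM1
2024-05-02T09:25:57 USRADM1 MODIFY-LOGON-PROTECTION APPUSR01
2024-05-02T09:31:12 APPUSR01 MODIFY-LOGON-PROTECTION SECADM1
2024-05-02T09:40:00 TSOS UNLOCK-USER SECADM1
"""

@dataclass(frozen=True)
class Event:
    time: str
    issuer: str
    command: str
    target: str

def parse(line):
    """Parse one constructed audit line; reject anything malformed."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"malformed audit line: {line!r}")
    return Event(*parts)

def flag(events, user_admins, privileged):
    """Events where a USER-ADMINISTRATION holder changes access to a
    privileged user ID other than its own."""
    return [e for e in events
            if e.issuer in user_admins
            and e.command in ACCESS_CHANGING
            and e.target in privileged
            and e.target != e.issuer]

def run_sample():
    events = [parse(l) for l in SAMPLE.splitlines() if l.strip()]
    # Constructed privilege inventory: TSOS holds USER-ADMINISTRATION on
    # delivery (per the page); USRADM1 and SECADM1 are made-up user IDs.
    return flag(events, user_admins={"TSOS", "USRADM1"},
                privileged={"TSOS", "SECADM1"})

if __name__ == "__main__":
    for e in run_sample():
        print(f"{e.time} REVIEW {e.issuer} ran {e.command} on {e.target}")
```

Read-only commands such as SHOW-USER-ATTRIBUTES and changes to unprivileged user IDs are deliberately not flagged, which keeps the review queue limited to the case the paragraph describes.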

The privilege “global user administration” is referred to as USER-ADMINISTRATION in commands and messages and as USERADM in macros.