Security administrator
The security administrator manages the global privileges and controls user administration by designating and dismissing global user administrators, i.e. by assigning individual user IDs the global privilege USER-ADMINISTRATION and withdrawing this privilege. Upon delivery, the privilege SECURITY-ADMINISTRATION is assigned to the user ID SYSPRIV created during first start. The security administrator is the highest-ranking entity for user administration; however, he/she cannot perform any user administration functions.
Global user administration
Global user administration encompasses all global user administrators, i.e. all user IDs to whom the security administrator assigned the global privilege USER-ADMINISTRATION. The global user administrators are authorized to perform privileged user administration functions in that they are entitled to manage all user IDs and user groups on all pubsets, i.e. to
create, modify or delete user IDs and user groups
designate, replace or dismiss group administrators
allocate resources and assign user rights to individual user IDs and user groups and withdraw them again.
Global user administration takes precedence over group-specific user administration (see below). In particular, it is authorized to allocate resources and assign user rights to user IDs and user groups in addition to the existing group potential (see "User groups"). In this context, it is subject to no restrictions other than the physical constraints of the operating system (e.g. maximum of 32,767 group members).
Group-specific user administration (group administrators)
See "User groups".
Designation/dismissal of global user administrators
The security administrator assigns the global privilege USER-ADMINISTRATION to a user ID ’userid’ by means of the following command:
/set-privilege user-id=userid,privilege=user-administration,pubset=...
The user ID ’userid’ is thus designated as the global user administrator. The following command serves to withdraw the global privilege USER-ADMINISTRATION from the user ID ’userid’:
/reset-privilege user-id=userid,privilege=user-administration,pubset=...
The user ID ’userid’ is thus dismissed as the global user administrator.
Notes on global user administrators:
The global privilege USER-ADMINISTRATION may be recorded on more than one pubset but it does not become effective unless it is recorded on the home pubset of the current BS2000 session.
Example
The global privilege USER-ADMINISTRATION is recorded for the user ID ’uid1’ on pubset A but not on pubset B. The system was started with pubset B as the home pubset. The result is that user ID ’uid1’ does not possess the global privilege USER-ADMINISTRATION for this BS2000 session.
The global privilege USER-ADMINISTRATION authorizes any global user administrator to manage all user groups on all pubsets.
A global user administrator cannot be designated as the group administrator of a user group because a user administrator by definition has more privileges than a group administrator.
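The home pubset rule in the notes above means that a record on a non-home pubset has no effect in the current session but takes effect as soon as the system is started with that pubset as the home pubset. The following Python sketch is an added example, not part of the product or its documentation; it audits an inventory of privilege records for that situation. The record format, the sample data (including the third pubset C and the user IDs uid2 and uid3) and all function names are assumptions made for illustration.

```python
# Added illustration: models the home-pubset rule from the notes above.
# The record format and sample data are constructed, not BS2000 output.
from collections import defaultdict

PRIVILEGE = "USER-ADMINISTRATION"

# Constructed inventory: one "pubset user-id privilege" record per line.
SAMPLE_RECORDS = """\
A uid1 USER-ADMINISTRATION
A uid2 USER-ADMINISTRATION
B uid2 USER-ADMINISTRATION
B SYSPRIV SECURITY-ADMINISTRATION
C uid3 USER-ADMINISTRATION
"""

def parse_records(text):
    """Return {pubset: set of user IDs with USER-ADMINISTRATION recorded}."""
    recorded = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        pubset, user_id, privilege = line.split()
        recorded[pubset]  # keep pubsets that hold no matching record
        if privilege == PRIVILEGE:
            recorded[pubset].add(user_id)
    return dict(recorded)

def effective_admins(recorded, home_pubset):
    """Only records on the session's home pubset take effect."""
    return set(recorded.get(home_pubset, ()))

def dormant_records(recorded, home_pubset):
    """User IDs recorded only on non-home pubsets, with those pubsets."""
    effective = effective_admins(recorded, home_pubset)
    dormant = defaultdict(list)
    for pubset, users in recorded.items():
        if pubset != home_pubset:
            for user_id in users - effective:
                dormant[user_id].append(pubset)
    return {u: sorted(p) for u, p in dormant.items()}

def what_if(recorded):
    """Effective global user administrators for each possible home pubset."""
    return {p: sorted(effective_admins(recorded, p)) for p in sorted(recorded)}

if __name__ == "__main__":
    inventory = parse_records(SAMPLE_RECORDS)
    print("home B, effective:", sorted(effective_admins(inventory, "B")))
    print("home B, dormant:  ", dormant_records(inventory, "B"))
    print("per home pubset:  ", what_if(inventory))
```

With pubset B as the home pubset, uid1 appears as dormant, which matches the example in the notes; reviewing the per-pubset view covers every pubset that could serve as the home pubset, not only the current one.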