Setting up a user group structure

A user group structure should always be set up to match the existing local conditions. Forming a group must always be planned carefully in order to provide precisely the system environment required by the group members. Only an exact analysis of the group’s requirements can result in a logical and useful security strategy. As a rule, only user IDs and applications whose system requirements are very similar should be combined to form a group. If the requirements of the user IDs and/or applications differ widely, the number of privileges which must be assigned to the group will be greater than is desirable for a secure system.

The following are typical objectives for setting up user groups:

  • combining user IDs and applications according to various criteria (e.g. separation, shared files etc.) on different pubsets

  • defining data access control mechanisms for objects (e.g. files)

  • defining quotas or presettings for the allocation of system functions and system resources

  • defining the organization of user administration.

Pubset-specific setup of a user group structure

User group structures are always set up on a pubset-specific basis, i.e. each pubset has its own user group structure. Each user group created on a pubset is always a subgroup of an already existing user group. This means that user group structures can be set up as single-level or multi-level hierarchies with the *UNIVERSAL user group as the root. The user group structure of a pubset is recorded in the pubset’s user catalog.

The user group structures of different pubsets may be set up according to different criteria. It should be borne in mind, however, that during a BS2000 session, it is always the user group structure of the home pubset which is used as the current user group structure. User group structures on data pubsets should therefore be set up with an eye to the management of pubset-specific attributes.

Pubset-specific organization of user administration

The user group structure of a pubset is used for the management of the user groups and user IDs of that pubset. The user group structure that exists on the home pubset is always the current group structure. User group structures on data pubsets need not be set up unless standby pubsets are to be maintained or pubset-specific attributes are to be managed.

System access control for user IDs during a BS2000 session

When setting up the user group structure on the pubset to be used as the home pubset, the group potentials and the assignment of user IDs to the user groups on these pubsets should be geared to the requirements of the users and applications involved.

During LOGON validation, the entry for the user ID on the home pubset of the current BS2000 session is checked. When system access is granted, those attributes defined for the user ID on the home pubset take effect. Consequently, when another pubset becomes the home pubset, it is possible that the same user ID may be assigned different attributes or even that a different LOGON access control may take effect. This means that it is the entry for a user ID on the home pubset that uniquely defines the user ID, i.e. that the same name for a user ID on different home pubsets may refer to different user IDs.

Data access control for system-specific objects

The user group structure of the current home pubset is used for data access control, in particular to ascertain which group a user ID is a member of or which group a user group is a subgroup of before granting access to files or job variables or system-specific objects (e.g. memory pools).

Pubset-specific definition of available disk storage space

The characteristics of the group potential PUBLIC-SPACE-LIMIT and PUBLIC-SPACE-EXCESS define the limits within which a user ID is authorized to create files on this pubset. When files and job variables are to be created on a pubset, the appropriate attributes of the user ID of the specified name on this pubset are evaluated. This may cause the creation request for a file/job variable to be rejected.

Assignment of access rights for user IDs regulating access to files or job variables

The assignment of access rights for user IDs which regulate their access to files or job variables is always determined by the user group on the home pubset of the current BS2000 session of which a user ID is a member.

Summary

The user group structure of the home pubset is used for checking access to files or job variables. This is the user group structure that is generally valid for the current BS2000 session.

Additional user group structures may be set up on data pubsets for administrative purposes, i.e. to manage pubset-specific attributes and to create and maintain pubsets to be used as home pubsets (standby pubsets).
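As an added illustration (a Python model written for this page, not BS2000 code and not from this manual), the following shows the two rules summarized above: LOGON, group membership and data access follow the user ID's entry on the home pubset, while file creation is judged against the user entry and PUBLIC-SPACE-LIMIT on the target pubset. The pubsets, group names, the user ID ALICE and the space figures are constructed.

```python
from dataclasses import dataclass, field
UNIVERSAL = "*UNIVERSAL"   # root of every pubset's group hierarchy

@dataclass
class UserEntry:
    group: str               # user group the user ID belongs to on this pubset
    space_limit: int         # PUBLIC-SPACE-LIMIT (constructed units)
    space_used: int = 0

@dataclass
class Pubset:
    groups: dict = field(default_factory=lambda: {UNIVERSAL: None})  # group -> parent
    users: dict = field(default_factory=dict)                         # userid -> UserEntry

    def add_group(self, name, parent=UNIVERSAL):
        # every new group is a subgroup of a group that already exists on this pubset
        if parent not in self.groups:
            raise ValueError(f"superordinate group {parent} does not exist")
        self.groups[name] = parent

    def ancestors(self, group):
        chain = []               # the group itself, then its superordinate groups up to *UNIVERSAL
        while group is not None:
            chain.append(group)
            group = self.groups[group]
        return chain

def session_group(home, userid):
    """LOGON: only the entry on the home pubset defines the user ID and its group."""
    entry = home.users.get(userid)
    return entry.group if entry else None

def may_access(home, userid, required_group):
    """Data access is decided via group membership on the current home pubset."""
    group = session_group(home, userid)
    return group is not None and required_group in home.ancestors(group)

def may_create_file(target, userid, size):
    """File creation is judged against the user entry on the target pubset itself."""
    entry = target.users.get(userid)
    return entry is not None and entry.space_used + size <= entry.space_limit

def build_example():
    # constructed sample: the same user ID name exists on two pubsets with different attributes
    home = Pubset(); home.add_group("DEVEL"); home.add_group("DEV-TEST", "DEVEL")
    home.users["ALICE"] = UserEntry(group="DEV-TEST", space_limit=100)
    data = Pubset(); data.add_group("ARCHIVE")
    data.users["ALICE"] = UserEntry(group="ARCHIVE", space_limit=10, space_used=5)
    return home, data
```

With HOME as the home pubset, ALICE is a member of DEV-TEST (and thus of DEVEL); if DATA were the home pubset instead, the same name would resolve to a different user ID in group ARCHIVE, while file creation on DATA is always limited by the DATA entry.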

Designation/dismissal of group administrators

A global user administrator or a superordinate group administrator can designate a user ID ’userid’ as the group administrator with the command:

/add-user-group ..., group-administrator=userid [,adm-authority=...]

or

/modify-user-group ...,group-administrator=userid [,adm-authority=...]

In an existing group, a different user ID is designated as the group administrator with the command

/modify-user-group ...,group-administrator=userid

The group administrator of an existing group is dismissed with the command

/modify-user-group ...,group-administrator=*none