SRPM includes commands which permit user IDs to be explicitly combined in user groups. Any user ID that is not explicitly assigned to a defined user group is automatically a member of the default user group *UNIVERSAL.
Whenever objects are accessed, it is the group structure on the home pubset that is used to ascertain the group membership. Pubset-specific group structures (i.e. group structures on pubsets other than the home pubset) are set up for administrative purposes only (see "Restricting utilization of users' resources").
Definition of user groups
A BS2000 user group is a combination of BS2000 user IDs. Each user group is identified by a name, the group ID. The group ID is recorded in the user catalog of a pubset. Any one user group may be entered on more than one pubset with different attributes. Note, however, that access authorizations are always checked against the group structure on the home pubset. The following data referring to a user group is entered in the user catalog:
group description data (group ID, position within the group structure on that pubset, group administrator). A group prefix can be specified for each group. This restricts the name selection possibilities insofar as the names of all subgroups of this group must begin with the specified prefix. In this manner, it is possible to position a group within a hierarchy with the aid of its name.
group members (user IDs assigned to a user group). Just as for the group, it is possible to specify that the names of the group members must begin with a specific prefix. When the group administrator is nominated, the name prefixes he/she may assign are defined.
group potential (resources and rights assigned to a user group that can be passed on to the members of that group or any subordinate user group).
The group potential is subdivided into:
- elements that are subject to booking:
  - maximum number of subgroups of a user group (MAX-SUB-GROUPS)
  - maximum number of members of a user group and its subgroups (MAX-GROUP-MEMBERS)
- elements that are not subject to booking:
  - group administrator privilege (ADM-AUTHORITY) with its variants MANAGE-RESOURCES, MANAGE-MEMBERS, MANAGE-GROUPS
  - account numbers (ADD-ACCOUNT) with potential resources for:
    - CPU limit (CPU-LIMIT, NO-CPU-LIMIT)
    - spoolout class (SPOOLOUT-CLASS)
    - permissible run priority (MAX-ALLOWED-PRIORITY)
    - permissible task category (MAX-ALLOWED-CATEGORY)
    - scheduling priority (START-IMMEDIATE)
    - task (de)activation (INHIBIT-DEACTIVATION)
  - creation of user-specific accounting records (MAX-ACCOUNT-RECORDS)
  - exceeding the PUBLIC-SPACE-LIMIT (PUBLIC-SPACE-EXCESS)
  - maximum public space (PUBLIC-SPACE-LIMIT)
  - magnetic tape access (TAPE-ACCESS)
  - file auditing (FILE-AUDIT)
  - use of memory pool protection (CSTMP-MACRO)
  - test privileges (TEST-OPTIONS)
  - use of BS2000 profiles (ADD-PROFILE-ID)
  - available address space (ADDRESS-SPACE-LIMIT)
  - number of resident memory pages (RESIDENT-PAGES)
  - number of creatable files (FILE-NUMBER-LIMIT)
  - permitted number of job variables (JV-NUMBER-LIMIT)
  - maximum temporary storage space (TEMP-SPACE-LIMIT)
Example: Output of the attributes of a user group (the output listing of this example is not reproduced on this page)
The root of the group structure: *UNIVERSAL
The user group *UNIVERSAL is automatically created on the home pubset at first startup. It is the root of the group structure on this pubset. After the first startup, the user group *UNIVERSAL contains all the user IDs created by the operating system. None of the restrictions governing the group administrator privilege and the group potential apply to this user group except those imposed by physical constraints.
The user group *UNIVERSAL has no implicitly defined group administrator; i.e. the group administrator, if desired, must be defined explicitly. The group administrator privilege of the user group *UNIVERSAL is always MANAGE-GROUPS and its group administrator can therefore manage all user IDs and user groups on the corresponding pubset.
Example: Attributes of the user group *UNIVERSAL with group administrator and one subgroup (the output listing of this example is not reproduced on this page)
When a new pubset is created and added to the system, the user group *UNIVERSAL is created on the new pubset as well. The user IDs listed above are again assigned to that user group.
Subgroups
All other user groups must be created explicitly. Any user group other than *UNIVERSAL is always a subgroup of an already existing user group (e.g. *UNIVERSAL) and may itself have other subgroups, i.e. a group structure may form a hierarchy.
Group structure
Each group structure is pubset-specific and is stored in the user catalog of the pubset on which it is created. The group structure of the home pubset is used to ascertain the group membership of any user ID that requests access to either system-specific objects (e.g. memory pools) or pubset-specific objects (files, job variables).
Group members
Each user ID is assigned as a member of one – and only one – user group. A user group may have zero, one or more group members (i.e. user IDs). The members of subgroups are not regarded as members of the higher-ranking group.
Group administrators
Group-specific user administration is performed by the group administrators. Group administrators are user IDs for which the group administrator privilege has been entered in the group potential of their user group. Group administrators can be designated or dismissed only by global user administrators or by the group administrator of a user group that, according to the defined group structure, is superordinate to the user group being administered.
The group administrator privilege is part of the potential rights belonging to the user group and can be assigned to only one user ID of the group. The group administrator privilege thus differs from the global (system administrator) privileges and the general user rights in that it is assigned on a user group basis instead of on a user ID basis.
A user group may (but need not) have a group administrator. Any user ID that possesses the global privilege USER-ADMINISTRATION is implicitly authorized to manage user groups. A global user administrator must not, however, be designated as the group administrator of a user group, since a global user administrator always has more privileges than a group administrator. Each user group has one – and only one – directly assigned group administrator.
There are three variants of the group administrator privilege; these form the following hierarchy:
MANAGE-RESOURCES (lowest privilege)
MANAGE-MEMBERS
MANAGE-GROUPS (highest privilege)
MANAGE-RESOURCES
The group administrator privilege variant MANAGE-RESOURCES authorizes the group administrator to manage the user IDs of his or her own user group as well as of user groups of the subordinate group structure, taking due account of the group potential of resources and user rights defined for the user group. Group administrators can also authorize user IDs which are not group members to access the group’s files and job variables provided that these are not protected by the BACL. The permitted activities are restricted to existing user IDs and user groups. This means that a group administrator possessing the MANAGE-RESOURCES privilege variant is not authorized to modify the existing group structure or the assignment of group members or to create new user IDs or user groups.
The following commands are available to group administrators with the MANAGE-RESOURCES privilege:
  User group commands: MODIFY-USER-GROUP, SHOW-USER-GROUP
  User ID commands: MODIFY-USER-ATTRIBUTES, SHOW-USER-ATTRIBUTES
MANAGE-MEMBERS
The group administrator privilege variant MANAGE-MEMBERS implies the MANAGE-RESOURCES variant. It additionally authorizes the group administrator to modify his or her own user group and its subordinate group structure by creating, reassigning and deleting group members.
The following commands are available to group administrators with the MANAGE-MEMBERS privilege:
  User group commands: MODIFY-USER-GROUP, SHOW-USER-GROUP
  User ID commands: ADD-USER, MODIFY-USER-ATTRIBUTES, REMOVE-USER, LOCK-USER, UNLOCK-USER, SHOW-USER-ATTRIBUTES, SET-LOGON-PROTECTION, MODIFY-LOGON-PROTECTION, SHOW-LOGON-PROTECTION
  Terminal set commands: COPY-TERMINAL-SET, CREATE-TERMINAL-SET, DELETE-TERMINAL-SET, MODIFY-TERMINAL-SET, SHOW-TERMINAL-SET
MANAGE-GROUPS
The group administrator privilege variant MANAGE-GROUPS implies the MANAGE-MEMBERS variant. It additionally authorizes the group administrator to modify the group structure subordinate to his or her own user group by creating, reassigning and deleting subgroups.
The following commands are available to group administrators with the MANAGE-GROUPS privilege:
  User group commands: ADD-USER-GROUP, MODIFY-USER-GROUP, REMOVE-USER-GROUP, SHOW-USER-GROUP
  User ID commands: ADD-USER, MODIFY-USER-ATTRIBUTES, REMOVE-USER, LOCK-USER, UNLOCK-USER, SHOW-USER-ATTRIBUTES, SET-LOGON-PROTECTION, MODIFY-LOGON-PROTECTION, SHOW-LOGON-PROTECTION
  Terminal set commands: COPY-TERMINAL-SET, CREATE-TERMINAL-SET, DELETE-TERMINAL-SET, MODIFY-TERMINAL-SET, SHOW-TERMINAL-SET
The privilege variant assigned to a group administrator is always valid for the pubset on which the user group is entered, and only for this pubset.
All activities of a group administrator always refer either to his or her own user group (activities related to the management of group members) or to subordinate user groups of the same pubset (activities related to the management of subgroups and their group members), but never to superordinate user groups or user groups of other pubsets.
The group potential of a user group and in particular the group administrator privilege variant cannot be defined or modified except by a superordinate group administrator or a global user administrator.
It is not mandatory to designate a group administrator for a user group. Any user group for which no group administrator has been defined is managed by a superordinate group administrator or a global user administrator.
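The following Python model is an added illustration for this page; it is not SRPM code and not part of the BS2000 manual. It ties together the group definition described earlier (group and member name prefixes, the booked elements MAX-SUB-GROUPS and MAX-GROUP-MEMBERS, one group per user ID, *UNIVERSAL as an unlimited root) with the three privilege variants and the scope rules just given: a group administrator acts on his or her own group or subordinate groups, never on superordinate ones, and the group potential of a group is set only from above. Group IDs, user IDs, quota values and the way a member is charged against the quotas of superordinate groups are constructed assumptions; the real user catalog is not reproduced.

```python
"""Model of an SRPM-style user group hierarchy: name prefixes, the booked
elements MAX-SUB-GROUPS and MAX-GROUP-MEMBERS, single-group membership and
the group administrator privilege variants with their scope. Added example
for this page, not SRPM code: all IDs and the quota charging are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Privilege variants, lowest to highest; a higher variant implies the lower ones.
ADM_AUTHORITY = ("MANAGE-RESOURCES", "MANAGE-MEMBERS", "MANAGE-GROUPS")
# Lowest variant that grants each command, taken from the command lists above.
REQUIRED = {"MODIFY-USER-GROUP": "MANAGE-RESOURCES", "MODIFY-USER-ATTRIBUTES": "MANAGE-RESOURCES",
            "ADD-USER": "MANAGE-MEMBERS", "REMOVE-USER": "MANAGE-MEMBERS",
            "ADD-USER-GROUP": "MANAGE-GROUPS", "REMOVE-USER-GROUP": "MANAGE-GROUPS"}


@dataclass
class Group:
    name: str
    parent: Optional[str]
    group_prefix: str = ""       # names of subgroups must begin with this
    member_prefix: str = ""      # user IDs of members must begin with this
    max_sub_groups: int = 0      # MAX-SUB-GROUPS (booked element)
    max_group_members: int = 0   # MAX-GROUP-MEMBERS: the group plus its subgroups
    administrator: Optional[str] = None
    adm_authority: Optional[str] = None
    members: set = field(default_factory=set)


class Pubset:
    """Group structure of one pubset; *UNIVERSAL is present as the root from the start."""

    def __init__(self) -> None:
        self.groups = {"*UNIVERSAL": Group("*UNIVERSAL", None)}
        self.owner = {}  # user ID -> the one group it belongs to

    def subtree(self, name: str) -> list:
        # The group itself plus every subordinate group.
        out = [name]
        for g in self.groups.values():
            if g.parent == name:
                out += self.subtree(g.name)
        return out

    def member_count(self, name: str) -> int:
        return sum(len(self.groups[g].members) for g in self.subtree(name))

    def add_group(self, name: str, parent: str, **attrs) -> None:
        p = self.groups[parent]
        if name in self.groups:
            raise ValueError(f"group {name} already exists")
        if not name.startswith(p.group_prefix):
            raise ValueError(f"{name} does not begin with group prefix {p.group_prefix!r}")
        direct = sum(1 for g in self.groups.values() if g.parent == parent)
        # *UNIVERSAL is not limited by a group potential; every other group is.
        if parent != "*UNIVERSAL" and direct >= p.max_sub_groups:
            raise ValueError(f"MAX-SUB-GROUPS of {parent} exhausted")
        self.groups[name] = Group(name, parent, **attrs)

    def add_member(self, name: str, user: str) -> None:
        g = self.groups[name]
        if user in self.owner:
            raise ValueError(f"{user} is already a member of {self.owner[user]}")
        if not user.startswith(g.member_prefix):
            raise ValueError(f"{user} does not begin with member prefix {g.member_prefix!r}")
        # Assumption: a member is charged to its own group and to every superordinate
        # group, since MAX-GROUP-MEMBERS counts a group together with its subgroups.
        anc = name
        while anc != "*UNIVERSAL":
            if self.member_count(anc) >= self.groups[anc].max_group_members:
                raise ValueError(f"MAX-GROUP-MEMBERS of {anc} exhausted")
            anc = self.groups[anc].parent
        g.members.add(user)
        self.owner[user] = name

    def set_administrator(self, name: str, user: str, authority: str) -> None:
        if self.owner.get(user) != name:
            raise ValueError("the group administrator must be a member of the group")
        g = self.groups[name]
        g.administrator = user
        # The administrator of *UNIVERSAL always holds MANAGE-GROUPS.
        g.adm_authority = "MANAGE-GROUPS" if name == "*UNIVERSAL" else authority

    def may(self, admin: str, command: str, target: str) -> bool:
        """Do privilege variant and scope allow `admin` to run `command` on `target`?"""
        own = self.owner.get(admin)
        g = self.groups.get(own) if own else None
        if g is None or g.administrator != admin:
            return False  # not a group administrator at all
        if ADM_AUTHORITY.index(g.adm_authority) < ADM_AUTHORITY.index(REQUIRED[command]):
            return False  # privilege variant too low for this command
        if command == "MODIFY-USER-GROUP":
            # The group potential is set only by a superordinate administrator.
            return target in self.subtree(own) and target != own
        return target in self.subtree(own)  # own group or subordinate, never above
```

Building a small structure *UNIVERSAL -> DEV -> DEVWEB with this model shows the two points a reviewer of a group layout cares about: members of DEVWEB consume DEV's MAX-GROUP-MEMBERS even though they are not members of DEV, and an administrator of DEV with MANAGE-MEMBERS can add users to DEVWEB but can neither create a subgroup of DEV nor touch *UNIVERSAL, while the administrator of *UNIVERSAL is treated as MANAGE-GROUPS whatever variant was requested.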
Changing the home pubset
The home pubset and the standby pubsets should be carefully maintained during any BS2000 session. Since the user group structure on the home pubset is used for access control, the user group structures on the standby pubsets should be updated so that they are always identical with the group structure on the home pubset. Special caution should be exercised when changing the home pubset or using the home pubset on another computer. If the user group structures are not identical, such a change in the system environment may lead to different results being produced by access control.
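The consistency requirement above is easiest to enforce with a periodic comparison of the two group structures. The following check is an added example for this page, not an SRPM utility: it takes two snapshots of a group structure (one per pubset), reports every group attribute that differs, and lists the user IDs whose group membership, and therefore whose access-control result, would change if the standby pubset became the home pubset. Both snapshots are constructed dictionaries, not SHOW-USER-GROUP output, and the group and user IDs in them are assumptions.

```python
"""Compare the group structure on the home pubset with the copy on a standby
pubset and list every difference that would change an access decision if the
standby pubset became the home pubset. Added example for this page, not an
SRPM utility; both snapshots are constructed, not SHOW-USER-GROUP output."""

# Constructed snapshots: group ID -> (superordinate group, administrator,
# ADM-AUTHORITY variant, members). The root *UNIVERSAL has no superordinate group.
HOME = {
    "*UNIVERSAL": (None, "TSOS", "MANAGE-GROUPS", {"TSOS", "SYSPRIV"}),
    "DEV": ("*UNIVERSAL", "DADMIN", "MANAGE-MEMBERS", {"DADMIN", "DUSER1"}),
    "DEVWEB": ("DEV", None, None, {"DWUSER1"}),
}
STANDBY = {
    "*UNIVERSAL": (None, "TSOS", "MANAGE-GROUPS", {"TSOS", "SYSPRIV"}),
    "DEV": ("*UNIVERSAL", "DADMIN", "MANAGE-GROUPS", {"DADMIN", "DUSER1", "DWUSER1"}),
}
FIELDS = ("superordinate group", "administrator", "ADM-AUTHORITY", "members")


def group_of(snapshot: dict) -> dict:
    """Map each user ID to its group. A user ID listed under two groups is a
    corrupt snapshot, since every user ID belongs to exactly one group."""
    owner = {}
    for name, (_, _, _, members) in snapshot.items():
        for uid in members:
            if uid in owner:
                raise ValueError(f"{uid} listed in both {owner[uid]} and {name}")
            owner[uid] = name
    return owner


def group_drift(home: dict, standby: dict) -> list:
    """(group, field, home value, standby value) for every mismatch, in a
    stable order so two reports can be compared between runs."""
    findings = []
    for name in sorted(set(home) | set(standby)):
        if name not in standby:
            findings.append((name, "group", "present", "missing"))
            continue
        if name not in home:
            findings.append((name, "group", "missing", "present"))
            continue
        for fld, h, s in zip(FIELDS, home[name], standby[name]):
            if h != s:
                if fld == "members":
                    h, s = sorted(h), sorted(s)
                findings.append((name, fld, h, s))
    return findings


def user_drift(home: dict, standby: dict) -> list:
    """User IDs whose group membership differs between the two pubsets: these
    are the IDs whose access checks would give different results after a
    change of home pubset."""
    h, s = group_of(home), group_of(standby)
    return sorted((uid, h.get(uid), s.get(uid))
                  for uid in set(h) | set(s) if h.get(uid) != s.get(uid))


if __name__ == "__main__":
    for finding in group_drift(HOME, STANDBY):
        print("group drift:", finding)
    for finding in user_drift(HOME, STANDBY):
        print("user drift:", finding)
```

In the constructed data the standby copy has been edited independently: the DEV administrator holds MANAGE-GROUPS there instead of MANAGE-MEMBERS, the subgroup DEVWEB is missing, and DWUSER1 has been placed directly in DEV. A switch to that pubset would silently widen the DEV administrator's authority and change the group DWUSER1 is evaluated against, which is exactly the divergence of access-control results the paragraph above warns of; the report makes each such difference visible before the switch rather than after.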