The MVS userid assigned to any TDP that uses an NP must have an OMVS segment in its RACF user profile, which provides the UNIX userid. For IBM's RACF, this may be done in one of three ways:
- For z/OS V1.R13 and older, the BPX.DEFAULT.USER profile in the RACF FACILITY class can be used to assign a default UNIX userid to every MVS userid.
- For z/OS V1.R11 and later, the BPX.UNIQUE.USER profile in the RACF FACILITY class can be used to request a UNIX userid for any MVS userid without an OMVS segment that accesses a UNIX kernel service. Refer to the z/OS Security Server RACF Security Administrator's Guide available at: http://www.ibm.com/support/knowledgecenter/.
- For any z/OS release, the following RACF commands may be used to associate an existing UNIX userid with an MVS TDP userid:
  - ALTUSER mvsusername OMVS(UID(unixuserid))
  - ALTGROUP mvsgroupname OMVS(GID(unixgroupid))

  where mvsusername is the MVS userid for the TDP; unixuserid is either an existing UNIX userid or the parameter AUTOUID to request that a unique UNIX userid be generated; mvsgroupname is the MVS group name with which the MVS TDP user name is associated; and unixgroupid is either an existing UNIX group ID or the parameter AUTOGID to request that a unique UNIX group ID be generated.
TDP uses UNIX only implicitly, to access the network. It uses no explicit UNIX resources such as the shell, applications, or files. However, because TDP exits could use such resources, the security characteristics of the UNIX userid might need to allow for that usage. Refer to the IBM document z/OS UNIX System Services Planning, available at: http://www.ibm.com/support/knowledgecenter/.
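
To confirm the result of the steps above, an administrator can capture the output of the RACF command LISTUSER mvsusername OMVS NORACF for each TDP userid and check it offline. The following Python sketch is an added example, not part of the original documentation or of any Teradata or IBM tooling. The userids, the sample listing and its layout are constructed assumptions, and flagging UID 0 is an assumed least-privilege policy based on TDP needing UNIX only for network access.

```python
import re

# Constructed sample: LISTUSER <userid> OMVS NORACF output for three
# hypothetical TDP userids (layout assumed from typical RACF listings).
SAMPLE = """\
USER=TDPPROD

OMVS INFORMATION
----------------
UID= 0000000741
HOME= /u/tdpprod
PROGRAM= /bin/sh

USER=TDPTEST

NO OMVS INFORMATION

USER=TDPOLD

OMVS INFORMATION
----------------
UID= 0000000000
HOME= /
PROGRAM= /bin/sh
"""

def parse_listuser(text):
    """Return {userid: UID as int, or None when no UID is listed}."""
    users, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"USER=(\S+)", line)
        if m:                       # start of a new user's listing
            current = m.group(1)
            users[current] = None   # stays None if no numeric UID follows
            continue
        m = re.match(r"UID=\s*(\d+)$", line)
        if m and current:
            users[current] = int(m.group(1))
    return users

def audit(text):
    """Flag TDP userids with no UNIX userid or with superuser authority."""
    findings = {}
    for user, uid in parse_listuser(text).items():
        if uid is None:
            findings[user] = "no UID: use ALTUSER ... OMVS(UID(...)) or BPX.UNIQUE.USER"
        elif uid == 0:
            findings[user] = "UID 0: superuser, more than network access needs"
    return findings

if __name__ == "__main__":
    for user, problem in audit(SAMPLE).items():
        print(f"{user}: {problem}")
```

A userid reported with no UID can still work if BPX.DEFAULT.USER or BPX.UNIQUE.USER is active for the z/OS release in use, so treat that finding as a prompt to check which of the three methods the site relies on.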