[z/OS]

Customization Dialog variables: Common MVS Groups and Users

This topic lists definitions for the terms that you will see in the WebSphere® Application Server for z/OS® Customization Dialog.

Note: If you are setting up a "practice" stand-alone application server, choose the default values wherever possible.

Cell-wide user IDs and groups

The first part of setting up a security domain is to choose the cell-wide user IDs and group names. Each name should contain one to eight alphanumeric characters with an alphabetic first character.
Note: You can also use national characters (#, $, and @), but these are better avoided as they can lead to compatibility problems later.
Each user ID will also require a UNIX® System Services UID number, and each group will require a UNIX System Services GID number:
  • UID values must be unique numeric values between 1 and 2,147,483,647.

    Do not use a UID value of 0.

  • GID values must be unique numeric values between 1 and 2,147,483,647.
Although you can set up several cells using a single security domain definition, you should not share user IDs and groups between separate security domains.

If you have enabled automatic UID/GID selection (refer to the steps in Preparing the security server (RACF)), you can have RACF choose unused UID or GID values for the SAF users and groups created during customization. In the ISPF Customization Dialog, specify an asterisk for each UID or GID for which RACF is to choose an unused value. In the Profile Management Tool, select the "Allow OS security to assign" checkbox for each UID or GID for which RACF is to choose an unused value.

Choose names and UID values for the following SAF user IDs, and enter them on the worksheet:
WebSphere Application Server Administrator
This user ID is the initial WebSphere Application Server administrator and also owns most of the cell's files in the configuration HFS. It must have the WebSphere Application Server configuration group (below) as its default UNIX System Services group. Certain customization batch jobs must be run under this user ID.
WebSphere Application Server Asynchronous Administration Task
This user ID is used to run the asynchronous administration operations procedure. It must be a member of the WebSphere Application Server configuration group.
WebSphere Application Server Unauthenticated User
This user ID is associated with unauthenticated client requests. It is sometimes referred to as the "guest" user ID. It should be given the RESTRICTED attribute in RACF®, to prevent it from inheriting UACC-based access privileges, and it must be a member of the WebSphere Application Server unauthenticated user group (below).
WebSphere Application Server File System Owner
This user ID owns many of the cell's files in the configuration file system. It must have the WebSphere Application Server configuration group (below) as its default UNIX System Services group.
Note: The WebSphere Application Server File System Owner user ID is included in WebSphere Application Server Version 6.1 and later. This user ID has a default value of WSOWNER. In earlier versions of the product, the configuration file system is owned by the WebSphere Application Server Administrator user ID, which has a default value of WSADMIN.
Choose names and GID values for the following SAF groups, and enter them on the worksheet:
WebSphere Application Server Configuration Group
This is the default group name for the WebSphere Application Server administrator user ID and all server user IDs. This is the group owner for most files in the configuration HFS, so access to this group should be limited.
WebSphere Application Server Servant Group
Connect all servant user IDs to this group. You can use it to assign subsystem permissions, such as DB2® authorizations, to all servants in the security domain.
WebSphere Application Server Local User Group
Connect all local WAS client user IDs to this group. If unauthenticated user (guest) IDs are required for WebSphere Application Server, they should have this as their default group.
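
The naming and UID/GID rules above can be checked against a completed worksheet before the customization jobs are generated. The following is an added example, not part of the IBM documentation or the Customization Dialog; the function name, the worksheet layout, and all sample names and numbers other than WSADMIN and WSOWNER are assumptions made for illustration.

```python
import re

MAX_ID = 2_147_483_647  # upper bound for UID and GID values given in this topic
# Assumption: national characters (#, $, @) are accepted after the first position.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9#$@]{0,7}")

def check_worksheet(entries):
    """entries: (kind, name, id_value) tuples; kind is 'user' or 'group' and
    id_value is an int or '*' (RACF chooses an unused value).
    Returns (errors, warnings) as lists of strings."""
    errors, warnings = [], []
    assigned = {"user": {}, "group": {}}  # UIDs and GIDs are checked separately
    for kind, name, id_value in entries:
        label = "UID" if kind == "user" else "GID"
        if not NAME_RE.fullmatch(name):
            errors.append(f"{name}: name must be 1-8 alphanumeric characters, alphabetic first")
        elif set(name) & set("#$@"):
            warnings.append(f"{name}: national characters are better avoided")
        if id_value == "*":
            continue  # nothing to range-check; RACF assigns the value
        if not isinstance(id_value, int) or not 1 <= id_value <= MAX_ID:
            errors.append(f"{name}: {label} {id_value!r} is outside 1..{MAX_ID}")
            continue
        owner = assigned[kind].setdefault(id_value, name)
        if owner != name:
            errors.append(f"{name}: {label} {id_value} is already used by {owner}")
    return errors, warnings

# Constructed sample worksheet; only WSADMIN and WSOWNER are names from the page.
SAMPLE = [
    ("user", "WSADMIN", 2403),
    ("user", "WSOWNER", 2403),           # duplicate UID
    ("user", "WSGUEST", 0),              # UID 0 is not allowed
    ("user", "WS$ASYNC", "*"),           # valid, but uses a national character
    ("group", "WSCONFIGGRP", 2500),      # 11 characters, too long
    ("group", "WSSR1", 2500),            # duplicate GID
    ("group", "WSCLGP", 2_147_483_648),  # above the maximum
]

if __name__ == "__main__":
    errs, warns = check_worksheet(SAMPLE)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

The check covers a single worksheet only; it cannot tell whether a value is already in use in RACF or in another security domain.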

WebSphere Application Server user ID home directory

Note: This field was added to the Customization Dialog in WebSphere Application Server for z/OS Version 6.0.2.1.
WebSphere Application Server user ID home directory
Specify a new or existing z/OS HFS directory in which home directories for WebSphere Application Server for z/OS user IDs will be created by the customization process. This directory does not need to be shared among z/OS systems in a WebSphere Application Server cell. If you use an existing world-writeable directory, you may need to manually set the permissions after WebSphere Application Server customization, which sets the permissions to 755.



Related information
Planning for common groups and users

Last updated: Aug 31, 2013 1:23:07 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=rins_defvar1defgrp
File name: rins_defvar1defgrp.html