Environment: running z/OS V2R1, using profiles BPX.NEXT.USER and BPX.UNIQUE.USER, the BPXMODEL profile is set up correctly (with HOME as /u/&racuid), and all users are automount managed under /u/ and the system dynamically creates and mounts the OMVS user's file system.
A new userid is added to RACF with no OMVS segment, and neither it nor its GROUP is in any access list. Using an ssh client, I attempt to sign in to my z/OS host and it succeeds. The userid now has an OMVS segment and a mounted file system.

That's great for adding new users that are members of our IT department, etc. But there are thousands of non-IT userids that exist in RACF for business purposes (users of CICS or IMS, etc.) and they have been in RACF for years with no OMVS segment. These days, a lot of that access is via browser or TN3270 clients on a PC of some type, a PC where an ssh client or PuTTY could be used to attempt to access the z/OS host.

Have I missed something? This seems to be a security issue to me. Other than going out and adding OMVS(NOUID) to a LOT of RACF USER profiles (which disables the dynamic creation of a new OMVS segment), what else is available to control this?
