<snip> Unless I am missing something, how is it a security issue? You had to logon with an id and password. It can access its own home directory, and was created based on a template I am assuming you or someone in your shop setup. </snip>
Agreed!

<snip> Environment: running z/OS V2R1, using profiles BPX.NEXT.USER and BPX.UNIQUE.USER, the BPXMODEL profile is set up correctly (with HOME as /u/&racuid), and all users are automount managed under /u/ and the system dynamically creates and mounts the OMVS user's file system. New userid is added to RACF with no OMVS segment and neither it nor its GROUP is in any access list. Using an ssh client, I attempt to sign in to my z/OS host and it succeeds. The userid now has an OMVS segment and a mounted file system.

That's great for adding new users that are members of our IT department, etc. But there are thousands of non-IT userids that exist in RACF for business purposes (users of CICS or IMS, etc.) and they have been in RACF for years with no OMVS segment. These days, a lot of that access is via browser or TN3270 clients on a PC of some type. A PC where an ssh client or PuTTY could be used to attempt to access the z/OS host.

Have I missed something? This seems to be a security issue to me. Other than going out and adding OMVS(NOUID) to a LOT of RACF USER profiles (which disables the dynamic creation of a new OMVS segment), what else is available to control this? </snip>

This is the defined function of BPX.NEXT.USER/BPX.UNIQUE.USER. If you really want to restrict OMVS access, set the OMVS PGM to "FALSE" in the MODEL user id.

HTH,

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
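The "set the OMVS PGM to FALSE in the MODEL user id" suggestion above, written out as RACF commands. This is an added example, not part of either post: it assumes the model user named in the BPX.UNIQUE.USER profile's APPLDATA is called BPXMODEL (the thread only mentions "the BPXMODEL profile"), and it reads "FALSE" as the z/OS UNIX /bin/false utility, which exits immediately with a non-zero return code. The userids ITUSER1 and CICSUSR1 are placeholders. Comments are REXX-style and must be stripped if the lines are typed at the TSO READY prompt rather than run from a REXX exec or an IKJEFT01 batch step.

```tso
/* Added example (assumed names: BPXMODEL, ITUSER1, CICSUSR1).            */

/* 1. Find out which model user BPX.UNIQUE.USER copies from: the user    */
/*    name is carried in the profile's APPLDATA field.                    */
RLIST FACILITY BPX.UNIQUE.USER

/* 2. Give the model user /bin/false as its initial program. Every OMVS   */
/*    segment that RACF creates dynamically from now on is a copy of this */
/*    segment, so an unexpected ssh logon still gets a UID and an          */
/*    automounted home under /u/, but the session ends before a shell     */
/*    prompt appears.                                                      */
ALTUSER BPXMODEL OMVS(PROGRAM('/bin/false'))

/* 3. Check the model segment (NORACF suppresses the base-segment output). */
LISTUSER BPXMODEL OMVS NORACF

/* 4. Userids that legitimately need z/OS UNIX get a real shell set         */
/*    explicitly; an explicit PROGRAM overrides whatever was copied.        */
ALTUSER ITUSER1 OMVS(PROGRAM('/bin/sh'))

/* 5. Segments that were already created from the old model keep the old  */
/*    PROGRAM value, so existing business userids that picked one up must  */
/*    be fixed individually (or, as the original poster notes, have        */
/*    dynamic creation switched off with OMVS(NOUID)).                     */
ALTUSER CICSUSR1 OMVS(PROGRAM('/bin/false'))
```

Two caveats a practitioner will want. First, this blocks the shell, not the segment: the userid is still assigned a UID from the BPX.NEXT.USER range and its file system is still created and mounted, so the audit trail and the consumed UIDs remain. Second, OpenSSH executes remote commands and subsystems such as sftp through the user's login shell (`shell -c command`), so /bin/false as the initial program stops sftp and scp as well as interactive logins; confirm that with a test userid before relying on it.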
