RACF users can be made with the ADDUSER command. Because creating a user is a multi-step process involving several different RACF commands, creating a user via batch is common.
RACF commands can be run in batch with the IKJEFT01 program, which executes TSO commands in batch. Two other programs are also used below: IDCAMS, to catalog the user alias and define the zFS data set, and IOEAGFMT, to format the zFS.
The minimum command you can enter is
ADDUSER <userid>
You can also list a user once created to view information about them:
LU <userid>
Or delete a user:
DELUSER <userid>
Adding a user with the above command doesn’t automatically mean they can log onto a mainframe. To perform certain tasks they need segments and permissions added to their profile, for example,
- TSO login -> needs a TSO segment
- USS/OMVS usage -> needs an OMVS segment
Protected User IDs
A user created without these segments (without the ability to log on) is called a 'protected uid'[1] or sometimes a 'functional uid'. Protected IDs are often used to own and run started tasks, own digital certificates, and be associated with other resources that do not need anyone to log on in order to use or manage them.
It is good practice to split tasks and applications across separate protected uids rather than tie them to a real user, because that user may be revoked, at which point every service associated with them stops working. Protected uids cannot be revoked by inactivity or by incorrect password attempts, so it is safer to run mission-critical applications under one.
Creating an interactive user
To create a user that can be logged onto, you need to add a TSO segment as shown below. It is also best practice to give the account details such as the user's full name, a default security group, and an owner. If these are not provided, the default group is set to the creator's default group and the owner is set to the creator (where the creator is the person running the commands). You also need to provide a temporary password for the first logon, or the uid will be created as a protected one.
ADDUSER <userid> DFLTGRP(<groupid>) OWNER(<ownerid>) NAME('<firstname lastname>') PASSWORD(<temp password>)
Adding a TSO Segment
By creating the TSO segment with additional parameters, we can have fields on the TSO logon screen auto-populate for the user.
ACCTNUM – must already be defined to RACF in the ACCTNUM resource class, and the uid must have READ access to it. This can be granted with the following command (READ is PERMIT's default access level): PE <account number> CL(ACCTNUM) ID(<userid>)
PROC – the default logon procedure; more on logon procedures can be found in this post.
MAXSIZE – the maximum region size, in KB (kilobytes), that the user is allowed to request at logon. The largest possible value is 2096128 KB, or approximately 2 GB.
TSO(ACCTNUM(<account number>) PROC(<default logon proc>) MAXSIZE(<maximum session size>))
Adding an OMVS Segment
The same can be done to add the OMVS segment. As in traditional UNIX, UID 0 grants superuser authority, so reserve it for administrative IDs and give regular users any other number.
OMVS( HOME(/u/<lowercase userid>) UID(1000) SHARED PROGRAM(/bin/sh))
A full example job to make a user ID
//ADDUSER JOB ,'add user',
// MSGCLASS=X,CLASS=A,NOTIFY=&SYSUID
//ADD EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//* SYMPRINT receives the substitution log named in SYMBOLS= below
//SYMPRINT DD SYSOUT=*
//SYSTSIN DD *,SYMBOLS=(EXECSYS,SYMPRINT)
 AU SAMPU -
  NAME('Sample User') -
  OWNER(SYS1) -
  DFLTGRP(SYS1) -
  PASSWORD(password) -
  TSO( -
   ACCTNUM(ACCT#) -
   HOLDCLASS(X) -
   JOBCLASS(A) -
   MSGCLASS(X) -
   PROC(ISPFPROC) -
   SIZE(2096128) -
   MAXSIZE(2096128) -
   SYSOUTCLASS(X) -
   COMMAND(ISPF) -
  ) -
  OMVS( -
   HOME(/u/sampu) -
   UID(0) -
   SHARED -
   PROGRAM(/bin/sh) -
  )
/*
This will make the user ID. We should also do a couple of other things so the user can create mainframe datasets under their userid, have those datasets protected, and use their OMVS segment.
Add their userid as an alias related to your system's user catalog, if it has one (this is best practice). The user's datasets will then be catalogued in the user catalog.
//DEFALIAS EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYMPRINT DD SYSOUT=*
//SYSIN DD *,SYMBOLS=(EXECSYS,SYMPRINT)
  DEFINE ALIAS -
    (NAME(SAMPU) -
     RELATE(<user catalog name>)) -
    CATALOG(<master catalog name>)
/*
Protect their userid-qualified datasets with RACF, giving other users no access or only minimal, controlled access to them.
//DEFRACF EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYMPRINT DD SYSOUT=*
//SYSTSIN DD *,SYMBOLS=(EXECSYS,SYMPRINT)
 ADDSD 'SAMPU.*' GENERIC UACC(NONE)
 PERMIT 'SAMPU.*' GENERIC ID(SAMPU) ACCESS(ALTER)
/*
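As an added example that is not part of the original post, here is a small Python helper that generates the ADDUSER and ADDSD/PERMIT commands from the sections above with the TSO continuation characters in place, refuses UID(0) unless explicitly allowed, and flags multi-line commands that lack a continuation character. The user IDs, group, account number and logon procedure names are constructed placeholders.

```python
import re

# RACF user ID: 1-8 characters; first alphabetic or national (@ # $), rest alphanumeric/national.
USERID_RE = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")

def tso_join(parts):
    """Join command fragments into SYSTSIN lines; every line but the last ends in the '-' continuation."""
    return "\n".join(f"{p} -" if i < len(parts) - 1 else p for i, p in enumerate(parts))

def build_adduser(userid, name, dfltgrp, owner, temp_password=None,
                  omvs_uid=None, acctnum="ACCT#", proc="ISPFPROC", allow_uid0=False):
    """Return one ADDUSER command for SYSTSIN (placeholder account/proc names are assumptions).
    temp_password=None omits PASSWORD and the TSO segment, so RACF creates a protected ID.
    omvs_uid=None omits the OMVS segment; UID 0 (superuser) is refused unless allow_uid0 is set.
    SHARED is deliberately left out so a duplicate UID is rejected where SHARED.IDS is enforced.
    """
    userid = userid.upper()
    if not USERID_RE.match(userid):
        raise ValueError(f"invalid RACF user ID: {userid!r}")
    if omvs_uid == 0 and not allow_uid0:
        raise ValueError("UID(0) grants superuser authority; set allow_uid0=True only for admin IDs")
    safe_name = name.replace("'", "''")  # apostrophes inside a quoted string are doubled
    parts = [f"AU {userid}", f"NAME('{safe_name}')", f"OWNER({owner})", f"DFLTGRP({dfltgrp})"]
    if temp_password is not None:
        parts += [f"PASSWORD({temp_password})",
                  f"TSO(ACCTNUM({acctnum}) PROC({proc}) MAXSIZE(2096128))"]
    if omvs_uid is not None:
        parts.append(f"OMVS(HOME(/u/{userid.lower()}) UID({omvs_uid}) PROGRAM(/bin/sh))")
    return tso_join(parts)

def build_dataset_protection(userid):
    """ADDSD/PERMIT pair: lock the user's HLQ to UACC(NONE) and give the user ALTER."""
    userid = userid.upper()
    return (f"ADDSD '{userid}.*' GENERIC UACC(NONE)\n"
            f"PERMIT '{userid}.*' GENERIC ID({userid}) ACCESS(ALTER)")

def missing_continuations(systsin):
    """Return 1-based line numbers where parentheses are still open at end of line but the
    line carries no trailing '-' (parentheses inside quoted strings are not special-cased)."""
    bad, depth = [], 0
    for n, line in enumerate(systsin.splitlines(), 1):
        body = line.rstrip()
        cont = body.endswith("-")
        if cont:
            body = body[:-1]
        depth += body.count("(") - body.count(")")
        if depth > 0 and not cont:
            bad.append(n)
    return bad
```

Running missing_continuations over a SYSTSIN block before submitting the job catches the case where a segment such as TSO( is split over several lines without the trailing hyphen, which would otherwise make IKJEFT01 treat each line as a separate (failing) command.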
Create a zFS for their UNIX data and make sure to format it. It should be mounted at the user's home directory listed above in the profile's OMVS segment, which will need to be created if it does not already exist. Some systems may have automation set up to automount user directories in USS.
//DEFZFS EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//AMSDUMP DD SYSOUT=*
//SYMPRINT DD SYSOUT=*
//SYSIN DD *,SYMBOLS=(EXECSYS,SYMPRINT)
  DEFINE CLUSTER (NAME(SAMPU.USER.ZFS) -
    ZFS -
    CYL(5 5) SHAREOPTIONS(3))
/*
//CREATZFS EXEC PGM=IOEAGFMT,REGION=0M,
// PARM=('-aggregate SAMPU.USER.ZFS -compat')
//SYSPRINT DD SYSOUT=*
//STDOUT DD SYSOUT=*
//STDERR DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//CEEDUMP DD SYSOUT=*
[1] Defining Protected User IDs
More about the available parameters that can be used with ADDUSER and the TSO and OMVS segments can be found in IBM's documentation.