A Unix/Linux user is not restricted to one group. A Unix/Linux user has
a primary group and is typically created with a unique group ID number
with the same name and same ID number associated with the user. After
creation, the user may be connected to multiple additional groups and
gain access to resources associated with those groups. It is likely
that a Linux user may have a much lower max number of connected groups
than RACF, but that might not be a problem.

An Access Control List can also be associated with a file or directory
so that access may be granted to multiple users and multiple groups, not
just to one user, one group, and other.

That being said, trying to create some kind of correspondence between
Unix and RACF groups would be a mess, because both environments have
their own conventions with many default usernames, default group names,
default paths to files, and historical conventions of what should be
protected and how. Even if you just restricted any correspondence to
user and application files, you would probably have to accept that group
names corresponding to the same work role might have to be different in
the two environments.

If possible to set up a useful correlation, it would take some serious
effort and hit against the same resistance as any proposed change to
installation standards.
JC Ewing
On 10/9/24 12:51, Mike Schwab wrote:
It would be nice if RACF groups and *nix groups were correlated, but in *nix
a user is in one group while a RACF ID is in many groups.
On Wed, Oct 9, 2024 at 6:18 AM Lionel B. Dyck
<[email protected]> wrote:
Thank you - I've added your comments to the IBM Idea.
Lionel B. Dyck <><
Github: https://github.com/lbdyck
System Z Enthusiasts Discord: https://discord.gg/sze
“Worry more about your character than your reputation. Character is what you
are, reputation merely what others think you are.” - - - John Wooden
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
Joel Ewing
Sent: Tuesday, October 8, 2024 9:13 AM
To: [email protected]
Subject: Re: IBM Idea - add sudo to IBM's OEF
Including, of course, adding suitable RACF profiles to control what
groups or users are authorized to use the "sudo" command, what user
identities they are allowed to change to, and which of those users or
groups are required to supply a password associated with the new
identity. Those kinds of controls exist for the "su" and "sudo"
commands in the Linux world.
JC Ewing
On 10/8/24 08:11, Lionel B. Dyck wrote:
Please consider, if you are able, to vote and/or add supportive
comments to this IBM Idea to add sudo to the IBM Open Enterprise
Foundation (OEF) package
https://ibm-z-software-portal.ideas.ibm.com/ideas/OEF-I-5
Lionel B. Dyck <><
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to [email protected] with the message: INFO IBM-MAIN
--
Joel C Ewing