GROUP Entry Monitoring

Controlling Access › GROUP Entry Monitoring

GROUP Entry Monitoring

With USS, you can assign valid groups by adding a value with the keyword OMVSGRP, for example:

TSS ADD(usracid) GROUP(MODERNE)
                 DFLTGRP(MODERNE)

TSS ADD(usracid) GROUP(KLUTZ)

TSS ADD(usracid) GROUP(KLUGE)

When a user signs onto a multi-user facility (for example, IMS, CICS, TSO), they are given the option to specify a group. In CICS, you may specify GROUP as part of the CESN sign on transaction. In IMS, you may specify GROUP as part of the /SIGN sign on command. In TSO, you may specify GROUP as part of the standard sign on information.

In other security implementations, the assignment of GROUP is required. In CA Top Secret:

When you specify GROUP, it is checked against the available OMVSGRP assignments and then against the IBMGROUP permissions. The resulting list of groups constitutes the list of valid groups for that user. If GROUP is validated against one of these entries, the GROUP that you specified at sign on is passed in its entirety to the session. If the GROUP specified by the sign on is not valid for the user, the group is altered to “*” and the sign on is allowed to proceed. This action can lead to problems later if the user intends to use Unix Systems Services, because no GID is assigned to the session. If OPTION(69) is set and the GROUP specified is not valid, the signon fails.
If you do specify a GROUP as part of the signon parameters, if DFLTGRP is available, it is substituted into the signon parameter string. If DFLTGRP specified is one of the valid groups assigned to the user, it is passed to the session and the signon is allowed. A valid entry without a GID can lead to problems with USS access. If the DFLTGRP that you specify is an invalid group for the user, CA Top Secret substitutes an “*” for the GROUP in the signon; the signon is allowed to proceed, regardless of OPTION(69). If no DFLTGRP is available, CA Top Secret substitutes “*” in the GROUP parameter. The signon is allowed to proceed regardless of OPTION(69).