Can CA-Top Secret utilize the UNIXPRIV SHARED.IDS resource to assign the same UID to multiple ACIDs?

Document ID : KB000014281
Last Modified Date : 14/02/2018
Question:

Can CA-Top Secret utilize the UNIXPRIV SHARED.IDS resource to assign the same UID to multiple ACIDs?

 

Answer:

With CA Top Secret, UID 0 is the only UID that can be given to more than one user. All other UIDs must be unique.

From the CA Top Secret Cookbook:

A UID is required for all ACIDs in USS. 
CA Top Secret will not allow a UID to be given if it is already assigned to another ACID. A UID defined with a value of zero indicates that this user is a superuser. UID(0) is the only UID that can be given to more than one ACID.

The following regarding sharing UIDs is from the z/OS Security Server RACF Security Administrator's Guide:

Controlling the use of shared UNIX identities 
When you allow users to share UIDs, you lose the ability to control user access at an individual level. Users of a shared UID are treated as the same user during z/OS UNIX security checks.

Guideline: Avoid using shared (non-unique) UIDs and GIDs because they result in the loss of user accountability and decrease security. If shared UIDs and GIDs already exist at your installation, make an effort to minimize their use. Use the IRRDBU00 reports called "UIDS" and "GIDS" to find occurrences of shared IDs, and change them to unique IDs where appropriate.
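
The audit the guideline describes can also be scripted against an unloaded copy of the security database. The following is an added example, not code from CA or IBM documentation: it reads IRRDBU00-style records, lists every user ID holding UID 0, and flags any non-zero UID held by more than one user ID. It assumes the type 0270 (user OMVS) record layout with the user ID in columns 6-13 and the UID in columns 15-24; verify the columns against the record layout for your release. The sample records are constructed.

```python
from collections import defaultdict

RECORD_TYPE_USER_OMVS = "0270"  # assumed IRRDBU00 record type for user OMVS data


def parse_uid_holders(lines):
    """Map each numeric UID to the sorted list of user IDs that hold it."""
    holders = defaultdict(set)
    for line in lines:
        if line[0:4] != RECORD_TYPE_USER_OMVS:
            continue  # other record types carry no UID in these columns
        name = line[5:13].strip()        # columns 6-13 (assumed layout)
        uid_text = line[14:24].strip()   # columns 15-24 (assumed layout)
        if not name or not uid_text.isdigit():
            continue  # OMVS segment without a UID, or a truncated record
        holders[int(uid_text)].add(name)
    return {uid: sorted(names) for uid, names in holders.items()}


def audit_shared_uids(lines):
    """Return (UID 0 holders, {non-zero UID: holders} for UIDs held by 2+ IDs)."""
    holders = parse_uid_holders(lines)
    superusers = holders.get(0, [])
    shared = {uid: names for uid, names in sorted(holders.items())
              if uid != 0 and len(names) > 1}
    return superusers, shared


def _rec(rtype, name, uid, rest):
    # Builds one constructed fixed-column record for the sample below.
    return f"{rtype:<4} {name:<8} {uid:>10} {rest}"


SAMPLE = [  # constructed records, not taken from any real system
    _rec("0270", "OMVSKERN", "0000000000", "/"),
    _rec("0270", "SYSADM1", "0000000000", "/u/sysadm1"),
    _rec("0270", "APPUSR1", "0000001001", "/u/appusr1"),
    _rec("0270", "APPUSR2", "0000001001", "/u/appusr2"),
    _rec("0270", "BATCH01", "0000001002", "/u/batch01"),
    _rec("0270", "NOUID01", "", "/u/nouid01"),       # segment with no UID
    _rec("0200", "APPUSR1", "2018-02-14", ""),       # base record, ignored
]

if __name__ == "__main__":
    superusers, shared = audit_shared_uids(SAMPLE)
    print("UID 0 (superuser) holders:", ", ".join(superusers))
    for uid, names in shared.items():
        print(f"Shared UID {uid}: {', '.join(names)}")
```

UID 0 is reported separately because it is the one value that may legitimately be shared, so the list of its holders is the set of superusers to review.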