ACF2 does not have a limit to the number of Logonids that can have a UID of 0.
ACF2 does not enforce a limit to the number of logonids that can have a
UID of '0'; however, as a general recommendation for auditability, sites
should limit the number of logonids that have UID '0'.
To do so, sites can implement controls by securing BPX.SUPERUSER and
utilizing Superuser Granularity rules.
The ability to switch to superuser status is controlled through the
FACILITY class resource BPX.SUPERUSER. To control which users have
the ability to use the su command, add rule entries similar to the
following to the BPX resource rule in the FACILITY class, as appropriate:
SUPERUSER UID(user_uid) ALLOW
Specific superuser functions can be secured via superuser granularity
using resource rules in the UNIXPRIV class:
Controlling Superuser Functions
OMVS requires that users performing certain functions have a UID(0)
or superuser status. Once a user is given superuser status, they have
complete access to the system. The UNIXPRIV class allows specific
control of the individual functions performed by a user with superuser
authority. This is referred to as superuser granularity.
Using the UNIXPRIV class means that a user does not need superuser
authority to perform an individual function from the table of superuser
functions (the table itself is in the Administration Guide section cited below).
When a user attempts to perform the function without a UID(0) or
superuser authority, CA ACF2 issues a resource check to see if that
user is allowed to perform the function. If the resource rule allows
access to the resource associated with the function, the user is
allowed to perform the function even though they do not have UID(0).
The following example shows a rule that allows USERA to read all HFS
files, change the ownership of any file, and see all processes using
the ps command:
ACF75052 RESOURCE RULE SUPERUSER STORED BY USER01 ON 05/04/99 - 12:26
FILESYS UID(usera) SERVICE(READ) ALLOW
FILESYS.CHOWN UID(usera) ALLOW
PROCESS.GETPSENT UID(usera) ALLOW
ACF75051 TOTAL RECORD LENGTH = 268 BYTES, 6 PERCENT UTILIZED
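The following is an added example, not taken from this article or from the CA ACF2 documentation, showing how the two controls above fit together in rule text: the BPX resource rule restricts su to one logonid, and the SUPERUSER resource rule in the UNIXPRIV class grants another logonid only the individual functions it needs instead of UID(0). It assumes the default CLASMAP type codes FAC (FACILITY) and UNI (UNIXPRIV); the UID strings SYSPROG1 and USERA are placeholders to be replaced with the site's own UID masks.

```text
* Added example; not from the article or the CA ACF2 documentation.
* Assumptions: default CLASMAP type codes FAC and UNI; SYSPROG1 and
* USERA are placeholder UID strings, not real site values.
*
* 1. BPX.SUPERUSER in the FACILITY class: only SYSPROG1 may use su
*    to switch to superuser. No other entry is coded, so every other
*    logonid is denied (no matching entry means the request fails).
$KEY(BPX) TYPE(FAC)
SUPERUSER UID(SYSPROG1) ALLOW
*
* 2. Superuser granularity in the UNIXPRIV class: USERA keeps a
*    non-zero UID and is allowed only to read any HFS file, change
*    file ownership, and see all processes with the ps command.
*    Any other superuser function attempted by USERA is denied.
$KEY(SUPERUSER) TYPE(UNI)
FILESYS UID(USERA) SERVICE(READ) ALLOW
FILESYS.CHOWN UID(USERA) ALLOW
PROCESS.GETPSENT UID(USERA) ALLOW
```

After storing the rules, rebuild the resident directories for both resource types so the changes take effect, and periodically list the BPX rule to confirm the set of UIDs allowed to use SUPERUSER is still as small as intended.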
A detailed list of UNIXPRIV resources can be found in the CA ACF2 for
z/OS Administration Guide, Chapter 23, 'Starting CA ACF2 in a z/OS UNIX
System Services Environment', section 'Controlling Superuser Functions'.