Who Can Run MAKEUSER?

Any user can run MAKEUSER, but only appropriately privileged users can use it to control all usercode attributes for all users. In the following discussion, the phrase “to run MAKEUSER and interrogate or modify the USERDATAFILE” refers to the capability to control all usercode attributes for all users.

If no USERDATAFILE exists on your system, any user can run the MAKEUSER utility to create the USERDATAFILE. With the single exception noted in the following text, once a USERDATAFILE exists, a user must have either USERDATA or privileged-user status to run MAKEUSER and interrogate or modify the USERDATAFILE.

When the following conditions are both met, only a user running under a usercode with the SECADMIN or USERDATA usercode attribute specified is permitted to run MAKEUSER and interrogate or modify the USERDATAFILE:

  • The system SECADMIN option is TRUE.

  • At least one usercode is specified SECADMIN in the USERDATAFILE.

The term security administrator is used in this part of the guide to refer to an individual capable of running MAKEUSER and altering or interrogating the USERDATAFILE.

Unless the file SYSTEM/MAKEUSER is a private file or has a guard file attached to it, any user, regardless of his or her status, can run SYSTEM/MAKEUSER.

However, MAKEUSER can alter or interrogate the contents of the USERDATAFILE—define a new usercode or make a usercode privileged, for example—only under the following circumstances:

  • If MAKEUSER is running as a process with USERDATA privilege or privileged status

  • When security-administrator status is enabled, if MAKEUSER is running as a process with security-administrator status

If you run MAKEUSER as a process without USERDATA privilege or privileged status (or without security-administrator status if appropriate), you can perform the following actions if the USERDATAFILE contains attribute modification privileges. The first two actions are relevant only if security-administrator status is enabled.

  • A privileged user can interrogate all user entries and view the contents of all attributes except for a password list.

  • A privileged user can alter, for any user, any attribute that has been designated as modifiable by PU.

  • A nonprivileged user can interrogate his or her own user entry, and view the contents of all attributes except for a password list.

  • A nonprivileged user can alter, in his or her own entry, any attribute that has been designated as modifiable by OWNER.

If MAKEUSER is not running as a process with the correct status, any attempt to alter or interrogate the USERDATAFILE results in a logged security violation and the termination of the MAKEUSER program.
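The access rules above, modeled as an added Python example (constructed for this page; it is not code from the guide or from MCP): it encodes the two-part SECADMIN enforcement test, the statuses that grant full control of the USERDATAFILE, and the limited PU and OWNER cases. The Process and Attribute classes, their flag names, and the "ALLOW"/"DENY" results are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    """Status of the process running MAKEUSER (constructed model, not an MCP API)."""
    usercode: str
    privileged: bool = False   # privileged usercode, or SYSTEM/MAKEUSER marked with MP
    userdata: bool = False     # USERDATA usercode attribute
    secadmin: bool = False     # SECADMIN usercode attribute

@dataclass(frozen=True)
class Attribute:
    """One usercode attribute and who the USERDATAFILE designates may modify it."""
    name: str
    modifiable_by_pu: bool = False
    modifiable_by_owner: bool = False
    password_list: bool = False

def secadmin_enforced(system_secadmin_option: bool, secadmin_usercodes: int) -> bool:
    """SECADMIN enforcement applies only when both conditions hold."""
    return system_secadmin_option and secadmin_usercodes > 0

def has_full_control(proc: Process, enforced: bool) -> bool:
    """May this process interrogate or modify every attribute of every user?"""
    if enforced:
        return proc.secadmin or proc.userdata
    return proc.userdata or proc.privileged

def decide(proc: Process, action: str, target: str, attr: Attribute, enforced: bool) -> str:
    """Return "ALLOW", or "DENY" (a logged security violation; MAKEUSER terminates)."""
    if has_full_control(proc, enforced):
        return "ALLOW"
    own_entry = proc.usercode == target
    if action == "interrogate":
        if attr.password_list:
            return "DENY"        # password lists are never viewable without full control
        # A privileged user only reaches here when SECADMIN is enforced; it may then view all entries.
        return "ALLOW" if proc.privileged or own_entry else "DENY"
    if action == "alter":
        if proc.privileged:
            return "ALLOW" if attr.modifiable_by_pu else "DENY"
        return "ALLOW" if own_entry and attr.modifiable_by_owner else "DENY"
    return "DENY"
```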

MAKEUSER runs as a privileged process in the following situations:

  • A user with a privileged usercode initiates MAKEUSER.

  • The file SYSTEM/MAKEUSER is marked as a privileged program with the MP (Mark Program) system command.

MAKEUSER runs with security-administrator status in the following situations:

  • A user with security-administrator status initiates MAKEUSER.

  • The file SYSTEM/MAKEUSER is marked with security-administrator status with the MP system command.

MAKEUSER runs with USERDATA privileges in the following situations:

  • A user with USERDATA privileges initiates MAKEUSER.

  • The file SYSTEM/MAKEUSER is marked with security-administrator status with the MP system command.

It is recommended that you not use the MP (Mark Program) system command to assign privilege to the SYSTEM/MAKEUSER file.