GID - Group Identifier
A Group Identifier (GID) in z/OS is a numeric value assigned to a **RACF group profile** that uniquely identifies a group of users for security and access control purposes, particularly within the **z/OS UNIX System Services (USS)** environment. It enables the collective management of permissions for resources, allowing all members of a group to inherit the same access rights.
Key Characteristics
- Numeric Value: A GID is a positive integer, typically ranging from 1 to 2,147,483,647 (a signed 31-bit integer), though RACF usually supports up to 9 digits.
- RACF Integration: GIDs are defined and managed within RACF group profiles using the `ADDGROUP` or `ALTGROUP` commands with the `OMVS(GID(nnnn))` parameter.
- Inheritance: Users connected to a RACF group inherit the group's GID, which becomes part of their security context (ACEE, Accessor Environment Element) when interacting with USS.
- USS Permissions: In z/OS UNIX, GIDs are crucial for defining and enforcing file and directory permissions, determining which groups can read, write, or execute specific resources.
- Primary vs. Supplementary: A user can have a primary GID (from their primary RACF group) and multiple supplementary GIDs (from other groups they are connected to), all of which contribute to their effective permissions.
- System-Wide Uniqueness: While not strictly enforced across all systems, it's best practice to ensure GIDs are unique within an enterprise for consistency, especially in shared environments like NFS.
Use Cases
- Collective File Access: Granting a team of developers read/write access to a specific set of source code files or project directories in z/OS UNIX by assigning a common GID to their group.
- Application Resource Control: Ensuring that a specific application (running under a dedicated user ID) and its associated batch jobs have appropriate permissions to its configuration files and logs in USS.
- Administrative Roles: Defining a group for system administrators (e.g., `SYSADM`) with a specific GID that grants them elevated privileges to manage system-level USS directories and utilities.
- Default Permissions: Setting a default GID for newly created files and directories by users, ensuring that new resources automatically inherit appropriate group ownership and permissions.
- Cross-Platform Integration: Facilitating interoperability with distributed UNIX/Linux systems or NFS mounts where GIDs are used to map user and group identities across platforms.
Related Concepts
GIDs are intrinsically linked with RACF, which is the security manager responsible for defining and maintaining group profiles and their associated GIDs. They work in tandem with UIDs (User Identifiers), where a UID identifies an individual user and a GID identifies a group, both being fundamental for identity and access management within z/OS UNIX System Services (USS). The user's GID information is stored in their ACEE (Accessor Environment Element), which is built by RACF during logon and used by USS to determine access rights.
Best Practices
- Structured GID Assignment: Implement a consistent numbering scheme for GIDs (e.g., specific ranges for applications, departments, or administrative roles) to simplify management and avoid conflicts.
- Principle of Least Privilege: Assign users to groups with only the necessary GIDs required for their job functions to minimize potential security exposures.
- Regular Auditing: Periodically review RACF group profiles and their associated GIDs, along with the membership of these groups, to ensure they align with current security policies and operational needs.
- Documentation: Maintain comprehensive documentation of GID assignments, their purpose, and the resources they control, especially for critical system or application groups.
- Avoid GID 0: While technically possible, avoid assigning GID 0 to standard user groups, as GID 0 typically represents the `root` group in UNIX-like systems and carries superuser privileges, which should be reserved for highly restricted administrative functions.