Hi Everyone,
I have read in the manual that it is best practice to limit access to the IBMUSER account once the mainframe system is operational. But in our shop, which has been in good shape for many years now, this account is permitted to many profiles, including SDSF, OPERCMDS, FACILITY, JESSPOOL, NODES and STARTED class profiles.
Is it good to remove the access from the above resource class profiles? Does it cause any risk?
Regards,
Usha
IBMUSER account
Re: IBMUSER account
IBMUSER should not be in use. It should have the attributes PROTECTED, RESTRICTED, REVOKED, and UAUDIT. It should have an OMVS segment with no UID and an empty TSO segment. It should not have attributes OPERATIONS, SPECIAL, AUDITOR, or ROAUDIT. It should only be connected to group SYS1, and the connection should have the REVOKE attribute and AUTHORITY(USE) instead of AUTHORITY(JOIN). It should not have any permissions whatsoever, not own any profiles, not be specified as the NOTIFY user on any profiles, and not be specified as the assigned user in any STARTED profile or ICHRIN03 entry. There should be no IBMUSER datasets, no IBMUSER DATASET profiles, and no IBMUSER catalog alias. Remove it from the TSO UADS dataset if it has an entry. If it currently has an OMVS UID, confirm this UID is not shared with any other users, and if it is not shared, check the entire Unix File system to find and replace any references to it (Owner, Extended ACLs, file/directory names, and HOME directory).
If IBMUSER has UAUDIT, generate SMF reports confirming it is not being used before locking it down as described above. If it does not have UAUDIT, add this attribute then wait a few months to run the SMF reports. If you have zSecure Access Monitor, use it to generate reports on its activity as further confirmation it is not being used.
Regards, Bob
Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
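An added example, not part of the thread or any poster's code: a small audit that checks the user attributes and group connections from the checklist in the reply above against LISTUSER-style output. The function name `audit_ibmuser`, the sample text, and the group `SYSPROG` are constructed for illustration; permissions, profile ownership, segments, and datasets are outside what it checks.

```python
import re

# Constructed sample laid out like RACF LISTUSER output; not from a real system.
SAMPLE_LISTUSER = """\
USER=IBMUSER  NAME=UNKNOWN  OWNER=IBMUSER   CREATED=10.001
 DEFAULT-GROUP=SYS1      PASSDATE=24.120 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL OPERATIONS
 ATTRIBUTES=UAUDIT
  GROUP=SYS1      AUTH=JOIN     CONNECT-OWNER=IBMUSER   CONNECT-DATE=10.001
    CONNECTS=    42  UACC=NONE     LAST-CONNECT=24.120/09:15:02
    CONNECT ATTRIBUTES=NONE
  GROUP=SYSPROG   AUTH=USE      CONNECT-OWNER=IBMUSER   CONNECT-DATE=12.200
    CONNECTS=    00  UACC=NONE     LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=NONE
"""

# Attribute lists taken from the checklist in the reply.
REQUIRED = {"PROTECTED", "RESTRICTED", "REVOKED", "UAUDIT"}
FORBIDDEN = {"OPERATIONS", "SPECIAL", "AUDITOR", "ROAUDIT"}

def audit_ibmuser(listuser_text):
    """Return sorted findings where the listing deviates from the checklist."""
    attrs, connects, current = set(), {}, None
    for line in listuser_text.splitlines():
        s = line.strip()
        if s.startswith("ATTRIBUTES="):
            attrs.update(s.split("=", 1)[1].split())
        elif s.startswith("GROUP="):
            m = re.match(r"GROUP=(\S+)\s+AUTH=(\S+)", s)
            if m:
                current = m.group(1)
                connects[current] = {"auth": m.group(2), "attrs": set()}
        elif s.startswith("CONNECT ATTRIBUTES=") and current:
            connects[current]["attrs"].update(s.split("=", 1)[1].split())
    findings = [f"missing attribute {a}" for a in REQUIRED - attrs]
    findings += [f"forbidden attribute {a}" for a in FORBIDDEN & attrs]
    if "SYS1" not in connects:
        findings.append("not connected to SYS1")
    for group, c in connects.items():
        if group != "SYS1":
            findings.append(f"connected to extra group {group}")
            continue
        if c["auth"] != "USE":
            findings.append(f"SYS1 connect authority is {c['auth']}, expected USE")
        if "REVOKED" not in c["attrs"]:
            findings.append("SYS1 connection is not revoked")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_ibmuser(SAMPLE_LISTUSER)))
```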