IronSphere Agent: Why is UID(0) needed?
IronSphere checks run as Rexx execs under the control of System Rexx. System Rexx execs run with the identity of the entity that starts them; in this case, that is the Health Checker.
IBM requires the Health Checker user ID (ACID in Top Secret terms, or LID in ACF2) either to have UID(0) or to be defined as a superuser (i.e., to be able to use SU to switch identity to root). At startup, if the user ID associated with the Health Checker is defined as root (UID(0)), the Health Checker will switch to root immediately.
IronSphere runs as a z/OS task and uses UNIX System Services (USS) at the command level. It cannot switch to root at the beginning of the task, because it is not running under UNIX most of the time.
Below are the instructions titled "Setting up security for the IBM Health Checker for z/OS started task" from the z/OS 2.2 version of the "IBM Health Checker for z/OS User's Guide" manual:
You must set up security for IBM Health Checker for z/OS the same way you would for any other started task. To do this task with RACF®, do the following steps:
- Create a user ID for IBM Health Checker for z/OS and connect the superuser user ID to a group. Define the user ID with:
  - Superuser authority using either:
  - A home directory of HOME('/')
  - A program of PROGRAM('/bin/sh')