If an MVS™ operator command is not RACF-protected
(for example, if the RACF® OPERCMDS class is not active,
or if no OPERCMDS profile covers the command), the authority to issue
the MVS command is granted based on the command group.
There are five command groups:
- Informational commands (INFO)
- System control commands (SYS)
- I/O control commands (IO)
- Console control commands (CONS)
- Master level authority commands (MASTER)
If RACF is used to control who can
issue commands, the RACF OPERCMDS settings override
the command group (AUTH) settings. For example, if the user has access
to the correct OPERCMDS profile, a job submitted in a class with AUTH(INFO)
will issue a MODIFY command. Similarly, if the user does not have
access to the proper OPERCMDS profile, a job submitted in an AUTH(ALL)
jobclass will be unable to issue a MODIFY command.
The commands in each group are shown in Table 1.
The command groups are ordered from the lowest to the highest JES
authority level, as described in z/OS JES2 Commands or z/OS JES3 Commands.
You can enter informational commands from any full-capability console.
However, to enter system control, I/O control, or console control
commands from a secondary console, that particular command group must
be assigned to that console. If you enter a command at a console
where it is not authorized, MVS rejects the command and sends
an error message to the issuing console.
At a master authority console,
you can enter all operator commands. Any console with AUTH(MASTER)
in the CONSOLxx parmlib member has master authority.
Using RACF, the installation can allow
the operators to log on to any MCS, HMCS or SMCS
console. IBM® recommends logon for SMCS. The operator’s RACF profile
and group authority determines what commands can be issued from the
console. For a list of MVS commands and their profile names,
see MVS commands, RACF access authorities, and resource names.
Table 1. Command groups used to
determine command authority| Command group |
Command |
Command |
|---|
| INFO |
CMDS DISPLAY
CMDS SHOW
CONTROL (See Notes)
DEVSERV
DISPLAY (See Notes)
LOG
LOGOFF
LOGON
MONITOR
|
REPLY (See Notes)
ROUTE
SEND
STOPMN
|
| SYS (system control) |
ACTIVATE
CANCEL
CHNGDUMP
DUMPDS
HALT (See Note 2)
HOLD
LIBRARY
MODE
MODIFY
PAGEADD
PAGEDEL
RELEASE
RESET
SET
|
SETAPPC
SETAUTOR
SETCEE
SETETR
SETGTZ
SETIOS
SETLOAD
SETMF
SETOMVS
SETPROG
SETRRS ARCHIVELOGGING
SETRRS CANCEL
SETRRS SHUTDOWN
SETSMF
SETSMS
SETUNI
SLIP
START
STOP
SWITCH SMF
TRACE (with CT, ST, or STATUS)
WRITELOG
|
| IO (I/O control) |
ASSIGN
MOUNT
SETHS
SWAP
UNLOAD
|
VARY {NET } (See Note 2)
{OFFLINE} (See Note 5)
{ONLINE } (See Note 5)
{PATH }
{SMS }
{name or [/]devnum}
|
| CONS (console control) |
CONTROL (See Note 3)
|
VARY CN(...)[OFFLINE|ONLINE]
(See Note 5)
VARY {TCPIP}
VARY {WLM}
VARY CN(...),STANDBY
|
| MASTER (master control) |
CMDS ABEND
CMDS DUMP
CMDS FORCE
CMDS REMOVE
CONFIG
CONTROL (See Note 3)
DUMP
FORCE
IOACTION
QUIESCE
RESET CN
SETCON
SETGRS
SETLOGR
SETLOGRC
SETSSI
SETXCF
|
TRACE (with MT)
VARY {CN(...)[,AUTH=...]}
{CN(...)[,LOGON=...]}
{CN(...)[,LU=...]}
{CONSOLE[,AUTH=...]}
{CU }
{GRS }
{HARDCPY }
{OFFLINE,FORCE }
{XCF }
|
Note: - CONS command group when message routing is specified.
- HALT NET and VARY NET are related to the Virtual Telecommunications
Access Method (VTAM®)
- CONTROL is in the INFO command group except when
- Purging the message queues of any other full-capability
MCS, HMCS or SMCS console — MASTER.
- Message routing is specified — CONS.
- Changing or displaying the status of the action message retention
facility — MASTER.
- Changing or displaying the number of allowed message buffers —
MASTER.
- Changing or displaying the status of WTO user exit IEAVMXIT —
MASTER.
- In a sysplex, changing the maximum time to wait for aggregated
command responses — MASTER.
- Increasing the number of reply IDs — MASTER.
- An operator can reply to any message that the console
is eligible to receive. Any console with master authority can reply
to any message.
- VARY CN,OFFLINE and VARY CN,ONLINE require CONS. Without
the CN keyword, VARY OFFLINE and VARY ONLINE require IO authority.
|