Automatic LOGON

To control and audit command activity by console, specify LOGON(AUTO). When LOGON(AUTO) is in effect and RACF® is active, the system automatically issues a LOGON for each MCS, HMCS, or SMCS console as the console is activated. The automatic LOGON uses the console name as the logon userid.

To ensure that the console is automatically logged on, the security administrator must define a user profile for each console by console name.

Your installation must define the name of the system console as a valid USERID to RACF. IBM® recommends that if you plan to use LOGON(AUTO) for your installation, you define the system console in CONSOLxx and do not use the system default name as the name of the system console.

To define access requirements for the console, the security administrator defines a resource profile for the console in the RACF CONSOLE class. The CONSOLE class must be active when console resource profiles are used.
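The prerequisites above can be checked before LOGON(AUTO) is turned on. The following Python sketch is an added example, not IBM code: it reads a constructed CONSOLxx member and reports consoles that lack a RACF user profile or a CONSOLE class profile. The sample member, the function names, and the sets of userids and profiles passed in are assumptions, and the parser handles only the simple KEYWORD(value) form.

```python
import re

# Constructed CONSOLxx member (sample input, not taken from the page).
SAMPLE_CONSOLXX = """\
DEFAULT LOGON(AUTO)              /* automatic LOGON for all consoles */
CONSOLE DEVNUM(SYSCONS)          /* system console, no NAME given    */
CONSOLE DEVNUM(0700) NAME(CON1)
        AUTH(MASTER)
CONSOLE DEVNUM(0701) NAME(CON2) AUTH(INFO)
"""

STATEMENT = re.compile(r"^[ \t]*(INIT|DEFAULT|HARDCOPY|CONSOLE)\b", re.M)

def parse_consolxx(text):
    """Split a member into (statement, {KEYWORD: value}) pairs."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # drop comments
    starts = [m.start() for m in STATEMENT.finditer(text)] + [len(text)]
    stmts = []
    for begin, end in zip(starts, starts[1:]):
        body = text[begin:end]  # statement plus its continuation lines
        stmts.append((body.split()[0],
                      dict(re.findall(r"(\w+)\(([^)]*)\)", body))))
    return stmts

def audit(text, racf_users, console_profiles, console_class_active):
    """Return findings against the prerequisites for automatic LOGON.

    racf_users and console_profiles are sets of names supplied by the
    caller (assumed to be exported from RACF by other means).
    """
    stmts = parse_consolxx(text)
    findings = []
    if not any(k == "DEFAULT" and kw.get("LOGON") == "AUTO" for k, kw in stmts):
        findings.append("DEFAULT LOGON(AUTO) is not specified")
    consoles = [kw for k, kw in stmts if k == "CONSOLE"]
    if not any(kw.get("DEVNUM") == "SYSCONS" and "NAME" in kw for kw in consoles):
        findings.append("system console is not named in CONSOLxx")
    for kw in consoles:
        name = kw.get("NAME")
        if name and name not in racf_users:
            findings.append(f"{name}: no RACF user profile for the console name")
        if name and name not in console_profiles:
            findings.append(f"{name}: no resource profile in the CONSOLE class")
    if console_profiles and not console_class_active:
        findings.append("CONSOLE profiles exist but the CONSOLE class is not active")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONSOLXX, {"CON1"}, {"CON1", "CON2"}, False):
        print(line)
```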

When automatic LOGON is in effect, operators can log on to the system but are not required to do so. The system issues an automatic LOGON for the console whenever RACF is active and the following conditions occur:

Once the console is logged on, operators can use it to issue commands at the level defined for the userid. This could be the level defined in the OPERCMDS class for the userid or, if no OPERCMDS definition matches the command, the authority of the console (originally defined in CONSOLxx). If you have consoles, perhaps those not in secure areas, for which you want to require LOGONs, LOGON(AUTO) and RACF profiles allow you to control operator logon. If an operator wishes to issue a command that requires a higher level of authorization, and the operator (through RACF checking of OPERCMDS profiles) has the required level of authorization, the operator must log on to the console to be able to issue the command successfully. The operator authority (defined in the OPERCMDS class) then replaces the console authority. When the operator logs off, the system automatically issues the LOGON for the console name, thus reverting to the original console authority.

When using LOGON(AUTO), you should ensure that at least one operator is logged on with master authority to be able to communicate with the system.

Synchronous WTORs can be displayed on LOGON(AUTO) consoles only after the consoles have been logged on.