Your installation's security policy determines which commands you must protect. A RACF® profile for the command in the OPERCMDS class protects the command. When an operator logs on to a console and issues an MVS™ command that requires a higher authority than the console allows, RACF can check the access list of the command profile to determine if the user is authorized to issue the command.
To link the command the operator issues with the profile that protects the command, MVS provides a construct, or structure, called a resource-name for each command.
MVS.command.command-qualifier.command object
MVS.TRACE.**
MVS.TRACE.ST
MVS.TRACE.MT
MVS.TRACE.CT
MVS.TRACE.STATUS
MVS Commands, RACF Access Authorities, and Resource Names in z/OS MVS System Commands defines the MVS commands and their corresponding resource-names. It also shows the RACF access authority associated with each command. To define resource profiles for system commands, the RACF security administrator can use the resource-names exactly as shown in MVS Commands, RACF Access Authorities, and Resource Names, or replace the optional fields with asterisks or, for command-object, specific values. In the command profile, the security administrator also defines the auditing requirements and the users or groups allowed to issue the command in the profile's access list.
When an operator issues an MVS command with a RACF profile, MVS determines the resource-name that matches the command and passes that resource-name to RACF. RACF uses the resource-name to locate the profile for the command and verifies that the operator is allowed to issue the command by checking the access list in the profile. If RACF authorizes the access, MVS processes the command; if RACF denies the access, MVS rejects the command. If your installation has user-written commands that you must protect, use the CMDAUTH macro; see z/OS MVS Programming: Authorized Assembler Services Guide and z/OS MVS Programming: Authorized Assembler Services Reference ALE-DYN.
MVS.SET.**
to protect all SET commands with a single profile.