Planning console security

Console security means controlling which commands operators can enter on their consoles to monitor and control MVS™. By defining command authorities for your consoles or controlling logon for operators, you can plan the operations security of your MVS system or sysplex. In a sysplex, because an operator on one system can enter commands that affect the processing on another system, your security measures become more complicated and you need to plan accordingly.

An operator typically logs on to a single console. However, if you want to allow an operator to log on to multiple consoles concurrently within a system or sysplex, your security administrator can enable this. When the security profile MVS.MULTIPLE.LOGON.CHECK is defined in the OPERCMDS class, an operator may log on to multiple consoles. Defining this profile allows all operators to log on multiple times. There is no limit to the number of consoles to which an operator may log on. Operators are still required to provide a password while logging on to each console.

If your installation plans to use extended MCS consoles, you should consider ways to control what an authorized TSO/E user can do during a console session. Because an extended MCS console can be associated with a TSO/E userid and not a physical console, you might want to use RACF® to limit not only the MVS commands a user can enter but also the TSO/E terminals from which the user can enter them.

You can control whether an operator can enter commands from a console:

"Controlling command authority with the AUTH attribute" describes the AUTH attribute and command groups. "Using RACF to control command authority and operator logon" describes RACF and the LOGON keyword for the DEFAULT statement. Special security considerations for SMCS consoles appear in "Providing security for SMCS consoles".