CONSOLxx provides a way to limit command authority
for MCS, HMCS and SMCS consoles. However, to control
operator logon, limit the use of specific commands to specific
MCS, HMCS and SMCS consoles, or control command use for
extended MCS consoles, your security administrator can help you plan
your console security. When you use RACF®,
you need to educate operators about the security policy at the installation
and the changes to their jobs that the security policy requires.

An installation can audit the use of commands and limit the use
of commands by operator as well as by console:
- Based on the identity of the issuer of the command — who issued
the command. Using this method, the installation can verify that
the operator who issues a command is authorized to do so and optionally
produce audit records that log command activity. The installation
can control who can issue what commands at several different levels.
For example, all operators might be allowed to issue all commands,
some operators might be allowed to enter only a subset of the allowable
commands, or some commands might be restricted to just one or two
individual operators.
- Based on the MCS console device number or the console name used
to enter the command — where the command was issued. Using this method,
the installation can verify that the command has been issued from
a console that is authorized to issue the command and optionally produce
audit records that log command activity.
- Based on both the identity of the command issuer and the console
device number or console name used to enter the command — both who
issued the command and where the command was issued. Using this method,
the installation can verify that the operator who issues a command
is authorized to do so and that the command has been issued from a
console that is authorized to issue the command. Audit records can
log command activity.

Your installation can use RACF and CONSOLxx to provide restrictions on
the use of system commands to meet the security policy at your installation.

If a console definition (through the AUTH keyword) provides adequate
control of command use, you need take no action. Simply ensure that
the LOGON parameter on the CONSOLE or DEFAULT statement in the CONSOLxx
Parmlib member is set to OPTIONAL, which is the default.
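
The following CONSOLxx fragment is an added illustration, not part of the original text, of the case where the AUTH keyword alone governs command use and LOGON is left at OPTIONAL. The device numbers and console names are hypothetical.

```text
/* CONSOLxx fragment: constructed example. Device numbers and     */
/* console names are hypothetical.                                 */

/* Operators are not required to log on (OPTIONAL is the default). */
DEFAULT  LOGON(OPTIONAL)

/* Master authority: all commands can be entered here.             */
CONSOLE  DEVNUM(0700) NAME(MSTR01) AUTH(MASTER)

/* Informational commands plus system control commands.            */
CONSOLE  DEVNUM(0701) NAME(SYSC01) AUTH(SYS)

/* Informational commands plus I/O control commands.               */
CONSOLE  DEVNUM(0702) NAME(TAPE01) AUTH(IO)

/* Informational commands only.                                    */
CONSOLE  DEVNUM(0703) NAME(HELP01) AUTH(INFO)
```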