Using RACF to control command authority and operator logon

CONSOLxx provides a way to limit command authority for MCS, HMCS and SMCS consoles. However, to control operator logon, limit the use of specific commands to specific MCS, HMCS and SMCS consoles, or control command use for extended MCS consoles, your security administrator can help you plan your console security. When you use RACF®, you need to educate operators about the security policy at the installation and the changes to their jobs that the security policy requires.

An installation can audit the use of commands and limit the use of commands by operator as well as by console:

Based on the identity of the issuer of the command — who issued the command. Using this method, the installation can verify that the operator who issues a command is authorized to do so and optionally produce audit records that log command activity. The installation can control who can issue what commands at several different levels. For example, all operators might be allowed to issue all commands, some operators might be allowed to enter only a subset of the allowable commands, or some commands might be restricted to just one or two individual operators.
Based on the MCS console device number or the console name used to enter the command — where the command was issued. Using this method, the installation can verify that the command has been issued from a console that is authorized to issue the command and optionally produce audit records that log command activity.
Based on both the identity of the command issuer and the console device number or console name used to enter the command — both who issued the command and where the command was issued. Using this method, the installation can verify that the operator who issues a command is authorized to do so and that the command has been issued from a console that is authorized to issue the command. Audit records can log command activity.

Your installation can use RACF and CONSOLxx to provide restrictions on the use of system commands to meet the security policy at your installation. If a console definition (through the AUTH keyword) provides adequate control of command use, you need take no action. Simply ensure that the LOGON parameter on the CONSOLE or DEFAULT statement in the CONSOLxx Parmlib member is set to OPTIONAL, which is the default.