Defining RACF profiles

To determine whether a particular user (an operator) is allowed to access a particular resource (a command or a console), security profiles are used. The security administrator can define a security profile for:

SMCS supports protecting the SMCS application through the APPL class of a security product. Access is granted if the user is defined and authorized by the security product and either the APPL class is not active, or the APPL class is active but no profile matches the SMCS APPLID. If the APPL class is active and a profile matching the SMCS APPLID exists, the name the user is logging on with must be defined in the profile's access list with at least READ authority for access to be granted. If the console has been defined with LOGON(AUTO), the console name must be in the access list.

Using RACF® to authorize commands means that each operator requires an individual user profile. (TSO/E users of extended MCS consoles should already have a security profile so that they can log on to TSO.) This user profile establishes the userid of the individual operator, and the userid identifies the operator when the operator logs on to the system. You can define the operator's or TSO/E user's authority to access resources by userid, but you can also establish access authority through a security group. For example, if you have several operators or TSO/E users with identical access requirements, you can have the security administrator create a security group and define the access for the individual operators or TSO/E users through the group. For more information about using RACF, see Defining users with RACF.

If you want an MCS console to be automatically logged on when you specify LOGON(AUTO), you must ensure that each console has a user profile established for it. Your security administrator can define a user profile by console name. When LOGON(AUTO) is in effect, the console is automatically logged on when it is activated. For more information, see Automatic LOGON.
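The APPL class rule for SMCS, the group-based access, and the LOGON(AUTO) console profile described above can be set up with RACF commands along these lines. This is an added example, not part of the original documentation: SMCSAPPL (the SMCS APPLID), OPERGRP, OPER1 and CON01 are placeholder names, and the user profiles and the group are assumed to exist already.

```text
/* Added example. SMCSAPPL, OPERGRP, OPER1 and CON01 are placeholders. */
/* Assumes the user profiles and the group are already defined.        */

/* Put the operator in the group that will carry the access.           */
CONNECT OPER1 GROUP(OPERGRP)

/* Profile matching the SMCS APPLID, with no default access.           */
RDEFINE APPL SMCSAPPL UACC(NONE)

/* Operators log on by userid: grant READ through the group.           */
PERMIT SMCSAPPL CLASS(APPL) ID(OPERGRP) ACCESS(READ)

/* LOGON(AUTO) console: the console name itself needs READ.            */
PERMIT SMCSAPPL CLASS(APPL) ID(CON01) ACCESS(READ)

/* Activate the class after the access list has been populated.        */
SETROPTS CLASSACT(APPL)

/* If the APPL class is RACLISTed, refresh the in-storage profiles.    */
SETROPTS RACLIST(APPL) REFRESH

/* Review the resulting access list.                                   */
RLIST APPL SMCSAPPL AUTHUSER
```

Until the class is active and a matching profile exists, the rule above grants access to any user the security product has defined and authorized, so confirm both with the RLIST output before relying on the restriction.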

Resources, such as commands, MCS or SMCS consoles, and TSO terminals, also require security profiles. These profiles establish the access requirements for the resource (such as who can issue the command or use the console or terminal) and the level of security auditing your installation requires. For example, you might need to audit all uses of commands or want to audit only unauthorized uses of commands. For specific information about using RACF, see Defining commands with RACF and Defining consoles with RACF. For an example of defining a TSO/E terminal as a resource, see Controlling extended MCS consoles using RACF.

You need to work with the security administrator to set up the security profiles and options to implement your installation's security goals. z/OS Security Server RACF Security Administrator's Guide includes RACF-related information about securing access to system commands and consoles.