Limiting specific groups of users to specific terminals
z/OS Security Server RACF Security Administrator's Guide SA23-2289-00
When defining or changing a group profile, you can specify that the group can log on only to those terminals to which the group (or individual users within the group) are specifically authorized. If the group terminal option NOTERMUACC is in effect (note that TERMUACC is the default) for a group on the ADDGROUP or ALTGROUP command, users of the group can use only those terminals to which they are specifically authorized on the access list in the TERMINAL profile protecting the terminal.

For example, if you want to allow group PAYROLL to log on only to terminals in the payroll office, protect the payroll terminals with a profile:
Give the PAYROLL group READ access:
Ensure that the PAYROLL group profile has NOTERMUACC specified:
This prevents users in group PAYROLL from logging on to another terminal just because the profile protecting that terminal has a UACC of READ.

Note: If the list-of-groups option (SETROPTS GRPLIST) is in effect, RACF® uses the TERMUACC/NOTERMUACC option from the user's current connect group, but RACF can grant terminal access through any of the user's connect groups.
Tip: When a user is connected to multiple groups and the application he uses to log on allows him to specify a group name in addition to a user ID, define NOTERMUACC on each of his group connections to ensure that the user can log on only to terminals that he or one of his connect groups is explicitly authorized to access.
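The following added example (not part of the IBM documentation, and not RACF code) is a simplified Python model of the check described in the note and tip above, used to find connect groups that still let a user reach a terminal through UACC alone. It covers only terminals protected by a TERMINAL profile; the terminal names, the user ID JSMITH and the group STAFF are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class TerminalProfile:
    uacc: str = "NONE"                               # "NONE" or "READ"
    access_list: dict = field(default_factory=dict)  # user or group ID -> access

def can_logon(user, current_group, connect_groups, termuacc, profile, grplist=True):
    """Simplified model of the terminal check for a protected terminal."""
    # A user entry on the access list is explicit authorization (or denial).
    if user in profile.access_list:
        return profile.access_list[user] == "READ"
    # With SETROPTS GRPLIST any connect group can grant access;
    # without it only the current connect group is checked.
    groups = connect_groups if grplist else [current_group]
    entries = [profile.access_list[g] for g in groups if g in profile.access_list]
    if entries:
        return "READ" in entries
    # No entry applies: UACC counts only if the *current* connect group
    # has TERMUACC (the default).
    return termuacc[current_group] and profile.uacc == "READ"

def uacc_only_logons(user, connect_groups, termuacc, terminals, grplist=True):
    """List (current_group, terminal) pairs where logon succeeds only via UACC."""
    findings = []
    for group in connect_groups:
        for name, profile in terminals.items():
            allowed = can_logon(user, group, connect_groups, termuacc, profile, grplist)
            strict = dict(termuacc, **{group: False})   # same group, NOTERMUACC
            explicit = can_logon(user, group, connect_groups, strict, profile, grplist)
            if allowed and not explicit:
                findings.append((group, name))
    return findings

# Constructed sample data: terminal names and the STAFF group are hypothetical.
TERMINALS = {
    "PAYT0001": TerminalProfile(uacc="NONE", access_list={"PAYROLL": "READ"}),
    "LOBBY001": TerminalProfile(uacc="READ"),
}
CONNECT_GROUPS = ["PAYROLL", "STAFF"]
TERMUACC = {"PAYROLL": False, "STAFF": True}   # False means NOTERMUACC

if __name__ == "__main__":
    for group, term in uacc_only_logons("JSMITH", CONNECT_GROUPS, TERMUACC, TERMINALS):
        print(f"{term}: reachable through UACC when logging on with group {group}")
```

With the sample data, the only finding is LOBBY001 when JSMITH logs on with STAFF as the current connect group; setting NOTERMUACC on STAFF as well empties the list.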
Copyright IBM Corporation 1990, 2014