By default, TSO/E users can log on to any system in a sysplex with
a shared RACF® database. To
limit user's access to specific systems, follow these steps:
- Activate the APPL class in RACF and
define profiles for each of your systems or groups of systems.
- Change the VERIFYAPPL parameter on the LOGON statement in the
SYS1.PARMLIB member IKJTSOxx from the default of VERIFYAPPL(OFF) to
VERIFYAPPL(ON).
- Use the MVS™ SET IKJTSO=xx
or TSO/E PARMLIB UPDATE(xx) command to update the system settings.
This tells TSO/E logon processing to pass an APPL to the RACROUTE
VERIFY request for user authorization. For more information about
the VERIFYAPPL parameter, see .
TSO/E determines the APPL using the following method. To use this
support, these profiles must be defined in RACF.
- If VTAM® generic resources
are used for TSO/E, define the application name using the TCASGNAM
defined in the TSOKEYxx, SYS1.PARMLIB member.
- If VTAM generic resources
are not used, define the application name using the format TSOxxxx,
where xxxx is the SID (or SMF system ID) defined in the SMFPRMxx member
of SYS1.PARMLIB. For example, if the SID is 3390, type TSO3390 in
the profile. For more information, see .