Conditional access processing

Using RACF®, you can permit a user to access resources when that user is signed on a particular terminal or console, but not otherwise. Access that is restricted in this way is known as conditional access.

To grant conditional access to a resource, add
WHEN(TERMINAL(netname))
or
WHEN(CONSOLE(console-name))
to the PERMIT command.
The following commands allow members of the PAYROLL group to read the SALARY file wherever they are signed on, but to update it only from the terminal with netname PAY001:
RDEFINE FCICSFCT SALARY UACC(NONE)
PERMIT SALARY CLASS(FCICSFCT) ID(PAYROLL) ACCESS(READ)
PERMIT SALARY CLASS(FCICSFCT) ID(PAYROLL) WHEN(TERMINAL(PAY001)) ACCESS(UPDATE)
To allow members of the operations group OPS to use the CEMT transaction only from the console named MVS1MAST, issue the following commands:
RDEFINE TCICSTRN CEMT UACC(NONE)
PERMIT CEMT CLASS(TCICSTRN) ID(OPS) WHEN(CONSOLE(MVS1MAST)) AC(READ)
Note:
  1. The CONSOLE class must be active before CONSOLE conditional access lists can be used.
  2. Conditional access lists may only increase authority and not decrease it.

    For other considerations on conditional access lists, see the z/OS Security Server RACF Security Administrator's Guide.
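
The following Python sketch is an added example, not IBM code and not part of RACF. It models how the standard and conditional access lists from the commands above combine, including the rule that a conditional entry can only raise authority. It assumes group entries only, UACC(NONE), and operands in the order shown on this page; parse_permits, effective_access and the AUDIT/AUD001 entries are hypothetical, and RACF's full authorization checking is not reproduced.

```python
import re

# RACF access authorities, lowest to highest.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Assumes operands in the order used on this page; AC( is accepted for ACCESS(.
PERMIT_RE = re.compile(
    r"PERMIT\s+(?P<profile>\S+)\s+CLASS\((?P<cls>\w+)\)\s+ID\((?P<id>\w+)\)"
    r"(?:\s+WHEN\((?P<kind>TERMINAL|CONSOLE)\((?P<where>\w+)\)\))?"
    r"\s+AC(?:CESS)?\((?P<access>\w+)\)"
)

# The page's PERMIT commands plus two constructed AUDIT entries (hypothetical
# group and terminal) whose conditional entry is lower than the standard one.
SAMPLE = """
PERMIT SALARY CLASS(FCICSFCT) ID(PAYROLL) ACCESS(READ)
PERMIT SALARY CLASS(FCICSFCT) ID(PAYROLL) WHEN(TERMINAL(PAY001)) ACCESS(UPDATE)
PERMIT CEMT CLASS(TCICSTRN) ID(OPS) WHEN(CONSOLE(MVS1MAST)) AC(READ)
PERMIT SALARY CLASS(FCICSFCT) ID(AUDIT) ACCESS(UPDATE)
PERMIT SALARY CLASS(FCICSFCT) ID(AUDIT) WHEN(TERMINAL(AUD001)) ACCESS(READ)
"""

def parse_permits(text):
    """Split PERMIT commands into standard and conditional access lists."""
    standard, conditional = {}, {}
    for m in PERMIT_RE.finditer(text):
        key = (m["cls"], m["profile"], m["id"])
        if m["kind"]:
            conditional[key + (m["kind"], m["where"])] = m["access"]
        else:
            standard[key] = m["access"]
    return standard, conditional

def effective_access(lists, cls, profile, group, terminal=None, console=None):
    """Return the higher of the standard entry and any matching conditional entry."""
    standard, conditional = lists
    best = standard.get((cls, profile, group), "NONE")  # UACC(NONE) assumed
    for kind, where in (("TERMINAL", terminal), ("CONSOLE", console)):
        cond = conditional.get((cls, profile, group, kind, where))
        # A conditional entry is used only when it grants more than 'best'.
        if cond and LEVELS.index(cond) > LEVELS.index(best):
            best = cond
    return best

if __name__ == "__main__":
    lists = parse_permits(SAMPLE)
    print(effective_access(lists, "FCICSFCT", "SALARY", "PAYROLL"))
    print(effective_access(lists, "FCICSFCT", "SALARY", "PAYROLL", terminal="PAY001"))
    print(effective_access(lists, "FCICSFCT", "SALARY", "AUDIT", terminal="AUD001"))
```

The AUDIT entries show why a WHEN(TERMINAL(...)) entry with a lower authority does not restrict a group: the standard UPDATE entry still applies at every terminal.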