Using RACF to protect physical terminals
RACF® offers a terminal-user security function that ranges from no security for a particular terminal to permitting a certain predefined list of users access through a physical control point. A terminal-user profile can be created for every PTERM in the IMS.
The following table is an example of a terminal-user profile.
User | Physical terminal | | | | |
---|---|---|---|---|---|
| | PTERMA | PTERMB | PTERMC | LTERMD | LTERME |
USER 1 | X | X | |||
USER 2 | X | X | |||
USER 3 | X | X | |||
USER 4 | X | ||||
USER 5 | X | X |
Users defined through ETO can use signon verification to gain access to IMS transactions or commands. Dynamic terminal security must be defined through a security product such as RACF or through exit routines.
Signon password with RACF
If RACF is used to implement signon verification security for a terminal, the password is checked when the /SIGN command is entered, by either the Signon Verification exit routine or by RACF. The user ID entered with the /SIGN ON command must be accompanied by a user password and, optionally, by other signon data. If the RACF reverification option has been specified, the password is saved so that it can be compared with the password reentered with the transaction code.
Signon passphrase with RACF
If RACF is used to implement signon verification security for a terminal, the passphrase is checked when the /SIGN command is entered, by either the Signon Verification exit routine or by RACF. The user ID entered with the /SIGN PASSPHRASE or /SIGN PASSPHRASEQ command must be accompanied by a user passphrase and, optionally, by other signon data. The RACF reverification option is not supported with passphrases.
RACF password protection
RACF passwords are defined and maintained by the user. After the RACF resource class is initialized with a password, the user can change its value. If signon verification is provided by an exit routine and not by RACF, the table of user IDs and passwords must be changed by another bind into the IMS nucleus. However, for ETO signon verification, the table of user IDs and passwords does not need to be changed by another bind into the IMS nucleus. If the table is loaded by exit routine DFSINTX0 or if it is part of exit routine DFSSGNX0, IMS does not need to be restarted in order to have the table refreshed.