Security summary
The security barriers that a user must negotiate in a terminal server environment include barriers on the terminal server, the z/VM® system, and the target system.
Figure 1 provides an overview.

For example, a ts-shell user first must log in to the terminal server and pass an SSH authentication. A connection request to an iucvtty instance is granted only if all the following apply:
- The user is authorized to connect to the target system.
- ts-shell is authorized to connect to the target system.
- The z/VM IUCV authorizations of the terminal server and the target system allow the IUCV connection between the two z/VM guest virtual machines.
- The iucvtty instance permits connections from the terminal server.

After the connection is established, the user is prompted to log in and authenticate at the target system.

For connecting to an HVC terminal device, the only difference is that there are no individual permissions. All HVC terminal devices use the same z/VM user ID filter to accept or reject a connection request.

For iucvconn_on_login users, the only security check on the terminal server is the authentication when a user logs in. The IUCV authorization and the checks on the target system are the same as for ts-shell users.
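
The following added example (not part of the original documentation or of the s390-tools code) models the connection-request checks described above as a small policy evaluator that reports which barrier rejects a request. The `Policy` fields, guest names, user names, and terminal IDs are assumptions made for illustration, and the model fails closed when a filter entry is missing.

```python
import re
from dataclasses import dataclass

@dataclass
class Policy:
    user_targets: dict     # terminal server: user -> regex of target systems
    tsshell_targets: set   # terminal server: systems ts-shell may connect to
    iucv_allowed: set      # z/VM: permitted (source guest, target guest) pairs
    iucvtty_filter: dict   # target: (system, terminal ID) -> regex of z/VM user IDs
    hvc_filter: dict       # target: system -> one ID set shared by all HVC devices

def _match(pattern, value):
    # A missing entry denies; failing closed is a choice of this model.
    return pattern is not None and re.fullmatch(pattern, value) is not None

def first_denial(p, ts_guest, user, target, terminal=None, entry="ts-shell"):
    """Return the first barrier that rejects the request, or None if granted.

    terminal=None means an HVC terminal device; otherwise it names an
    iucvtty instance. Login and authentication steps are not modeled.
    """
    checks = []
    if entry == "ts-shell":  # iucvconn_on_login users skip these two checks
        checks += [
            ("user authorization", _match(p.user_targets.get(user), target)),
            ("ts-shell authorization", target in p.tsshell_targets),
        ]
    checks.append(("z/VM IUCV authorization", (ts_guest, target) in p.iucv_allowed))
    if terminal is None:
        allowed = p.hvc_filter.get(target, set())
        checks.append(("HVC z/VM user ID filter", ts_guest in allowed))
    else:
        pattern = p.iucvtty_filter.get((target, terminal))
        checks.append(("iucvtty filter", _match(pattern, ts_guest)))
    return next((name for name, ok in checks if not ok), None)

# Constructed sample policy; none of these names come from a real system.
SAMPLE = Policy(
    user_targets={"alice": r"LNX0[12]"},
    tsshell_targets={"LNX01", "LNX02", "LNX03"},
    iucv_allowed={("TSERV", "LNX01"), ("TSERV", "LNX02")},
    iucvtty_filter={("LNX01", "lnxterm0"): r"TSERV"},
    hvc_filter={"LNX02": {"TSERV"}},
)

if __name__ == "__main__":
    for user, target, term in [("alice", "LNX01", "lnxterm0"), ("bob", "LNX01", "lnxterm0"),
                               ("alice", "LNX02", "lnxterm0"), ("alice", "LNX02", None)]:
        print(user, target, term or "HVC", "->", first_denial(SAMPLE, "TSERV", user, target, term) or "granted")
```

Reporting the first failing barrier shows which layer (terminal server, z/VM, or target system) has to change when a legitimate connection is refused, and which layers still stand when one is misconfigured.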