Front-end Checking

The profiles for Front-end checking are defined in the SYSAUTO general resource class and are constructed according to the following pattern:

TSO.sysplexname.systemname.CMDRCVR.SEND

The variables have the following meanings:

sysplexname: This variable denotes the name of the physical sysplex.
systemname: This variable denotes the name of the system.

You can use wildcards, when the class SYSAUTO has generics enabled. To enable generics, with RACF® you can use the following command:

SETR GENERIC(SYSAUTO)

For example, the following profile can be defined to prevent the issuing of any command from TSO or Batch on the SYS1 system. The RACF syntax would be as follows:

RDEFINE SYSAUTO TSO.*.SYS1.CMDRCVR.SEND UACC(NONE)

To allow BOB to issue commands on the SYS1 system, the following permission statement can be used:

PERMIT TSO.*.SYS1.CMDRCVR.SEND CLASS(SYSAUTO) ID(BOB) ACC(READ)

Note: Read access to such a profile enables issuing of a command on that system only, if the user also passes the back-end check and the NetView command check.

Using the TSO function INGRCRPC, you may want to distinguish command execution in USERTASK or AUTOTASK. The command execution in the user task BOB requires the following permissions:

RDEFINE SYSAUTO TSO.*.SYS1.CMDRCVR.SEND.USERTASK UACC(NONE) 
PERMIT TSO.*.SYS1.CMDRCVR.SEND.USERTASK CLASS(SYSAUTO) ID(BOB) ACC(READ)

For a detailed discussion about command execution in USERTASK and AUTOTASK, see Security Considerations in Customizing and Programming.