When you define a new TSO user or change
TSO attributes for an existing user, you can specify the following
information in the TSO segment of a user's profile:
- ACCTNUM: User's default account number
- COMMAND: Command to be run during TSO/E logon
- JOBCLASS: Default value for the user's job class
- MSGCLASS: Default value for the user's message class
- HOLDCLASS: Default value for the user's hold class
- SYSOUTCLASS: Destination ID for the user's SYSOUT data sets
- PROC: User's default logon procedure
- MAXSIZE: User's maximum region size
- SIZE: User's default region size
- SECLABEL: Security label specified when the user previously logged on to TSO
- UNIT: Default device used for allocations
- USERDATA: Optional user data
If a user logs on to TSO and you have defined
a TSO segment in the user's profile, TSO checks the user's authority
to use certain TSO resources such as account numbers and logon procedures.
If the user is authorized to use a resource such as an account number,
TSO continues building a session for the user. Otherwise, TSO prompts
the user for a valid account number.
If a user logs on to TSO and you have not defined a TSO segment
for that user, TSO checks the SYS1.UADS data set for the information
it needs to build a session. If TSO does not find an entry for the
user in SYS1.UADS, the user is denied access to the system.
You can move TSO user attribute information from
SYS1.UADS to the RACF® database.
(SYS1.UADS contains an entry for each TSO user that describes the
attributes that regulate the user's access to the system.) When you
move this TSO information into the RACF database,
it is stored in the TSO segment of the user's profile. When a user
logs on to TSO, it uses the information contained in the TSO segment
to build a session for the user.
Moving the TSO user information to the RACF database eliminates the
need to maintain an entry in SYS1.UADS for each TSO user. However, you
must maintain entries in SYS1.UADS for certain users, such
as IBMUSER and system programmers. For example, if you need to deactivate RACF to perform maintenance on
the RACF database, users authorized
to perform this maintenance must be able to log on to the system.
When RACF is inactive, TSO
checks entries in SYS1.UADS to authorize access to the system.
Note:
- You can use the RACONVRT EXEC to help convert SYS1.UADS entries to RACF user profiles. See z/OS TSO/E Customization for
more information.
- If you are defining TSO segments in user profiles, you must activate
the following TSO general resource classes: TSOPROC and ACCTNUM. For
more information, see Protecting TSO resources.
- Guideline: Use field-level access control to protect fields
within the TSO segment of user profiles. Otherwise, any user can list
and change the information contained in this segment. For more information,
see Field-level access checking.
- A TSO user can use the TSO/E logon panel to specify or override certain
information in the TSO segment of his or her user profile. For example,
a user can change an account number, or specify an account number
if one has not been specified, using the TSO/E logon panel. RACF checks the user's authorization
to the ACCTNUM profile that protects the specified account number.
If the user is authorized to use the specified account number, TSO
stores the account number in the TSO segment of the user's profile
and uses it as a default value the next time the user logs on to TSO.
Otherwise, RACF denies access
to the account number.
If users attempt to change their user profiles
when logging on, the logon is allowed but the TSO segment is not updated
in either of the following cases:
- The RACF database is locked.
- The system is enabled for sysplex communication and RACF is in read-only mode.
See z/OS TSO/E User's Guide for
a description of the information that a user can specify on the TSO/E
logon panel.
- A TSO installation can write a TSO logon pre-prompt exit to bypass
checking SYS1.UADS for user attribute information. See z/OS TSO/E Customization for
more information.
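The attribute list above, the note on activating the TSOPROC and ACCTNUM classes, and the guideline on field-level access control, worked through as a single REXX exec that issues the RACF commands from TSO. This is an added example, not IBM's code: the user ID TSOUSR01, account number ACCT01, logon procedure IKJACCNT, administrator ID TSOADMIN and unit name SYSDA are constructed values, and the exec assumes it is run by a user with the SPECIAL attribute on a system where generic profile checking can be enabled for the FIELD class.

```rexx
/* REXX - define a TSO segment and protect the resources it names.     */
/* Added example; all user, account, procedure and unit names are      */
/* constructed and must be replaced with your installation's values.   */
address TSO

/* 1. Store the user's TSO attributes in the TSO segment of the       */
/*    user profile instead of in SYS1.UADS.                            */
"ALTUSER TSOUSR01 TSO(ACCTNUM(ACCT01) PROC(IKJACCNT) SIZE(4096)",
   "MAXSIZE(8192) UNIT(SYSDA) JOBCLASS(A) MSGCLASS(X) HOLDCLASS(H))"
if rc <> 0 then say 'ALTUSER failed, rc='rc

/* 2. TSO segments are only honoured when these two classes are active.*/
"SETROPTS CLASSACT(TSOPROC ACCTNUM)"

/* 3. Protect the account number and logon procedure named in the      */
/*    segment, then grant the user READ so logon is not prompted.       */
"RDEFINE ACCTNUM ACCT01   UACC(NONE)"
"RDEFINE TSOPROC IKJACCNT UACC(NONE)"
"PERMIT ACCT01   CLASS(ACCTNUM) ID(TSOUSR01) ACCESS(READ)"
"PERMIT IKJACCNT CLASS(TSOPROC) ID(TSOUSR01) ACCESS(READ)"

/* 4. Field-level access control: by default nobody may list or change */
/*    TSO-segment fields; users may read their own (&RACUID), and the   */
/*    TSO administrator may update them. The profile name is generic,   */
/*    so generic checking is switched on for the FIELD class first.     */
"SETROPTS GENERIC(FIELD)"
"RDEFINE FIELD USER.TSO.* UACC(NONE)"
"PERMIT USER.TSO.* CLASS(FIELD) ID(&RACUID) ACCESS(READ)"
"PERMIT USER.TSO.* CLASS(FIELD) ID(TSOADMIN) ACCESS(UPDATE)"
"SETROPTS CLASSACT(FIELD) RACLIST(FIELD)"

/* 5. Make the new FIELD profiles effective in storage.                */
"SETROPTS RACLIST(FIELD) REFRESH"

/* 6. Verify the segment (TSO data only, base RACF data suppressed).   */
"LISTUSER TSOUSR01 TSO NORACF"
exit rc
```

After step 4, a user who is not TSOADMIN and who runs LISTUSER on another user's TSO segment receives no field data, which is the behaviour the guideline asks for.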