You can use RACF® to protect
certain TSO resources. These resources
include TSO logon procedures, account numbers, and performance groups.
In addition, you can protect resources called TSO user authorities,
whose settings determine whether a user can issue certain authorized
TSO commands. Examples of TSO user authorities include ACCT, JCL,
MOUNT, OPER, RECOVER, PARMLIB, TESTAUTH, and CONSOLE. For detailed
information about the TSO resources you can protect with RACF, see z/OS TSO/E Customization.
If you are defining TSO segments in user profiles, you
must protect these TSO resources, using the following general resource
classes:
- TSOPROC (for protecting TSO logon procedures)
- ACCTNUM (for protecting TSO account numbers)
- PERFGRP (for protecting TSO performance groups)
- TSOAUTH (for protecting TSO user authorities)
The following access authorities apply to these resources:
- NONE
  No access allowed.
- READ
  For TSOPROC, ACCTNUM, and PERFGRP, allows users to specify the
  logon procedure, account number, or performance group when logging
  on.
  For TSOAUTH, gives the user the authority to issue the associated
  authorized TSO command.
  For PARMLIB, allows the user to issue the PARMLIB LIST command.
  For TESTAUTH, allows the user to invoke a program in authorized state.
- UPDATE
  For PARMLIB, allows the user to issue the PARMLIB UPDATE command.
  For the other profiles, UPDATE is the same as READ.
- CONTROL
  Same as READ.
- ALTER
  Allows users to change the profile, if the profile is discrete.
To control the use of TSO resources, issue RACF commands in the following sequence:

1. Activate the TSO general resource classes:

   SETROPTS CLASSACT(TSOPROC ACCTNUM PERFGRP TSOAUTH)

   Considerations when activating the TSO resource classes: Assume that you have defined a user profile
   for user SMITH that contains a TSO segment.
   - If you do not activate the TSOPROC and ACCTNUM classes, user SMITH
     cannot log on to TSO because RACF cannot
     check SMITH's authority to use the logon procedure and account number
     specified on the logon panel. TSOPROC and ACCTNUM must be active
     so that users whose profiles contain TSO segments can log on to TSO.
   - If you do not activate the PERFGRP class and user SMITH specifies
     a performance group on the logon panel, SMITH cannot log on to TSO
     because RACF cannot check SMITH's
     authority to access the specified performance group. However, SMITH
     can log on to TSO when the performance group is deleted from the logon
     panel. Activate the PERFGRP class if your installation intends to
     use TSO performance groups.
   - If you do not activate the TSOAUTH class, user SMITH can log on
     to TSO but will not have any assigned TSO user authorities such as
     JCL or MOUNT. Activate the TSOAUTH class and give SMITH READ access
     authority to the appropriate resources in the TSOAUTH class if your
     installation is specifying user authorities when defining users to
     the system.
2. Create profiles to protect TSO resources. The following example
   shows how to define logon procedure LOGPROC1 to the TSOPROC resource
   class and assign it a UACC of READ. (A UACC of READ grants all users
   the ability to use the logon procedure.)

   RDEFINE TSOPROC LOGPROC1 UACC(READ)

   To protect a TSO resource so that a limited number of users can access
   it, you can define it and specify a UACC of NONE. Then you can create
   an access list containing only those users who require access to the
   resource. The following example shows how to define a logon procedure,
   LOGPROC2, in the TSOPROC resource class and protect it with a UACC
   of NONE.

   RDEFINE TSOPROC LOGPROC2 UACC(NONE)

   Considerations for creating profiles for TSO resources:

3. Use the PERMIT command to allow users and groups to use the TSO
   resources. The following example shows how to allow users USERA and
   USERB to specify logon procedure LOGPROC2 when they log on using TSO:

   PERMIT LOGPROC2 CLASS(TSOPROC) ID(USERA USERB) ACCESS(READ)
4. Activate SETROPTS RACLIST processing for
   the TSO general resource classes:

   SETROPTS RACLIST(TSOPROC ACCTNUM PERFGRP TSOAUTH)

   For more information on SETROPTS RACLIST processing, see SETROPTS options to activate in-storage profile processing.

   Note: If SETROPTS RACLIST processing
   is already activated for the TSO general resource classes, you must
   refresh SETROPTS RACLIST processing:

   SETROPTS RACLIST(TSOPROC ACCTNUM PERFGRP TSOAUTH) REFRESH

   For more information on refreshing SETROPTS RACLIST processing, see Refreshing profiles for SETROPTS RACLIST processing.
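The whole sequence above, applied to the SMITH scenario from this page and run as a TSO batch job (IKJEFT01) so that each command's response is kept in SYSTSPRT; this is an added example, not from the IBM documentation. The job card, account number ACCT01, performance group 5, and the choice of JCL and MOUNT as SMITH's user authorities are assumed values; LOGPROC2 is the logon procedure defined in the text.

```jcl
//RACFTSO  JOB (JOBACCT),'PROTECT TSO RESOURCES',CLASS=A,MSGCLASS=X
//*
//* Added example (assumed names): user SMITH, logon procedure
//* LOGPROC2, account number ACCT01, performance group 5, and the
//* TSOAUTH resources JCL and MOUNT.
//*
//* Every resource is defined with UACC(NONE), so nobody can log on
//* with that procedure, account number or performance group, or use
//* those authorities, until PERMIT adds them to the access list.
//* READ is the access level that allows all four uses (see the
//* access authority table above).
//*
//* ALTUSER fills in SMITH's TSO segment so the logon panel is
//* prefilled with the same values that SMITH is now permitted to use.
//*
//* SETROPTS RACLIST activates in-storage profiles on first use; the
//* REFRESH line is what takes effect if the classes were already
//* RACLISTed. The RLIST commands at the end print the access lists
//* so the result can be checked in SYSTSPRT.
//*
//PROTECT  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(TSOPROC ACCTNUM PERFGRP TSOAUTH)
  RDEFINE TSOPROC LOGPROC2 UACC(NONE)
  RDEFINE ACCTNUM ACCT01   UACC(NONE)
  RDEFINE PERFGRP 5        UACC(NONE)
  RDEFINE TSOAUTH JCL      UACC(NONE)
  RDEFINE TSOAUTH MOUNT    UACC(NONE)
  PERMIT LOGPROC2 CLASS(TSOPROC) ID(SMITH) ACCESS(READ)
  PERMIT ACCT01   CLASS(ACCTNUM) ID(SMITH) ACCESS(READ)
  PERMIT 5        CLASS(PERFGRP) ID(SMITH) ACCESS(READ)
  PERMIT JCL      CLASS(TSOAUTH) ID(SMITH) ACCESS(READ)
  PERMIT MOUNT    CLASS(TSOAUTH) ID(SMITH) ACCESS(READ)
  ALTUSER SMITH TSO(PROC(LOGPROC2) ACCTNUM(ACCT01))
  SETROPTS RACLIST(TSOPROC ACCTNUM PERFGRP TSOAUTH)
  SETROPTS RACLIST(TSOPROC ACCTNUM PERFGRP TSOAUTH) REFRESH
  RLIST TSOPROC LOGPROC2 AUTHUSER
  RLIST ACCTNUM ACCT01 AUTHUSER
  RLIST PERFGRP 5 AUTHUSER
  RLIST TSOAUTH (JCL MOUNT) AUTHUSER
/*
```

The submitting user needs the RACF authority to issue SETROPTS, RDEFINE, PERMIT and ALTUSER (typically the SPECIAL attribute); a second user who is not on these access lists will be rejected at the logon panel when specifying LOGPROC2 or ACCT01, which is the quickest check that UACC(NONE) is doing its job.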