Administering the use of operator commands

You can control who can issue MVS™ and JES operator commands regardless of their point of entry. This includes, for example, commands issued at MCS consoles, inline within batch JCL, through SVC 34, or through extended console support.

You can use RACF® to authorize the following:

For MCS consoles, you can authorize individual commands, as well as command groups, to individual operators, groups of operators, or to the consoles.
For commands issued from NJE nodes and RJE workstations, you can authorize the node or workstation to individual commands or groups of commands.

In addition, the installation can use generic profiles to define groups of commands. If RACF is not used, the system defines the groups of commands. For more information on using MVS and JES to perform command authority checking, see one of the following documents:

For MVS system commands, see z/OS MVS Planning: Operations.
For JES2 commands, see z/OS JES2 Initialization and Tuning Guide.
For JES3 commands, see z/OS JES3 Initialization and Tuning Guide.

You can use RACF to perform authority checking for all commands. However, commands issued from locally attached JES3 consoles are checked using JES3's authority, not the operator's authority. In practice, that would probably limit you to just auditing those commands.

Authorizing the use of operator commands describes how you can use RACF to provide command authority checking. z/OS JES3 Initialization and Tuning Guide describes how to use JES to provide command authority checking.

Note: If SDSF is installed on your system, OPERCMDS profiles control which action characters and overtypeable fields users can enter on SDSF panels. For complete information on creating OPERCMDS profiles for use with SDSF, see z/OS SDSF Operation and Customization.