z/OS Security Server RACF Security Administrator's Guide


Conditional access lists for general resource profiles

SA23-2289-00

You can authorize users to conditionally gain access to general resources in three ways: through port-of-entry, SMF system identifier, and application-specific criteria.

  • By port of entry:

    You can require that a user or a job have entered the system from a particular device when accessing general resources.

    • You can require that a user be logged on to a particular terminal by specifying WHEN(TERMINAL(…)) on the PERMIT command.

      The TERMINAL class must be active for this support to take effect.

    • You can require that a user be logged on to a particular console by specifying WHEN(CONSOLE(…)) on the PERMIT command.

      The CONSOLE class must be active for this support to take effect.

    • You can require the batch job accessing the resource to have been submitted from a particular JES input device by specifying WHEN(JESINPUT(…)) on the PERMIT command.

      The JESINPUT class must be active for this support to take effect.

    • You can require that a user enter the system from a particular partner LU by specifying WHEN(APPCPORT(…)) on the PERMIT command.

      The APPCPORT class must be active for this support to take effect.

    • You can require that a user enter the system from an IP address contained in a particular network access security zone by specifying the name of the SERVAUTH profile protecting that network access security zone on the WHEN(SERVAUTH(…)) operand of the PERMIT command.

      The SERVAUTH class must be active for this support to take effect.

    • You can require that a user enter the system from an IP address contained in a particular network access security zone only when executing a particular program by specifying the program on the WHEN(PROGRAM) operand of the PERMIT command, and by specifying the name of the SERVAUTH profile protecting that network access security zone as the resource.

      The PROGRAM and SERVAUTH classes must be active for this support to take effect.

    Note: If an access list contains more than one condition, any of the conditions allows the specified access. For example, if you enter the PERMIT command with WHEN(CONSOLE(01) TERMINAL(20)) specified, you allow the access when either console 01 or terminal 20 is used.

    Examples:

    To ensure that an operator (or group of operators) can issue certain operator commands only when logged on at a particular console, enter:
    PERMIT profile-name CLASS(OPERCMDS) ID(user or group) ACCESS(READ)
           WHEN(CONSOLE(console-id))

  • By SMF system ID:
    • You can require a user to access a program from a particular system by specifying WHEN(SYSID(system-identifier)) on the PERMIT command:
      PERMIT profile-name CLASS(PROGRAM) ID(user or group) ACCESS(READ)
             WHEN(SYSID(system-identifier))
      This conditional access list entry is only valid for the PROGRAM class.

      See Program control by SMFID in BASIC or ENHANCED mode for more information.

  • By CRITERIA:
    • You can allow a user or job to use a resource under a particular criteria by specifying WHEN(CRITERIA(criteria-name(criteria-value))) on the PERMIT command. The criteria-name and criteria-value must match the criteria-name and criteria-value passed to RACF® on the RACROUTE REQUEST=FASTAUTH authorization check. The resource manager issuing the authorization check is responsible for the criteria-name and criteria-value. See the resource manager's documentation for further information. The class you specify on the PERMIT command must be RACLISTed for this support to take effect.

    Example:

    To allow members of group STUDENT to SELECT from the table USER01.HOMEWORK_GRADES in the DB2® DSND subsystem when they run with the DB2 role TEACHING ASSISTANT, enter:
    PERMIT DSND.USER01.HOMEWORK_GRADES.SELECT CLASS(MDSNTB) ID(STUDENT)
           WHEN(CRITERIA(SQLROLE('TEACHING ASSISTANT'))) ACCESS(READ)
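As an added illustration (not part of this IBM publication), the following Python model applies only the rules this topic states: the conditions within one WHEN() are ORed, a port-of-entry condition counts only while its class is active, WHEN(SYSID) is accepted only for CLASS(PROGRAM), and a CRITERIA entry counts only when the class is RACLISTed. It is a teaching model, not RACF's authorization algorithm; the access-level ordering and the shapes of the request and condition dictionaries are assumptions made here.

```python
"""Toy model of the conditional access list rules stated in this topic.
Not RACF's algorithm: standard access lists, UACC, auditing etc. are ignored."""
from dataclasses import dataclass, field

# Assumed access ordering; used only to pick the highest matching entry.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Port-of-entry conditions and the class that must be active for each (from the topic).
POE_CLASS = {"TERMINAL": "TERMINAL", "CONSOLE": "CONSOLE", "JESINPUT": "JESINPUT",
             "APPCPORT": "APPCPORT", "SERVAUTH": "SERVAUTH"}


@dataclass
class Permit:
    """One PERMIT entry; conditions mirrors WHEN(), e.g. {"CONSOLE": "01", "TERMINAL": "20"}."""
    resource_class: str
    ids: set
    access: str
    conditions: dict = field(default_factory=dict)

    def __post_init__(self):
        # WHEN(SYSID(...)) is only valid for the PROGRAM class.
        if "SYSID" in self.conditions and self.resource_class != "PROGRAM":
            raise ValueError("WHEN(SYSID) is only valid for CLASS(PROGRAM)")


def condition_matches(name, value, request, active_classes):
    """A condition holds when the request carries the same value and, for
    port-of-entry conditions, the supporting class is active."""
    needed = POE_CLASS.get(name)
    if needed and needed not in active_classes:
        return False  # the support has no effect while its class is inactive
    return request.get(name) == value


def granted_access(permits, request, active_classes, raclisted_classes=()):
    """Highest access any conditional entry grants to the request, else NONE.
    request: {"ids": {user and groups}, "<condition-name>": value, ...}"""
    best = "NONE"
    for p in permits:
        if not (request["ids"] & p.ids):
            continue
        # CRITERIA support takes effect only for a RACLISTed class.
        if "CRITERIA" in p.conditions and p.resource_class not in raclisted_classes:
            continue
        # Conditions within one entry are ORed: any one of them allows the access.
        if any(condition_matches(n, v, request, active_classes)
               for n, v in p.conditions.items()):
            if LEVELS.index(p.access) > LEVELS.index(best):
                best = p.access
    return best
```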





Copyright IBM Corporation 1990, 2014