z/OS Security Server RACF Security Administrator's Guide


Protecting consoles

SA23-2289-00

Using RACF, you can control the use of JES and MCS system consoles on your system. This topic describes how to protect MCS consoles. See also Remote workstations (RJP/RJE consoles).

When the CONSOLE class is active and a console being used is protected by a profile in the CONSOLE class, RACF® ensures that the person attempting to log on has the proper authority to do so.

You can require operators to log on to and log off from MCS-managed consoles by specifying options in the CONSOLxx member of the SYS1.PARMLIB data set. For more information, see:
Note:
  1. The SETROPTS TERMINAL command does not apply to consoles.
  2. The TERMUACC operand on the ADDGROUP and ALTGROUP commands does not apply to consoles.
  3. You cannot specify the WHEN operand on the RDEFINE and RALTER commands for profiles in the CONSOLE class.

For a description of authorization checking for consoles, see Authorizing access to consoles, JES input devices, APPC partner LUs, or IP addresses.

To control the use of MCS consoles, perform the following steps:
  1. Ask your system programmer for the following information:
    • The name or ID of the console to be protected

      Sysplex consideration: If you share the RACF database with downlevel systems, the console might have a 2-byte console ID rather than a console name. To protect a console ID, define the resource using the console ID in place of the console name.

    • The universal access authority (UACC) to specify for the console
    • The user ID or group name of the operator or operators to whom you want to grant access
    • The security label to be assigned to that console (if security labels are being used)
  2. Create a profile for each console using the RDEFINE command.
    RDEFINE CONSOLE console-name UACC(NONE)
    For example, the following command defines a profile for console CON1 and specifies a UACC of NONE.
    RDEFINE CONSOLE CON1 UACC(NONE)
  3. Use the PERMIT command to allow users and groups to use the console. You must give a user at least READ access authority to the console. Otherwise, the user is not authorized to use the console.
    For example, the following command grants READ access authority to group OPRGRP1 and user JONES for CON1.
    PERMIT CON1 CLASS(CONSOLE) ID(OPRGRP1 JONES) ACCESS(READ)
    Important: After you define a console and protect it with a UACC of NONE, no one can log on to the console until you grant users access authority to the console profile.
    For consoles, the valid access authorities are:
    NONE
    Allows no access
    READ
    Authorizes RACF-defined users to LOGON to the specified console
  4. When you are ready to start using the protection defined in the profiles, activate the CONSOLE class and activate SETROPTS RACLIST processing for the class. SETROPTS RACLIST processing helps ensure high performance when access authorities are checked. You can do both with the following single command.
    SETROPTS CLASSACT(CONSOLE) RACLIST(CONSOLE)
    If the CONSOLE class is already active and RACLISTed, issue the following command to activate your CONSOLE profile changes.
    SETROPTS RACLIST(CONSOLE) REFRESH
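The following Python model is an added example, not RACF code and not part of this guide. It walks through steps 2 to 4 above with constructed console, user and group names (CON1, JONES, SMITH, OPRGRP1, BROWN are illustrative) and records the LOGON decision at each point, so that the two operational pitfalls the steps describe are visible: a console defined with UACC(NONE) locks everyone out until a PERMIT is issued, and a PERMIT issued while the class is RACLISTed does not take effect until SETROPTS RACLIST(CONSOLE) REFRESH. The model assumes that a console with no profile is unprotected, that a user's own access list entry takes precedence over group entries and group entries over UACC (list-of-groups checking assumed), and that re-issuing RACLIST without REFRESH leaves the in-storage copy unchanged; it models nothing else of RACF.

```python
"""Simplified model of the RACF CONSOLE-class checks used in the steps above.

Added example, not RACF's own code. It models only what the procedure depends
on: whether the CONSOLE class is active, the RACLISTed in-storage copy of the
profiles (which lags the database until SETROPTS RACLIST(CONSOLE) REFRESH),
UACC, the access list, and the rule that READ is the minimum for LOGON.
Assumptions: a console with no profile is unprotected; a user's own access
list entry wins over group entries, which win over UACC (list-of-groups
checking assumed); all user IDs, group names and console names are constructed.
"""
import copy
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set

ACCESS_LEVELS = {"NONE": 0, "READ": 1}   # the only access authorities valid for consoles


@dataclass
class ConsoleProfile:
    name: str
    uacc: str = "NONE"
    access_list: Dict[str, str] = field(default_factory=dict)   # user/group -> access


@dataclass
class RacfModel:
    """Toy RACF database plus the in-storage (RACLIST) copy of the CONSOLE class."""
    class_active: bool = False
    raclisted: bool = False
    database: Dict[str, ConsoleProfile] = field(default_factory=dict)
    in_storage: Dict[str, ConsoleProfile] = field(default_factory=dict)
    group_members: Dict[str, Set[str]] = field(default_factory=dict)   # group -> users

    # ---- administrator commands from the procedure -------------------------
    def rdefine(self, console: str, uacc: str = "NONE") -> None:
        """RDEFINE CONSOLE console-name UACC(uacc)"""
        self.database[console] = ConsoleProfile(console, uacc.upper())

    def permit(self, console: str, ids: Iterable[str], access: str) -> None:
        """PERMIT console CLASS(CONSOLE) ID(...) ACCESS(access): updates the database only."""
        for ident in ids:
            self.database[console].access_list[ident] = access.upper()

    def setropts(self, classact: bool = False, raclist: bool = False,
                 refresh: bool = False) -> None:
        """SETROPTS CLASSACT(CONSOLE) / RACLIST(CONSOLE) [REFRESH]"""
        if classact:
            self.class_active = True
        if raclist and (not self.raclisted or refresh):
            # The first RACLIST, or an explicit REFRESH, rebuilds the in-storage copy;
            # re-issuing RACLIST without REFRESH leaves the stale copy in place (assumption).
            self.in_storage = copy.deepcopy(self.database)
            self.raclisted = True

    # ---- the authorization decision taken at console LOGON -----------------
    def effective_access(self, user: str, profile: ConsoleProfile) -> str:
        if user in profile.access_list:                      # user entry wins
            return profile.access_list[user]
        group_hits = [acc for ident, acc in profile.access_list.items()
                      if user in self.group_members.get(ident, set())]
        if group_hits:                                       # then group entries
            return max(group_hits, key=ACCESS_LEVELS.__getitem__)
        return profile.uacc                                  # then UACC

    def can_logon(self, user: str, console: str) -> bool:
        if not self.class_active:
            return True          # class inactive: RACF performs no console checking
        profiles = self.in_storage if self.raclisted else self.database
        profile = profiles.get(console)
        if profile is None:
            return True          # no profile: console is not protected (model assumption)
        return ACCESS_LEVELS[self.effective_access(user, profile)] >= ACCESS_LEVELS["READ"]


def walkthrough() -> Dict[str, bool]:
    """Runs steps 2-4 of the procedure with constructed IDs and records each decision."""
    racf = RacfModel(group_members={"OPRGRP1": {"SMITH"}})   # SMITH is a member of OPRGRP1
    racf.rdefine("CON1", "NONE")                             # step 2
    racf.setropts(classact=True, raclist=True)               # step 4 issued before any PERMIT
    results = {"locked_out_before_permit": racf.can_logon("JONES", "CON1")}
    racf.permit("CON1", ["OPRGRP1", "JONES"], "READ")        # step 3
    results["stale_until_refresh"] = racf.can_logon("JONES", "CON1")
    racf.setropts(raclist=True, refresh=True)                # SETROPTS RACLIST(CONSOLE) REFRESH
    results["jones_after_refresh"] = racf.can_logon("JONES", "CON1")
    results["smith_via_group"] = racf.can_logon("SMITH", "CON1")
    results["brown_no_permit"] = racf.can_logon("BROWN", "CON1")
    results["unprotected_console"] = racf.can_logon("BROWN", "CON9")
    return results


if __name__ == "__main__":
    for check, allowed in walkthrough().items():
        print(f"{check:28s} {'LOGON allowed' if allowed else 'LOGON denied'}")
```

Running the script prints one line per decision. The two denials for JONES are the ones to note when scheduling the work: activating the class before issuing the PERMIT commands locks operators out, and a PERMIT against a RACLISTed class is invisible to the LOGON check until the REFRESH in the last step is issued.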





Copyright IBM Corporation 1990, 2014