You can require operators to log on to and log off from MCS-managed consoles by specifying options in the CONSOLxx member of the SYS1.PARMLIB data set. For more information, see:
When the CONSOLE class is active and a console being used is protected by a profile in the CONSOLE class, RACF® ensures that the person attempting to log on has the proper authority to do so. Using RACF, you can control the use of JES and MCS system consoles on your system. This topic describes how to protect MCS consoles. See also Remote workstations (RJP/RJE consoles).
Note:
- The SETROPTS TERMINAL command does not apply to consoles.
- The TERMUACC operand on the ADDGROUP and ALTGROUP commands does not apply to consoles.
- You cannot specify the WHEN operand on the RDEFINE and RALTER commands for profiles in the CONSOLE class.
For a description of authorization checking for consoles, see Authorizing access to consoles, JES input devices, APPC partner LUs, or IP addresses.
To control the use of MCS consoles, perform the following steps:
- Ask your system programmer for the following information:
  - The name or ID of the console to be protected
    Sysplex consideration: If you share the RACF database with downlevel systems, the console might have a 2-byte console ID rather than a console name. To protect a console ID, define the resource using the console ID in place of the console name.
  - The universal access authority (UACC) to specify for the console
  - The user ID or group name of the operator or operators to whom you want to grant access
  - The security label to be assigned to that console (if security labels are being used)
- Create a profile for each console using the RDEFINE command.
  RDEFINE CONSOLE console-name UACC(NONE)
  For example, the following command defines a profile for console CON1 and specifies a UACC of NONE.
  RDEFINE CONSOLE CON1 UACC(NONE)
- Use the PERMIT command to allow users and groups to use the console. You must give a user at least READ access authority to the console. Otherwise, the user is not authorized to use the console.
  For example, the following command grants READ access authority to group OPRGRP1 and user JONES for CON1.
  PERMIT CON1 CLASS(CONSOLE) ID(OPRGRP1 JONES) ACCESS(READ)
  Important: After you define a console and protect it with a UACC of NONE, no one can log on to the console until you grant users access authority to the console profile.
  For consoles, the valid access authorities are:
  - NONE: Allows no access
  - READ: Authorizes RACF-defined users to LOGON to the specified console
- When you are ready to start using the protection defined in the profiles, activate the CONSOLE class and activate SETROPTS RACLIST processing for the class. SETROPTS RACLIST processing helps ensure high performance when access authorities are checked. You can do both with the following command.
  SETROPTS CLASSACT(CONSOLE) RACLIST(CONSOLE)
  If the CONSOLE class is already active and RACLISTed, issue the following command to activate your CONSOLE profile changes.
  SETROPTS RACLIST(CONSOLE) REFRESH
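The steps above, combined into one batch TSO job (IKJEFT01) and followed by an RLIST check of the resulting access list, as an added example that is not part of the original page. The job card, the console name CON1, the group OPRGRP1 and the user JONES are assumed values.

```jcl
//RACFCON  JOB (ACCT),'PROTECT MCS CONSOLE',CLASS=A,MSGCLASS=X
//* Added example, not from the original page. Job card, CON1,
//* OPRGRP1 and JONES are assumed values; replace them for your site.
//* The RACF commands are read from SYSTSIN by the TSO batch TMP.
//TSOBATCH EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//* Define the console profile so that nobody has access by default,
//* grant READ (the only authority that permits LOGON) to the operator
//* group and one user, activate and RACLIST the class, then list the
//* profile with its access list to confirm the result.
//SYSTSIN  DD  *
  RDEFINE CONSOLE CON1 UACC(NONE)
  PERMIT CON1 CLASS(CONSOLE) ID(OPRGRP1 JONES) ACCESS(READ)
  SETROPTS CLASSACT(CONSOLE) RACLIST(CONSOLE)
  RLIST CONSOLE CON1 AUTHUSER
/*
//* If the CONSOLE class is already active and RACLISTed, replace the
//* SETROPTS line above with:
//*   SETROPTS RACLIST(CONSOLE) REFRESH
//* so that the in-storage profiles pick up the new PERMIT.
```

The AUTHUSER output in SYSTSPRT should show UACC NONE with OPRGRP1 and JONES at READ; any other ID or a higher UACC means the console is more open than intended.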