z/OS Security Server RACF Security Administrator's Guide


Authorizing access to RACF-protected terminals

SA23-2289-00

When a RACF®-defined user logs on to TSO or signs on to IMS™ or CICS® using a terminal protected by a profile in the TERMINAL or GTERMINL class and the TERMINAL class is active, RACF performs authorization checking to verify that the user is permitted use of the terminal. RACF performs this authorization checking during REQUEST=VERIFY processing at the same time as it performs user identification and verification.

RACF performs terminal authorization checking in the following sequence:
  1. If your installation has activated the SECLABEL class, RACF performs security label authorization checking. For a complete description, see Security label authorization checking. If security label authorization checking succeeds, RACF authorization checking continues with the next step.
  2. If the requesting user has at least READ access authority to the terminal, RACF processing continues at Step 5. If the user's access authority is NONE, RACF denies use of the terminal and stops terminal authorization checking.
  3. If the requesting user's current connect group (or, if you activate list-of-groups checking, one of the user's other connect groups) has at least READ access authority to the terminal, RACF processing continues at Step 5. If the group's access authority is NONE, RACF denies use of the terminal and stops terminal authorization checking.
  4. If the profile has a universal access authority (UACC) of at least READ and your installation has not specified NOTERMUACC for the user's current connect group, RACF processing continues at Step 5. Otherwise, RACF denies use of the terminal and stops terminal authorization checking.
    Note: For defined terminals, you can specify the universal access authority (UACC) with the RDEFINE or RALTER command. For undefined terminals, you can specify the universal access authority with the TERMUACC operand of the SETROPTS command.

    For more information, see Limiting specific groups of users to specific terminals.

  5. If your installation authorizes the use of the terminal on this particular day and time, RACF grants access to the terminal. (You can specify the terminal time and day-of-week restrictions with the RDEFINE and RALTER commands.) RACF also checks whether your installation has authorized the user to access the system on this particular day and time. (You can specify the user time and day-of-week restrictions with the ADDUSER and ALTUSER commands.)
Note:
  1. The REQUEST=AUTH and REQUEST=VERIFY preprocessing and postprocessing exit routines are available during terminal authorization checking.
  2. Global access checking is not available during terminal authorization checking performed by REQUEST=VERIFY.
  3. Profiles in the GTERMINL class are ignored unless SETROPTS RACLIST processing is in effect.
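
The five-step sequence above, written out as a small decision model. This is an added example, not IBM code and not a RACF interface: every name in it (Window, Terminal, User, check_terminal) is hypothetical. It assumes that a failed security label check denies access, that with list-of-groups checking any connect group holding READ or higher is sufficient, and that day and time restrictions reduce to a set of weekdays plus one time range.

```python
from dataclasses import dataclass, field

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}
READ = LEVELS["READ"]

@dataclass
class Window:
    """Day-of-week and time-of-day restriction (model only; 0 = Monday)."""
    days: frozenset = frozenset(range(7))
    start: int = 0     # minutes after midnight, inclusive
    end: int = 1440    # minutes after midnight, exclusive
    def allows(self, day, minute):
        return day in self.days and self.start <= minute < self.end

@dataclass
class Terminal:
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)    # user or group ID -> access
    when: Window = field(default_factory=Window)

@dataclass
class User:
    userid: str
    current_group: str
    other_groups: tuple = ()
    notermuacc: bool = False   # NOTERMUACC specified for the current connect group
    when: Window = field(default_factory=Window)

def check_terminal(user, term, day, minute, seclabel_ok=True, list_of_groups=False):
    """Return (granted, reason) for steps 1-5 of the sequence above."""
    if not seclabel_ok:        # step 1: outcome supplied by the caller
        return False, "step 1: security label check failed"
    groups = (user.current_group,) + (user.other_groups if list_of_groups else ())
    group_acc = [term.acl[g] for g in groups if g in term.acl]
    user_acc = term.acl.get(user.userid)
    if user_acc is not None:   # step 2: the user's own entry decides
        if LEVELS[user_acc] < READ:
            return False, "step 2: user access NONE"
    elif group_acc:            # step 3: connect group entry or entries
        if not any(LEVELS[a] >= READ for a in group_acc):
            return False, "step 3: group access NONE"
    elif LEVELS[term.uacc] < READ or user.notermuacc:   # step 4
        return False, "step 4: UACC below READ or NOTERMUACC in effect"
    if not term.when.allows(day, minute):   # step 5: terminal, then user
        return False, "step 5: terminal day/time restriction"
    if not user.when.allows(day, minute):
        return False, "step 5: user day/time restriction"
    return True, "granted"
```

The model makes the ordering visible: an explicit NONE for the user stops checking at step 2 even when the user's group holds READ, and a UACC of READ does not help a user whose current connect group has NOTERMUACC.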





Copyright IBM Corporation 1990, 2014