When a RACF®-defined user
logs on to TSO or signs on to IMS™ or CICS® using a terminal protected
by a profile in the TERMINAL or GTERMINL class and the TERMINAL class
is active, RACF performs authorization
checking to verify that the user is permitted use of the terminal. RACF performs this authorization
checking during REQUEST=VERIFY processing at the same time as it performs
user identification and verification.
RACF performs terminal authorization
checking in the following sequence:
- If your installation has activated the SECLABEL class, RACF performs security label authorization
checking. For a complete description, see Security label authorization checking.
If security label authorization checking succeeds, RACF authorization checking continues with the
next step.
- If the requesting user has at least READ access authority to the
terminal, RACF processing continues
at Step 5. If the user's access
authority is NONE, RACF denies
use of the terminal and stops terminal authorization checking.
- If the requesting user's current connect group (or,
if you activate list-of-groups checking, one of the user's other connect
groups) has at least READ access authority to the terminal, RACF processing continues at Step 5. If the group's access authority is
NONE, RACF denies use of the
terminal and stops terminal authorization checking.
- If the profile has a universal access authority (UACC) of at least READ and your installation
has not specified NOTERMUACC for the user's current connect group, RACF processing continues at Step 5. Otherwise, RACF denies use of the terminal and stops terminal
authorization checking.
Note: For defined terminals, you can specify
the universal access authority (UACC) with the RDEFINE or RALTER command.
For undefined terminals, you can specify the universal access authority
with the TERMUACC operand of the SETROPTS command.
For more
information, see Limiting specific groups of users to specific terminals.
- If your installation authorizes the use of the terminal
on this particular day and time, RACF grants
access to the terminal. (You can specify the terminal time and day-of-week
restrictions with the RDEFINE and RALTER commands.) RACF also checks whether your installation has
authorized the user to access the system on this particular day and
time. (You can specify the user time and day-of-week restrictions
with the ADDUSER and ALTUSER commands.)
Note: - The REQUEST=AUTH and REQUEST=VERIFY preprocessing and postprocessing
exit routines are available during terminal authorization checking.
- Global access checking is not available during terminal authorization
checking performed by REQUEST=VERIFY.
- Profiles in the GTERMINL class are ignored unless SETROPTS RACLIST
processing is in effect.