z/OS Security Server RACF Security Administrator's Guide


Creating profiles in the TERMINAL and GTERMINL classes

SA23-2289-00

If you create a profile in the TERMINAL or GTERMINL class, you must give users at least READ access authority in order to allow them to use the protected terminal.
  1. To protect a terminal using RACF®, create a profile for it using the RDEFINE command. On the command, specify the universal access authority (UACC) you want to assign to the terminal. The following command defines a profile for terminal M01RF267 and specifies a UACC of NONE.
    RDEFINE TERMINAL M01RF267 UACC(NONE)

    On systems using VTAM®, the terminal's node name is the RACF resource name. See your systems programmer for node name information.

  2. Use the PERMIT command to allow users and groups to use the terminal. You must give a user at least READ access authority to the terminal. Otherwise, the user is not authorized to use the terminal. For example, the following command grants users SMITH and JONES READ access authority to terminal M01RF267.
    PERMIT M01RF267 CLASS(TERMINAL) ID(SMITH JONES) ACCESS(READ)
    Important: After you define a terminal and protect it with a UACC of NONE, no one can use the terminal until you grant users or groups READ access authority to the resource.
  3. When you are ready to start using the protection defined in the profiles, activate the TERMINAL class. You should also consider activating SETROPTS RACLIST processing for the class. SETROPTS RACLIST processing helps ensure high performance when access authorities are checked. Also, if you are using GTERMINL profiles, you must request RACLIST processing for the TERMINAL class. You can do these two actions in one command:
    SETROPTS CLASSACT(TERMINAL) RACLIST(TERMINAL)
    Note: When you activate the TERMINAL class, RACF also activates the GTERMINL class.
Creating a profile in the GTERMINL class: If you want to protect several terminals in the same way, but their names do not allow you to create a generic profile, you can create a profile in the GTERMINL class for them. For example, to protect terminals M01RF267, M03RF168, and M04GG148 with one profile, you could create a profile with a name you choose, such as DEPT35:
    RDEFINE GTERMINL DEPT35 UACC(NONE) ADDMEM(M01RF267 M03RF168 M04GG148)
To allow group FINANCE to use these terminals, enter:
    PERMIT DEPT35 CLASS(GTERMINL) ID(FINANCE) ACCESS(READ)
Note: After creating or changing a GTERMINL profile, you must request SETROPTS RACLIST processing for the TERMINAL class to make the changes effective on the system.
To protect another terminal, named M01RF299, with the same profile, change the DEPT35 profile as follows:
    RALTER   GTERMINL DEPT35 ADDMEM(M01RF299)
    SETROPTS RACLIST(TERMINAL) REFRESH
To stop protecting terminal M03RF168 with this profile, change the DEPT35 profile as follows:
    RALTER   GTERMINL DEPT35 DELMEM(M03RF168)
    SETROPTS RACLIST(TERMINAL) REFRESH
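The initial DEPT35 setup described above, run as one batch TSO job with two listing commands appended to confirm the result. This is an added example, not part of the IBM text: the job name, accounting field, and job classes are placeholders for site values, and the RLIST and SETROPTS LIST steps are additions that assume the submitting user is authorized to issue them.

```jcl
//RACFTERM JOB (ACCT),'TERMINAL PROFILES',CLASS=A,MSGCLASS=X
//* Added example: job card values above are site placeholders.
//* IKJEFT01 runs the RACF commands in SYSTSIN as batch TSO commands.
//*
//* Order of the commands in SYSTSIN:
//*  1. RDEFINE  - create grouping profile DEPT35 with UACC(NONE);
//*                the trailing + continues the command on the next line
//*  2. PERMIT   - grant group FINANCE READ before the class is
//*                activated, so the terminals remain usable
//*  3. SETROPTS - activate TERMINAL (and with it GTERMINL) and
//*                request RACLIST processing for TERMINAL
//*  4. RLIST    - verify the members, UACC, and access list of DEPT35
//*  5. SETROPTS LIST - verify TERMINAL is listed as an active class
//*                and as a SETROPTS RACLIST class
//*
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE GTERMINL DEPT35 UACC(NONE) +
          ADDMEM(M01RF267 M03RF168 M04GG148)
  PERMIT DEPT35 CLASS(GTERMINL) ID(FINANCE) ACCESS(READ)
  SETROPTS CLASSACT(TERMINAL) RACLIST(TERMINAL)
  RLIST GTERMINL DEPT35 ALL
  SETROPTS LIST
/*
```

The command output, including the RLIST and SETROPTS LIST reports, is written to SYSTSPRT.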





Copyright IBM Corporation 1990, 2014