z/OS Security Server RACF Security Administrator's Guide


The TSO segment in user profiles

SA23-2289-00

When you define a new TSO user or change TSO attributes for an existing user, you can specify the following information in the TSO segment of a user's profile:
  ACCTNUM      User's default account number
  COMMAND      Command to be run during TSO/E logon
  JOBCLASS     Default value for user's job class
  MSGCLASS     Default value for the user's message class
  HOLDCLASS    Default value for the user's hold class
  SYSOUTCLASS  Destination ID for the user's SYSOUT data sets
  PROC         User's default logon procedure
  MAXSIZE      User's maximum region size
  SIZE         User's default region size
  SECLABEL     Security label specified when the user previously logged on to TSO
  UNIT         Default device used for allocations
  USERDATA     Optional user data

If a user logs on to TSO and you have defined a TSO segment in the user's profile, TSO checks the user's authority to use certain TSO resources such as account numbers and logon procedures. If the user is authorized to use a resource such as an account number, TSO continues building a session for the user. Otherwise, TSO prompts the user for a valid account number.

If a user logs on to TSO and you have not defined a TSO segment for that user, TSO checks the SYS1.UADS data set for the information it needs to build a session. If TSO does not find an entry for the user in SYS1.UADS, the user is denied access to the system.

You can move TSO user attribute information from SYS1.UADS to the RACF® database. (SYS1.UADS contains an entry for each TSO user that describes the attributes that regulate the user's access to the system.) When you move this TSO information into the RACF database, it is stored in the TSO segment of the user's profile. When a user logs on to TSO, TSO uses the information contained in the TSO segment to build a session for the user.

Moving the TSO user information to the RACF database eliminates the need to maintain an entry in SYS1.UADS for each TSO user. However, you must maintain entries in SYS1.UADS for certain users, such as IBMUSER and system programmers. For example, if you need to deactivate RACF to perform maintenance on the RACF database, users authorized to perform this maintenance must be able to log on to the system. When RACF is inactive, TSO checks entries in SYS1.UADS to authorize access to the system.
Note:
  1. You can use the RACONVRT EXEC to help convert SYS1.UADS entries to RACF user profiles. See z/OS TSO/E Customization for more information.
  2. If you are defining TSO segments in user profiles, you must activate the following TSO general resource classes: TSOPROC and ACCTNUM. For more information, see Protecting TSO resources.
  3. Guideline: Use field-level access control to protect fields within the TSO segment of user profiles. Otherwise, any user can list and change the information contained in this segment. For more information, see Field-level access checking.
  4. A TSO user can use the TSO/E logon panel to specify or override certain information in the TSO segment of his or her user profile. For example, a user can change an account number, or specify an account number if one has not been specified, using the TSO/E logon panel. RACF checks the user's authorization to the ACCTNUM profile that protects the specified account number. If the user is authorized to use the specified account number, TSO stores the account number in the TSO segment of the user's profile and uses it as a default value the next time the user logs on to TSO. Otherwise, RACF denies access to the account number.
    If users attempt to change their user profiles when logging on, the logon is allowed but the TSO segment is not updated in either of the following cases:
    • The RACF database is locked.
    • The system is enabled for sysplex communication and RACF is in read-only mode.

    See z/OS TSO/E User's Guide for a description of the information that a user can specify on the TSO/E logon panel.

  5. A TSO installation can write a TSO logon pre-prompt exit to bypass checking SYS1.UADS for user attribute information. See z/OS TSO/E Customization for more information.
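One way to carry out what the notes above describe, as an added example that is not from the RACF manual: a batch TMP job that gives a user a TSO segment, protects the account number and logon procedure it names in the ACCTNUM and TSOPROC classes, and puts field-level access control on the segment. USER01, ACCT01, IKJACCNT, TSOADMIN, the class and unit values and the job card are placeholders.

```jcl
//RACFTSO  JOB (ACCT),'TSO SEGMENT',CLASS=A,MSGCLASS=X
//* Added example, not from the RACF manual. USER01, ACCT01,
//* IKJACCNT, TSOADMIN and the job card are placeholders.
//*
//* Step 1 (SYSTSIN): give USER01 a TSO segment, so logon no longer
//*   depends on a SYS1.UADS entry for this user.
//* Step 2: protect the account number and logon procedure named in
//*   the segment (ACCTNUM and TSOPROC classes, note 2). UACC(NONE)
//*   means only users permitted READ can log on with them; anyone
//*   else is prompted for a valid account number at logon.
//* Step 3: field-level access control (note 3). FIELD profiles are
//*   named profile-type.segment.field and use RACF's field names
//*   (TACCNT for ACCTNUM, TLPROC for PROC). With UACC(NONE), users
//*   without access can neither list nor change those fields;
//*   TSOADMIN gets UPDATE so it can still administer them.
//* Step 4: activate the three classes and RACLIST them. After later
//*   profile changes, issue SETROPTS RACLIST(class) REFRESH.
//TMP      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTUSER USER01 TSO(ACCTNUM(ACCT01) PROC(IKJACCNT) +
      SIZE(4096) MAXSIZE(8192) UNIT(SYSDA) +
      JOBCLASS(A) MSGCLASS(X) HOLDCLASS(H))
  RDEFINE ACCTNUM ACCT01 UACC(NONE)
  PERMIT ACCT01 CLASS(ACCTNUM) ID(USER01) ACCESS(READ)
  RDEFINE TSOPROC IKJACCNT UACC(NONE)
  PERMIT IKJACCNT CLASS(TSOPROC) ID(USER01) ACCESS(READ)
  RDEFINE FIELD USER.TSO.TACCNT UACC(NONE)
  RDEFINE FIELD USER.TSO.TLPROC UACC(NONE)
  PERMIT USER.TSO.TACCNT CLASS(FIELD) ID(TSOADMIN) ACCESS(UPDATE)
  PERMIT USER.TSO.TLPROC CLASS(FIELD) ID(TSOADMIN) ACCESS(UPDATE)
  SETROPTS CLASSACT(ACCTNUM TSOPROC FIELD) +
      RACLIST(ACCTNUM TSOPROC FIELD)
/*
```

Users with the SPECIAL attribute are not restricted by FIELD profiles, so the ALTUSER in step 1 still works for a security administrator after step 3 takes effect.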





Copyright IBM Corporation 1990, 2014