z/OS Security Server RACF Security Administrator's Guide


Conditional access lists for data set profiles

SA23-2289-00

RACF® allows installations to specify conditional access lists for data sets. You can require that a user or job enter the system from a particular device when accessing data sets. To do this, specify one or more device identifiers using one of the following methods.
  • By specifying WHEN(TERMINAL(…)) on the PERMIT command, you can require that a user be logged on to a particular terminal.

    For this support to take effect, the TERMINAL class must be active.

  • By specifying WHEN(CONSOLE(…)) on the PERMIT command, you can require that a user be logged on to a particular console.

    For this support to take effect, the CONSOLE class must be active.

  • By specifying WHEN(JESINPUT(…)) on the PERMIT command, you can require that the batch job accessing the data set has been submitted from a particular JES input device.

    For this support to take effect, the JESINPUT class must be active.

  • By specifying WHEN(APPCPORT(…)) on the PERMIT command, you can require that a user enter the system from a particular partner LU.

    For this support to take effect, the APPCPORT class must be active.

  • By specifying WHEN(SERVAUTH(…)) on the PERMIT command, you can require that a user enter the system from a particular network security zone (containing IP addresses).

    For this support to take effect, the SERVAUTH class must be active.

Note: If an access list contains more than one condition, any of the conditions allows the specified access. For example, if you enter the PERMIT command with WHEN(CONSOLE(01) TERMINAL(20)) specified, you allow the access when either console 01 or terminal 20 is used.
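The following sketch is an added example, not IBM code or RACF output. It models only the two rules stated above: a condition counts only while its class is active, and any one matching condition grants the access. The user ID PAYCLRK, the zone name ZONE.A and all function names are hypothetical, and treating an entry in an inactive class as ignored is an assumption drawn from "for this support to take effect"; the standard access list and the rest of RACF authorization checking are not modeled.

```python
from dataclasses import dataclass

# RACF access levels, lowest to highest.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

@dataclass(frozen=True)
class CondEntry:
    user: str        # user ID named on PERMIT ID(...)
    access: str      # level named on PERMIT ACCESS(...)
    cond_class: str  # TERMINAL, CONSOLE, JESINPUT, APPCPORT or SERVAUTH
    resource: str    # device or zone identifier inside WHEN(class(...))

def live_entries(entries, active_classes):
    """Entries whose condition class is active and can therefore take effect."""
    return [e for e in entries if e.cond_class in active_classes]

def inert_entries(entries, active_classes):
    """Entries that never match because their class is not active (assumption)."""
    return [e for e in entries if e.cond_class not in active_classes]

def conditional_allows(user, wanted, origin, entries, active_classes):
    """True if any live entry for `user` matches `origin` and grants `wanted`.

    `origin` maps a class name to the identifier the user or job came in
    through, e.g. {"TERMINAL": "20"}. Conditions are ORed: one match suffices.
    """
    need = LEVELS.index(wanted)
    return any(
        e.user == user
        and origin.get(e.cond_class) == e.resource
        and LEVELS.index(e.access) >= need
        for e in live_entries(entries, active_classes)
    )

# Constructed sample: the WHEN(CONSOLE(01) TERMINAL(20)) case from the note,
# for a hypothetical user PAYCLRK, plus a hypothetical SERVAUTH zone entry.
SAMPLE = [
    CondEntry("PAYCLRK", "READ", "CONSOLE", "01"),
    CondEntry("PAYCLRK", "READ", "TERMINAL", "20"),
    CondEntry("PAYCLRK", "UPDATE", "SERVAUTH", "ZONE.A"),
]
ACTIVE = {"TERMINAL", "CONSOLE"}  # SERVAUTH deliberately left inactive

if __name__ == "__main__":
    print(conditional_allows("PAYCLRK", "READ", {"TERMINAL": "20"}, SAMPLE, ACTIVE))
    print(conditional_allows("PAYCLRK", "UPDATE", {"SERVAUTH": "ZONE.A"}, SAMPLE, ACTIVE))
    print([e.resource for e in inert_entries(SAMPLE, ACTIVE)])
```

Running `inert_entries` over an inventory of conditional entries is a quick review step: anything it returns is a permission that is defined but has no effect until the corresponding class is activated.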





Copyright IBM Corporation 1990, 2014