If your installation requires additional security controls on the use of system commands, you must first determine what controls are required. For example, do you want to require all your operators to logon to MCS, HMCS or SMCS consoles, or do you want certain operators with special authority to be able to enter commands that require a higher authority than the console allows? Do you want to audit logon activity? If so, do you want to log all command activity or only unauthorized, or unsuccessful, attempts to issue system commands? Using RACF® and the LOGON keyword in CONSOLxx can help you achieve the kind of added security you might need.

If your installation uses extended MCS consoles, you need to plan for their security. Your TSO or security administrator can help you authorize TSO/E users and control the console attributes (defined in the OPERPARM segment) for those users. For examples, see Controlling extended MCS consoles using RACF.

Note that using RACF to authorize commands can increase the path length the system requires to process a command, and auditing command activity can increase the number of security-related SMF records your system generates.