Logging on to the system

Your installation can control the use of the system commands and access to MCS, HMCS and SMCS consoles through the system authorization facility (SAF) and the Resource Access Control Facility (RACF®). Your installation can require operators to use the LOGON command to log on to the system and identify themselves.

Your installation can specify the LOGON attribute for MCS, HMCS and SMCS consoles in two ways. First, a default LOGON attribute can be specified for all consoles active on a system by specifying the LOGON keyword on the DEFAULT statement in the CONSOLxx parmlib member. Second, individual consoles can override the default LOGON attribute by specifying the LOGON keyword on the CONSOLE statement in the CONSOLxx parmlib member. For more information on specifying LOGON, consult z/OS MVS Planning: Operations and z/OS MVS Initialization and Tuning Reference.

The security administrator can enable console password phrase support on a system by defining a security profile to cover the MVS.CONSOLE.PASSWORDPHRASE.CHECK resource in the OPERCMDS class. No access authority check is made against the user ID. The consoles function checks only whether the profile exists; if it does, the new LOGON panel is displayed, which accepts either a password phrase or the standard eight (8) character password.

Your installation can specify that LOGON is required by specifying LOGON(REQUIRED) on the DEFAULT statement (for all MCS, HMCS and SMCS consoles) or on the CONSOLE statement (for a single console). When LOGON is a system requirement, you can issue commands only through a master authority console until RACF is fully initialized and able to process logon requests. Until RACF is initialized, you cannot issue any commands from any non-master authority console.

Once RACF is fully initialized, all operators are required to log on. The IEE187I message prompts you for a user ID and password. Optionally, you might enter a group ID and a security label. See LOGON command for more information.

IBM suggests that SMCS consoles be LOGON(REQUIRED), either using the system-wide DEFAULT LOGON specification or the CONSOLE LOGON specification of the console.

A TIMEOUT value may be specified for a console. If an operator has logged on to the console with a user ID, the system will automatically log the user ID off after the number of minutes specified by TIMEOUT has elapsed without any console input activity (pressing an attention-generating key, such as Enter, PA1, PA2, or a PFK).

Your installation can specify that LOGON is automatic by specifying LOGON(AUTO) on the DEFAULT statement (for all MCS, HMCS and SMCS consoles) or on the CONSOLE statement (for a single console). When LOGON is not a system requirement, after the security product is fully initialized, the system will automatically issue an MCS LOGON command to each active MCS, HMCS or SMCS console; system operators may log on to these consoles but are not required to do so. Automatic logon affects only full capability consoles. If a TIMEOUT value is specified for a console, it will be ignored when the user ID matches the console name and the console is in LOGON(AUTO) mode.
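
The following is an added example, not part of the IBM documentation: a Python sketch that resolves each console's effective LOGON attribute from a CONSOLxx member (a CONSOLE statement overrides the DEFAULT statement), flags SMCS consoles that are not LOGON(REQUIRED), and notes where a TIMEOUT will be ignored under LOGON(AUTO). The member text is constructed, the parser is a simplified assumption (it ignores column rules and nested parentheses), and it reports UNSPECIFIED rather than assuming a system default when no LOGON keyword is coded.

```python
import re

# Constructed sample CONSOLxx member (not from a real system).
SAMPLE = """\
DEFAULT LOGON(OPTIONAL)                /* system-wide default      */
CONSOLE DEVNUM(SMCS) NAME(SMCS01)
        LOGON(REQUIRED) TIMEOUT(15)    /* overrides the default    */
CONSOLE DEVNUM(SMCS) NAME(SMCS02)      /* inherits DEFAULT LOGON   */
CONSOLE DEVNUM(0700) NAME(MCS0700) LOGON(AUTO) TIMEOUT(30)
"""

STATEMENTS = {"INIT", "DEFAULT", "HARDCOPY", "CONSOLE"}
TOKEN = re.compile(r"([A-Z0-9$#@]+)(?:\(([^)]*)\))?")

def parse(member):
    """Split a member into (statement_type, {keyword: value}) pairs."""
    text = re.sub(r"/\*.*?\*/", " ", member, flags=re.S).upper()
    stmts = []
    for m in TOKEN.finditer(text):
        word, value = m.group(1), m.group(2)
        if value is None and word in STATEMENTS:
            stmts.append((word, {}))            # a new statement begins
        elif stmts and value is not None:
            stmts[-1][1][word] = value.strip()  # keyword(value) of that statement
    return stmts

def audit(member):
    """Return {console_name: (effective_logon, [findings])}."""
    stmts = parse(member)
    default = next((kw["LOGON"] for t, kw in stmts
                    if t == "DEFAULT" and "LOGON" in kw), None)
    report = {}
    for stype, kw in stmts:
        if stype != "CONSOLE":
            continue
        # CONSOLE LOGON overrides DEFAULT LOGON; otherwise inherit it.
        effective = kw.get("LOGON") or default or "UNSPECIFIED"
        findings = []
        if kw.get("DEVNUM") == "SMCS" and effective != "REQUIRED":
            findings.append("SMCS console is not LOGON(REQUIRED)")
        if effective == "AUTO" and "TIMEOUT" in kw:
            findings.append("TIMEOUT is ignored while user ID equals console name")
        report[kw.get("NAME", kw.get("DEVNUM", "?"))] = (effective, findings)
    return report

if __name__ == "__main__":
    for name, (logon, findings) in audit(SAMPLE).items():
        print(f"{name:8} LOGON({logon}) {'; '.join(findings) or 'ok'}")
```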

Your RACF administrator creates RACF user profiles for each operator. Each operator can have access to different commands, consoles, data sets, and other RACF-protected resources, according to the person's responsibilities. The RACF administrator also creates RACF resource profiles that protect all operator commands. If you need more information on creating profiles for operators, consoles, MVS™ commands, and other resources, see the z/OS Security Server RACF Security Administrator's Guide.

Your installation can specify that LOGON is optional by specifying LOGON(OPTIONAL) on the DEFAULT statement (for all consoles on the system) or on the CONSOLE statement (for a single console). Code the OPTIONAL parameter when your installation has selected consoles defined in RACF to allow the operator to log on.

z/OS MVS Planning: Operations has more information about controlling system commands and consoles in a secure environment.

Typically, an operator logs on to a single console. If your installation wishes to allow an operator to be concurrently logged on to multiple consoles within a system or sysplex, your security administrator can allow this. When the security profile MVS.MULTIPLE.LOGON.CHECK is defined in the OPERCMDS class, an operator may log on to multiple consoles. Defining this profile allows all operators to log on multiple times. There is no limit to the number of consoles to which an operator may be logged on. Operators are still required to provide a password while logging on to each console.