Use of the CONSOLE command does require TSO/E authorization. (I did not know about the exit option.) Some older/larger shops still resist mass conversion to TSO/E SAF segments because of long-standing RYO userid management applications that would have to be changed *substantially* to accommodate them. The number of people in any shop that need CONSOLE, in particular, is usually a small fraction of the total user community, which makes resistance appear legitimate if Troglodyte. I'm going to take a stab at a SAF-controlled exit.

JO.Skip Robinson
SCE Infrastructure Technology Services
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
626-302-7535 Office
323-715-0595 Mobile
jo.skip.robin...@sce.com

From: Walt Farrell <wfarr...@us.ibm.com>
To: IBM-MAIN@bama.ua.edu
Date: 04/11/2011 06:26 AM
Subject: Re: IKJ55305I THE CONSOLE COMMAND HAS TERMINATED.+ IKJ55305I USER GOD001 DOES NOT HAVE CONSOLE COMMAND AUTHORITY.
Sent by: IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu>

On Sun, 10 Apr 2011 20:50:41 -0500, Scott Fagen <scottfagen...@yahoo.com> wrote:

>Best way to set up for the TSO CONSOLE command is to activate OPERCMDS in
>your security product and set up the OPERPARM segments in the users who need
>to use the facility. See:
>
> http://publib.boulder.ibm.com/infocenter/zos/v1r9/index.jsp?topic=/com.ibm.zos.r9.ikjb400/consol.htm
>
>(Mind any wrap in the url).

You do also need access to the CONSOLE resource in the TSOAUTH class, but if I remember correctly the user must have a TSO segment in their RACF (or other security product) user profile before the TMP will check the TSOAUTH CONSOLE resource. Without a TSO segment if you want to grant TSO CONSOLE authority you need to implement a TSO/E exit.

And then, as you mentioned, Scott, the OPERCMDS profiles become important because you also need access to OPERCMDS resource MVS.MCSOPER.console-name before you can actually activate the console.

--
Walt Farrell
IBM STSM, z/OS Security Design
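
The setup discussed in this thread, written out as RACF commands. This is an added example and not part of any poster's message. It assumes RACF is the security product, that the console name is the same as the user ID GOD001 from the subject line, and that the lowercase values acct-num and logon-proc are placeholders for site-specific values.

```tso
 /* 1. The user needs a TSO segment before the TMP checks TSOAUTH.   */
 /*    acct-num and logon-proc are placeholders, not real values.    */
ALTUSER GOD001 TSO(ACCTNUM(acct-num) PROC(logon-proc))

 /* 2. Protect the CONSOLE command and permit only those who need it. */
RDEFINE TSOAUTH CONSOLE UACC(NONE)
PERMIT CONSOLE CLASS(TSOAUTH) ID(GOD001) ACCESS(READ)

 /* 3. Protect activation of the console itself. The console name is  */
 /*    assumed here to equal the user ID.                             */
RDEFINE OPERCMDS MVS.MCSOPER.GOD001 UACC(NONE)
PERMIT MVS.MCSOPER.GOD001 CLASS(OPERCMDS) ID(GOD001) ACCESS(READ)

 /* 4. Give the user an OPERPARM segment. AUTH(INFO) and              */
 /*    ROUTCODE(NONE) are sample least-privilege choices.             */
ALTUSER GOD001 OPERPARM(AUTH(INFO) ROUTCODE(NONE))

 /* 5. Activate both classes and load the profiles into storage,      */
 /*    then refresh after any later profile change.                   */
SETROPTS CLASSACT(TSOAUTH OPERCMDS) RACLIST(TSOAUTH OPERCMDS)
SETROPTS RACLIST(TSOAUTH OPERCMDS) REFRESH
```

A user without a TSO segment never reaches the TSOAUTH check in step 2, which is the case the TSO/E exit mentioned in the thread is meant to cover.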