Hi Tim.  

Good questions/comments.  

I would actually want them logging on to do their work.  The area
management is planning on moving the consoles to is (as far as I'm
concerned) an unsecured area.  People come into and out of this area on
a regular basis with nobody seeing them.  The idea mgmt has is that the
operator will always be there so it will be secure, but we have 1
operator per shift and the printers and tape drives (not robotic) are
located in the computer room so the operator will often be away from the
console.  

As far as the operator issuing meaningless commands once in a while,
that's OK because that means they're at the console.  My biggest concern
is when they're away from them that somebody could come in and cause
considerable damage while they're unattended.  That's why I am asking
about the auto-logoff.  I am OK with them even using a single ID for
everybody.

Rex

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Tim Hare
Sent: Tuesday, May 02, 2006 2:32 PM
To: [email protected]
Subject: Re: Securing consoles


Do you actually have to have someone log on, or do you just need an ID
for each console, so that secured commands work and you can audit where
they came from?

We used the DEFAULT LOGON(AUTO) so that each console logs on with a user
ID equal to the console name. We did this for the reasons you stated -
we figured the operators would log on once, anyway, and never log off.
Even if they do log on and off, they will probably share IDs and
passwords - anything to "get the job done". So, the closest we could
come to identifying the operator(s) that issued particular commands
would be to know which console issued it, and what operators were in
that physical area at the time (via door lock logs or whatever).

The IDs are defined as "protected" in RACF so no one can log on with
them via the usual methods. They are also in a RACF group (imaginatively
named OPCONSOL) so we can, if we wish, grant access to all the consoles
at once.

I didn't see a timeout value in the Quick-reference summary of the
Init&Tuning info - but suspect that operators would find a way to keep
the ID active by issuing meaningless commands once in a while.

Tim Hare
Senior Systems Programmer
Florida Department of Transportation
(850) 414-4209
