There is no auto-timeout feature that I am aware of. When I last implemented this, the advice to the operators was: you are responsible for anything that is entered while you are logged on. (This encouraged them to log off when they stepped away from the console.)

Don Imbriale

>-----Original Message-----
>From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Pommier, Rex R.
>Sent: Tuesday, May 02, 2006 3:54 PM
>To: [email protected]
>Subject: Re: Securing consoles
>
>Hi Tim.
>
>Good questions/comments.
>
>I would actually want them logging on to do their work. The area management is planning on moving the consoles to is (as far as I'm concerned) an unsecured area. People come into and out of this area on a regular basis with nobody seeing them. The idea mgmt has is that the operator will always be there so it will be secure, but we have 1 operator per shift and the printers and tape drives (not robotic) are located in the computer room so the operator will often be away from the console.
>
>As far as the operator issuing meaningless commands once in a while, that's OK because that means they're at the console. My biggest concern is when they're away from them that somebody could come in and cause considerable damage while they're unattended. That's why I am asking about the auto-logoff. I am OK with them even using a single ID for everybody.
>
>Rex
>
>-----Original Message-----
>From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hare
>Sent: Tuesday, May 02, 2006 2:32 PM
>To: [email protected]
>Subject: Re: Securing consoles
>
>Do you actually have to have someone log on, or do you just need an ID for each console, so that secured commands work and you can audit where they came from?
>
>We used the DEFAULT LOGON(AUTO) so that each console logs on with a user ID equal to the console name. We did this for the reasons you stated - we figured the operators would log on once, anyway, and never log off. Even if they do log on and off, they will probably share IDs and passwords - anything to "get the job done". So, the closest we could come to identifying the operator(s) that issued particular commands would be to know which console issued it, and what operators were in that physical area at the time (via door lock logs or whatever).
>
>The IDs are defined as "protected" in RACF so no one can log on with them via the usual methods. They are also in a RACF group (imaginatively named OPCONSOL) so we can, if we wish, grant access to all the consoles at once.
>
>I didn't see a timeout value in the Quick-reference summary of the Init&Tuning info - but suspect that operators would find a way to keep the ID active by issuing meaningless commands once in a while.

