It is important to ensure that your TSO resources on the mainframe are secured. The following table contains the list of RACF classes and corresponding profiles available to protect TSO resources:

| RACF class name | Profile name | Resource protected |
|---|---|---|
| TSOPROC | procedure name | Logon procedure |
| ACCTNUM | account number | Account number for TSO/E session |
| PERFGRP | performance group | Performance group for TSO/E session |
| TSOAUTH | ACCT | ACCOUNT, SYNC, and RACONVRT commands |
| TSOAUTH | JCL | SUBMIT, CANCEL, OUTPUT, and STATUS commands |
| TSOAUTH | MOUNT | Allows the user to issue dynamic allocation requests that result in the need for volume mounting |
| TSOAUTH | OPER | OPERATOR command |
| TSOAUTH | RECOVER | EDIT command recovery facility |
| TSOAUTH | PARMLIB | PARMLIB command (READ access for LIST, UPDATE access for UPDATE) |
| TSOAUTH | TESTAUTH | TESTAUTH command |
| TSOAUTH | CONSOLE | CONSOLE and CONSPROF commands |

Some considerations regarding RACF class TSOAUTH:
- Access level READ permits use of the protected command or facility, whilst UPDATE permits PARMLIB update
- A user must have SPECIAL authority to execute RACONVRT; otherwise, the user needs access to the ACCT profile
- To be able to issue the CONSOLE command, access to profile MVS.MCSOPER.userid in RACF class OPERCMDS is also required
- All users typically require access to profiles JCL and RECOVER
- The number of users with access to the MOUNT profile should be limited
- Avoid coding profiles ACCOUNT and OPERATOR as they are not substitutes for ACCT and OPER
- Restrict access to ACCT, CONSOLE, OPER, and PARMLIB profiles
- Avoid providing access to profile TESTAUTH
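
The considerations above can be checked mechanically once the access lists have been exported from RACF. The following is an added example, not part of the original page: the record layout, the `approved` set, the `mount_limit` threshold and the sample data are all assumptions constructed for illustration.

```python
# Added example. SAMPLE is constructed data, not RACF output. Each record is
# (class, profile, UACC, {user ID: access}); generic profiles and groups are ignored.
LEVEL = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}
RESTRICTED = {"ACCT", "CONSOLE", "OPER", "PARMLIB"}
NOT_SUBSTITUTES = {"ACCOUNT": "ACCT", "OPERATOR": "OPER"}

SAMPLE = [
    ("TSOAUTH", "JCL", "READ", {}),
    ("TSOAUTH", "ACCT", "NONE", {"SECADM1": "READ"}),
    ("TSOAUTH", "ACCOUNT", "NONE", {"SECADM1": "READ"}),
    ("TSOAUTH", "OPER", "READ", {}),
    ("TSOAUTH", "PARMLIB", "NONE", {"SYSPRG1": "UPDATE", "DEV042": "READ"}),
    ("TSOAUTH", "TESTAUTH", "NONE", {"DEV042": "READ"}),
    ("TSOAUTH", "CONSOLE", "NONE", {"OPS01": "READ", "DEV042": "READ"}),
    ("TSOAUTH", "MOUNT", "NONE", {"OPS01": "READ"}),
    ("OPERCMDS", "MVS.MCSOPER.OPS01", "NONE", {"OPS01": "READ"}),
]

def audit(records, approved, mount_limit=5):
    """Return sorted (profile, finding) pairs for the TSOAUTH class."""
    tso = {p: (u, acl) for c, p, u, acl in records if c == "TSOAUTH"}
    oper = {p: (u, acl) for c, p, u, acl in records if c == "OPERCMDS"}
    out = []
    for prof, (uacc, acl) in tso.items():
        holders = {i for i, a in acl.items() if LEVEL[a] >= LEVEL["READ"]}
        is_open = LEVEL[uacc] >= LEVEL["READ"]
        if prof in NOT_SUBSTITUTES:
            out.append((prof, f"is not a substitute for {NOT_SUBSTITUTES[prof]}"))
        elif prof == "TESTAUTH" and (holders or is_open):
            out.append((prof, "access granted; avoid"))
        elif prof == "MOUNT" and (is_open or len(holders) > mount_limit):
            out.append((prof, "access not limited"))
        elif prof in RESTRICTED:
            if is_open:
                out.append((prof, f"UACC({uacc}) on restricted profile"))
            for uid in sorted(holders - approved):
                out.append((prof, f"{uid} not approved"))
        if prof == "PARMLIB":  # UPDATE access allows PARMLIB UPDATE, READ only LIST
            for uid in sorted(i for i, a in acl.items() if LEVEL[a] >= LEVEL["UPDATE"]):
                out.append((prof, f"{uid} can run PARMLIB UPDATE"))
        if prof == "CONSOLE":  # also needs OPERCMDS MVS.MCSOPER.userid
            for uid in sorted(holders):
                u, a = oper.get(f"MVS.MCSOPER.{uid}", ("NONE", {}))
                ok = max(LEVEL[u], LEVEL[a.get(uid, "NONE")]) >= LEVEL["READ"]
                out.append((prof, f"{uid} {'can' if ok else 'cannot yet'} issue CONSOLE"))
    return sorted(out)

if __name__ == "__main__":
    print(*audit(SAMPLE, approved={"SECADM1", "SYSPRG1", "OPS01"}), sep="\n")
```
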