IBM OS/390 User Manual

You may choose to assign account numbers to your users for accounting or
other purposes. This account number can be from 1-40 alphameric characters,
not containing a blank, tab, quotation mark, apostrophe, comma, semicolon, or
line control character. You use the RACF ACCTNUM resource class to authorize
use of account numbers. Please refer to the TSO/E Customization book or the
RACF Security Administrator's Guide for more details on account numbers.
TSO/E allows you to specify the authority to use or a restriction against using the
ACCOUNT, OPERATOR, SUBMIT, STATUS, CANCEL, and OUTPUT commands by
defining resource profiles in RACF's TSOAUTH resource class. Again, TSO/E
Customization and the RACF Security Administrator's Guide have more
information on this topic.
You use commands similar to the following to create a TSO/E user with roughly
the capabilities of the ICCF System Administrator. You issue the RDEFINE
command only once; you do not need it again for users you add subsequently.
ADDUSER AAAA PASSWORD(secret) SPECIAL
ALTUSER AAAA TSO(PROC(LOGROUT))
RDEFINE TSOAUTH (ACCT JCL OPER MOUNT PARMLIB) UACC(NONE)
PERMIT ACCT    CLASS(TSOAUTH) ID(AAAA) ACCESS(READ)
PERMIT JCL     CLASS(TSOAUTH) ID(AAAA) ACCESS(READ)
PERMIT OPER    CLASS(TSOAUTH) ID(AAAA) ACCESS(READ)
PERMIT MOUNT   CLASS(TSOAUTH) ID(AAAA) ACCESS(READ)
PERMIT PARMLIB CLASS(TSOAUTH) ID(AAAA) ACCESS(READ)
Of course, AAAA will not normally need authority to use the ACCOUNT
command (ACCT resource in the TSOAUTH class) but it does not hurt for AAAA
to have this authority and it may prove helpful at some time. As an
administrator, though, AAAA could give himself this authority. You might also
wish to choose different "universal access" rules (UACC) for the JCL resource,
which gives the ability to submit batch jobs. Often all users can submit batch
jobs, and you would assign a UACC of READ to cover this situation.
In this example, TSO/E user AAAA with password "secret" uses a LOGON
procedure named LOGROUT. He has no default account number, and TSO/E
does not check authority to use account numbers until you configure the RACF
ACCTNUM class. AAAA has authority to use the ACCOUNT command (ACCT),
the OPERATOR command (OPER), and the SUBMIT, STATUS, CANCEL, and
OUTPUT commands (JCL). He is also able to request volume mounts as
necessary. In addition, AAAA has authority to tell TSO/E, via the PARMLIB
command, to change its configuration parameters. TSO/E will normally use the
parameters contained in member IKJTSO00 in partitioned data set
SYS1.PARMLIB. After a change to this member, the TSO/E PARMLIB command
will tell TSO/E to use the new parameters without requiring a system IPL.
A terminal user who will be using TSO/E for application development will also
have a user profile. However, such a user would probably not have authorization
to use the ACCOUNT or OPERATOR commands, nor would he be authorized to
request volume mounts.
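The contrast between the administrator and an application developer can be captured in a small generator that emits the RACF commands per role and checks account numbers against the rule stated earlier. This is an added example, not code from the workbook; it goes beyond the page's single user by also emitting ACCTNUM class commands (RDEFINE and PERMIT in that class, and the ACCTNUM operand of the TSO segment), which the page names but does not show. The user BBBB, the account number D1234, the role names, and the choice to give a developer only the JCL resource are assumptions.

```python
import unicodedata

# Characters the page says an account number may not contain.
FORBIDDEN = set(' \t"\',;')

# TSOAUTH resources per role. ADMIN mirrors user AAAA on the page; DEVELOPER
# follows the page's description (no ACCOUNT, OPERATOR or volume mounts).
# Giving DEVELOPER only JCL is this example's assumption.
ROLES = {
    "ADMIN": ("ACCT", "JCL", "OPER", "MOUNT", "PARMLIB"),
    "DEVELOPER": ("JCL",),
}


def valid_account_number(acct):
    """1-40 characters, none of them forbidden. Any control character is
    rejected as a 'line control character' (assumption)."""
    if not 1 <= len(acct) <= 40:
        return False
    return not any(c in FORBIDDEN or unicodedata.category(c) == "Cc"
                   for c in acct)


def racf_commands(users, procedure="LOGROUT", define_tsoauth=True):
    """users: (userid, role, initial_password, account_number_or_None) tuples.
    Pass define_tsoauth=False once the TSOAUTH profiles already exist."""
    cmds, defined_accts = [], set()
    if define_tsoauth:
        cmds.append("RDEFINE TSOAUTH (%s) UACC(NONE)" % " ".join(ROLES["ADMIN"]))
    for userid, role, password, acct in users:
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        if acct is not None and not valid_account_number(acct):
            raise ValueError(f"invalid account number {acct!r}")
        special = " SPECIAL" if role == "ADMIN" else ""
        cmds.append(f"ADDUSER {userid} PASSWORD({password}){special}")
        tso = f"PROC({procedure})" if acct is None else f"ACCTNUM({acct}) PROC({procedure})"
        cmds.append(f"ALTUSER {userid} TSO({tso})")
        for res in ROLES[role]:
            cmds.append(f"PERMIT {res} CLASS(TSOAUTH) ID({userid}) ACCESS(READ)")
        if acct is not None:
            if acct not in defined_accts:  # one ACCTNUM profile per account
                cmds.append(f"RDEFINE ACCTNUM {acct} UACC(NONE)")
                defined_accts.add(acct)
            cmds.append(f"PERMIT {acct} CLASS(ACCTNUM) ID({userid}) ACCESS(READ)")
    return cmds


if __name__ == "__main__":
    # Constructed sample users; BBBB and account number D1234 are hypothetical.
    for line in racf_commands([("AAAA", "ADMIN", "secret", None),
                               ("BBBB", "DEVELOPER", "secret2", "D1234")]):
        print(line)
```

The generated commands are issued from a TSO/E session by a user with sufficient RACF authority; the initial passwords here are constructed sample values.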
The TSO/E Information Center Facility (ICF) provides an ENROLL facility for the
TSO/E administrator. This facility will add TSO/E users to RACF or UADS (the
administrator's choice) as well as performing other necessary tasks.
VSE to OS/390 Migration Workbook