Protecting TSO resources

You can use RACF® to protect certain TSO resources. These resources include TSO logon procedures, account numbers, and performance groups. In addition, you can protect resources called TSO user authorities, whose settings determine whether a user can issue certain authorized TSO commands. Examples of TSO user authorities include ACCT, JCL, MOUNT, OPER, RECOVER, PARMLIB, TESTAUTH, and CONSOLE. For detailed information about the TSO resources you can protect with RACF, see z/OS TSO/E Customization.

If you are defining TSO segments in user profiles, you must protect these TSO resources, using the following general resource classes:
  • TSOPROC (for protecting TSO logon procedures)
  • ACCTNUM (for protecting TSO account numbers)
  • PERFGRP (for protecting TSO performance groups)
  • TSOAUTH (for protecting TSO user authorities)
The following access authorities apply to these resources:
NONE
No access allowed.
READ
For TSOPROC, ACCTNUM, and PERFGRP, allows users to specify the logon procedure, account number, or performance group when logging on.

For TSOAUTH, gives the user the authority to issue the associated authorized TSO command.

For PARMLIB, allows the user to issue the PARMLIB LIST command.

For TESTAUTH, allows the user to invoke a program in authorized state.

UPDATE
For PARMLIB, allows the user to issue the PARMLIB UPDATE command. For the other profiles, UPDATE is the same as READ.
CONTROL
Same as READ.
ALTER
Allows users to change the profile, if the profile is discrete.
To control the use of TSO resources, issue RACF commands in the following sequence:
  1. Activate the TSO general resource classes:
    SETROPTS CLASSACT(TSOPROC ACCTNUM PERFGRP TSOAUTH)
    Considerations when activating the TSO resource classes: Assume that you have defined a user profile for user SMITH that contains a TSO segment.
    • If you do not activate the TSOPROC and ACCTNUM classes, user SMITH cannot log on to TSO because RACF cannot check SMITH's authority to use the logon procedure and account number specified on the logon panel. TSOPROC and ACCTNUM must be active so that users whose profiles contain TSO segments can log on to TSO.
    • If you do not activate the PERFGRP class and user SMITH specifies a performance group on the logon panel, SMITH cannot log on to TSO because RACF cannot check SMITH's authority to access the specified performance group. However, SMITH can log on to TSO when the performance group is deleted from the logon panel. Activate the PERFGRP class if your installation intends to use TSO performance groups.
    • If you do not activate the TSOAUTH class, user SMITH can log on to TSO but will not have any assigned TSO user authorities such as JCL or MOUNT. Activate the TSOAUTH class and give SMITH READ access authority to the appropriate resources in the TSOAUTH class if your installation is specifying user authorities when defining users to the system.
  2. Create profiles to protect TSO resources. The following example shows how to define logon procedure LOGPROC1 to the TSOPROC resource class and assign it a UACC of READ. (A UACC of READ grants all users the ability to use the logon procedure.)
    RDEFINE TSOPROC LOGPROC1 UACC(READ)
    To protect a TSO resource so that a limited number of users can access it, you can define it and specify a UACC of NONE. Then you can create an access list containing only those users who require access to the resource. The following example shows how to define a logon procedure, LOGPROC2, in the TSOPROC resource class and protect it with a UACC of NONE.
    RDEFINE TSOPROC LOGPROC2 UACC(NONE)
    Considerations for creating profiles for TSO resources:
    • For the TSOPROC class, the profile name must be the name of the logon procedure itself (no generic characters are allowed).
    • For the ACCTNUM class, the profile name can be up to 39 characters long.

      You should create at least one profile in the ACCTNUM class.

      If you want a particular user to log on without an account number, you must ensure that the user has no access to any ACCTNUM profile. This means that you cannot specify UACC(READ) for any ACCTNUM profile. Also, a user can have access to an ACCTNUM profile by means of a connect group. If a user has access to one or more account numbers, the first such account number that RACF encounters when searching the RACF database becomes that user's default account number and is saved in the TSO segment of the user's profile. You can find out which account number is used by issuing the following command:
      SEARCH CLASS(ACCTNUM) USER(userid)
      The first account number listed is used. For example, you if you want to allow only two account numbers, D1001 and D1002, and you want to ensure that users log on with at least one of them, create the following profiles:
      RDEFINE ACCTNUM D1001 UACC(READ)
      RDEFINE ACCTNUM D1002 UACC(READ)
      RDEFINE ACCTNUM ** UACC(NONE)
      Note: Because of the order in which RACF searches the RACF database, account number D1001 is the default assigned to any user who logs on with a blank account number. To determine the search order in which profiles are used, issue SEARCH or RLIST command for the class. For example:
      SEARCH CLASS(ACCTNUM)
    • For the PERFGRP class, the profile name must be the number of the performance group itself (no generic characters are allowed).
    • For the TSOAUTH class, you should consider creating discrete profiles for each TSO attribute. The following examples assume that only a few users should be able to request mounts, but that every user (except those specifically disallowed) should be able to submit batch jobs:
      RDEFINE TSOAUTH MOUNT UACC(NONE)
      RDEFINE TSOAUTH JCL UACC(READ)
  3. Use the PERMIT command to allow users and groups to use the TSO resources. The following example shows how to allow users USERA and USERB to specify logon procedure LOGPROC2 when they log on using TSO:
    PERMIT LOGPROC2 CLASS(TSOPROC) ID(USERA USERB) ACCESS(READ)
  4. Activate SETROPTS RACLIST processing for the TSO general resource classes:
    SETROPTS RACLIST(TSOPROC ACCTNUM PERFGRP TSOAUTH)

    For more information on SETROPTS RACLIST processing, see SETROPTS options to activate in-storage profile processing.

    Note: If SETROPTS RACLIST processing is already activated for the TSO general resource classes, you must refresh SETROPTS RACLIST processing:
    SETROPTS RACLIST(TSOPROC ACCTNUM PERFGRP TSOAUTH) REFRESH

    For more information on refreshing SETROPTS RACLIST processing, see Refreshing profiles for SETROPTS RACLIST processing.