My $0.02:
I always use MVS.MSCOPER.&RACUID*/READ in the GAT.
Many years ago I found a presentation where it was explained that the
console name is no longer relevant for security.
Note, the above does not mean *any name*; it is a name like JOHN1 or JOHNABC
(assuming JOHN is the userid). What risk?
IMHO the CONSOLE class nowadays is rarely useful, except
"WHEN(CONSOLE(SDSF))" in OPERCMDS profiles.
--
Radoslaw Skorupka
Lodz, Poland
On 03.07.2025 at 09:26, Colin Paice wrote:
Jon,
My question was about the use of console-names, and giving end users access
to them.
Is there a better way of controlling which console-names can be used, than
the MVS.MSCOPER.&RACUID*/READ profile?
Colin
On Wed, 2 Jul 2025 at 23:29, Jon Perryman <[email protected]> wrote:
On Wed, 2 Jul 2025 13:41:54 +0100, Colin Paice <[email protected]>
wrote:
COLINX 00000290 CANCEL AAAA
TSU03273 00000090 IEE341I AAAA NOT ACTIVE
There is no * on the front of my console-name
An * (asterisk) in the first byte of syslog lines (in this case before
console name) should identify a WTOR. Is this referring to something else?
I like your profile MVS.MSCOPER.&RACUID*/READ. I haven't used that before
... I'll add it to my list of useful commands.
To me, this is a very bad idea. You've opened the first permission in
multi-permission system command protection. Maybe there is a typo in a
subsequent profile. Maybe insufficient testing. New commands weren't
considered in the security design. Is it really so difficult to create a
group with read access for something so powerful?