Hello,
I read this in the JES2 Initialization and Tuning Guide.
Before JES2 completes a request for a resource from a user, JES2 requests authorization from SAF. SAF passes the request to RACF which determines the authority based on the existing profiles. If RACF is not active or cannot determine the authorization for a resource, JES2 carries out its own security processing, if any, for that resource. The z/OS Security Server RACF Security Administrator's Guide has additional information about profiles and access.
JES2 has a number of JES2 initialization statement parameters and installation exits that you can use to protect JES2. Some of the resources that you can protect using JES2-provided facilities include:
- NJE communication lines
- RJE communication lines
- Remote workstation SIGNON/LOGON
- VTAM® sessions
- Commands
Operation command protection mechanisms can be:
- Console authorities
- JES2 HASPPARM authorities
- OPERCMDS profiles
- FACILITY CSV‐prefixed profiles
To prevent unauthorized access, I would suggest that your security administrator define the needed rules in the OPERCMDS class.
Check this article: https://www.ibm.com/docs/en/zos/2.3.0?topic=security-authorizing-use-operator-commands
Hope this helps.
Bobby
------------------------------
Bobby Borisov
------------------------------
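As an added example (not part of the reply above and not IBM's sample), these RACF TSO commands sketch the kind of OPERCMDS rules the reply suggests. The group names OPSGRP and SYSPROG are hypothetical, and the profiles assume the subsystem name is JES2. With a catch-all profile in place, RACF always has a profile to decide on, so the fallback to JES2's own processing described in the quoted guide no longer applies to these commands.

```racf
/* Constructed example: OPSGRP and SYSPROG are hypothetical groups.  */
/* Profile names begin with the JES2 subsystem name, assumed JES2.   */

/* Activate the class, enable generic profiles, keep them in storage */
SETROPTS CLASSACT(OPERCMDS) GENERIC(OPERCMDS)
SETROPTS RACLIST(OPERCMDS)

/* Catch-all: any JES2 command not covered by a more specific        */
/* profile is denied and the failure is logged                       */
RDEFINE OPERCMDS JES2.** UACC(NONE) AUDIT(FAILURES(READ))

/* Display commands: READ is sufficient                              */
RDEFINE OPERCMDS JES2.DISPLAY.** UACC(NONE)
PERMIT JES2.DISPLAY.** CLASS(OPERCMDS) ID(OPSGRP) ACCESS(READ)

/* System programmers: CONTROL on everything under the catch-all     */
PERMIT JES2.** CLASS(OPERCMDS) ID(SYSPROG) ACCESS(CONTROL)

/* Make the new profiles and permits effective                       */
SETROPTS RACLIST(OPERCMDS) REFRESH

/* Check who is on the access list                                   */
RLIST OPERCMDS JES2.** AUTHUSER
```

Put the permits for every ID that must issue JES2 commands in place before the REFRESH, since the catch-all denies everyone else from that point on.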
Original Message:
Sent: Thu January 18, 2024 09:01 PM
From: LIAN CHENG DENG
Subject: OPERCMDS profile definition
Dear support,
It's about a RACF question. As we know, JES2 and MVS commands can be protected by the OPERCMDS class. My question is: if we don't define any profile prefixed with JES2.*, why do TSO users still have authorization to submit JES2 commands? Is it the default access option that controls the protection in OPERCMDS? Thanks!
------------------------------
LIAN CHENG DENG
------------------------------