TSO CONSOLE command Authority
Robert Zenuk
CONSOLE feature to issue MVS commands and capture the results. I have
actually used this successfully in some shops. I am now doing some work in a
new shop that does not have the security set up for this. I have tried to
look in the TSO and RACF books and maybe I'm blind, but I can't find it.
Can someone please send me an explicit page reference or sample RACF
statements to accomplish this?
If anyone has this for Top Secret as well, that also would be greatly
appreciated. While we're at it let's round out the field and ask for ACF2 as
well.
Thanks,
Robert Zenuk
robz...@aol.com
Ben Cowan
a Rexx exec, since I tend to forget things...
RACF ONLY:
/*-------------------------------------------------------------------*/
/* Setup a user with MCS Console Authority */
/*-------------------------------------------------------------------*/
"ALTUSER whoever OPERPARM(AUTH(MASTER))"
"SETROPTS RACLIST(OPERCMDS) REFRESH"
"PERMIT CONSOLE CLASS(TSOAUTH) ID(whoever) ACCESS(READ)"
"SETROPTS RACLIST(TSOAUTH) REFRESH"
Robert Zenuk
I get the following results when I run the EXEC with a trace:
5 *-* arg id
>>> "RZENUK"
6 *-* "ALTUSER" id "OPERPARM(AUTH(MASTER))"
>L> "ALTUSER"
>V> "RZENUK"
>O> "ALTUSER RZENUK"
>L> "OPERPARM(AUTH(MASTER))"
>O> "ALTUSER RZENUK OPERPARM(AUTH(MASTER))"
7 *-* "SETROPTS RACLIST(OPERCMDS) REFRESH"
>L> "SETROPTS RACLIST(OPERCMDS) REFRESH"
8 *-* "PERMIT CONSOLE CLASS(TSOAUTH) ID("id") ACCESS(READ)"
>L> "PERMIT CONSOLE CLASS(TSOAUTH) ID("
>V> "RZENUK"
>O> "PERMIT CONSOLE CLASS(TSOAUTH) ID(RZENUK"
>L> ") ACCESS(READ)"
>O> "PERMIT CONSOLE CLASS(TSOAUTH) ID(RZENUK) ACCESS(READ)"
ICH06004I CONSOLE NOT DEFINED TO RACF
+++ RC(8) +++
9 *-* "SETROPTS RACLIST(TSOAUTH) REFRESH"
>L> "SETROPTS RACLIST(TSOAUTH) REFRESH"
***
These are the active classes from SETROPTS:
ACTIVE CLASSES = DATASET USER GROUP FACILITY TSOPROC ACCTNUM TSOAUTH OPERCMDS
CONSOLE SURROGAT STARTED
Is there anything else I need to do? Is this off topic?
In a message dated 02/07/2001 9:32:15 AM US Mountain Standard Time,
bco...@NEVADA.EDU writes:
> /*-------------------------------------------------------------------*/
> /* Setup a user with MCS Console Authority */
> /*-------------------------------------------------------------------*/
> "ALTUSER whoever OPERPARM(AUTH(MASTER))"
> "SETROPTS RACLIST(OPERCMDS) REFRESH"
> "PERMIT CONSOLE CLASS(TSOAUTH) ID(whoever) ACCESS(READ)"
> "SETROPTS RACLIST(TSOAUTH) REFRESH"
Thanks,
Robert Zenuk
robz...@aol.com
Itschak Mugzach
UACC(NONE)
Robert Zenuk
Refreshed with: SETROPTS RACLIST(TSOAUTH) REFRESH
RLIST TSOAUTH CONSOLE shows:
CLASS NAME
----- ----
TSOAUTH CONSOLE
LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING
----- -------- ---------------- ----------- -------
00 SYS1 READ READ NO
INSTALLATION DATA
-----------------
NONE
APPLICATION DATA
----------------
NONE
AUDITING
--------
FAILURES(READ)
NOTIFY
------
NO USER TO BE NOTIFIED
I signed off and on and still received:
IKJ55305I USER RZENUK DOES NOT HAVE CONSOLE COMMAND AUTHORITY.
when I try to issue a CONSOLE command.
In a message dated 02/07/2001 12:01:47 PM US Mountain Standard Time,
i_mu...@SECURITEAM.CO.IL writes:
> RLIST CONSOLE CLASS(TSOAUTH)
> UACC(NONE)
Thanks,
Robert Zenuk
Ben Cowan
the RDEFINE had not yet been done?
Tony Harminc
> There have been many wonderful examples on this list on how to use the
> TSO CONSOLE feature to issue MVS commands and capture the results. I
> have actually used this successfully in some shops. I am now doing
> some work in a new shop that does not have the security set up for
> this. I have tried to look in the TSO and RACF books and maybe I'm
> blind, but I can't find it.
Something else to keep in mind is that a UADS-using shop can enable
CONSOLE usage by setting a magic bit in the PSCB.
I found it works fine to just edit your UADS entry with ISPF, and
carefully turn on the X'01' bit in the byte at offset decimal 16 (0
origin). This is the same byte that contains the OPER, ACCOUNT, and
JCL authorization, so its value will vary from one userid to another.
Just OR in the X'01' using the change command (don't overtype the
line because the 3270 will mess up the various non-display bytes).
The target userid has to be logged off at the time or else the UADS
entry will be refreshed from the PSCB and the change will be lost.
Alternatively one could write a little APF program to turn on the
PSCB bit, and then at logoff it would be written to UADS.
Tony H.
Robert Zenuk
arg id
/*"RDEF TSOAUTH CONSOLE UACC(READ)"*/
"ALTUSER" id "OPERPARM(AUTH(MASTER))"
"SETROPTS RACLIST(OPERCMDS) REFRESH"
"PERMIT CONSOLE CLASS(TSOAUTH) ID("id") ACCESS(READ)"
"SETROPTS RACLIST(TSOAUTH) REFRESH"
and still had the same problem...
IKJ55305I USER RZENUK DOES NOT HAVE CONSOLE COMMAND AUTHORITY.
Thanks,
Robert Zenuk
robz...@aol.com
Seibert, Dave
It just doesn't like you.
Have you had any unpleasant personal experiences with ACF2? Top-Secret?
These security packages are known to be very sensitive and I hear they ALL
talk to one another.
Perhaps you could fool it with another Userid?
Be careful out there.
David Seibert
Itschak Mugzach
Itschak Mugzach, Manager
Large systems support (OS/390)
ISRACARD (Mastercard) Ltd
Telephoen: +972-3-6895885
celualr +972-52-986404
reply to imug...@isracard.co.il
> -----Original Message-----
> From: Robert Zenuk [SMTP:Robz...@AOL.COM]
> Sent: ה פברואר 08 2001 2:00
> To: TSO-...@VM.MARIST.EDU
> Subject: Re: TSO CONSOLE command Authority
>
Robert Zenuk
Mom, RACF is picking on me again....
Thanks,
Robert Zenuk
robz...@aol.com
James Melin
entrered to change authorities but in-memory tables had to be rebuilt
before the changes were 'recognized' by the system. PErhaps something like
that has to be done for RACF?