Preparing the IBM Communications Server › Authorize Product Region Command Access

Authorize Product Region Command Access

Note: If you are using CA ACF2 for z/OS, you do not need to perform this task unless it is set up to protect operator commands.

Your product uses z/OS operator VARY commands to perform some functions. These functions include:

• Packet tracing
• Device activations and deactivations
• Dropping connections
• Verifying Telnet LU status

The user ID associated with your product region must be authorized by your security system to issue these commands. The following OPERCMDS resources require UPDATE access level:

• MVS.VARY.TCPIP.PKTTRACE
• MVS.VARY.TCPIP.OBEYFILE
• MVS.VARY.TCPIP.DROP
• MVS.VARY.TCPIP.TELNET.ACT
• MVS.VARY.TCPIP.TELNET.INACT

Authorize individual users to the OPERCMDS resources if you:

• Plan to configure your system to use SAF user security
• Are using a partial security exit that returns a SAF UTOKEN (for example, NMSAFPX)

Example: Authorization in a CA ACF2 System that Protects Operator Commands

$KEY(MVS) TYPE(OPR)
VARY.TCPIP.- UID(uid_string) SERVICE(UPDATE) ALLOW

Example: Authorization in a CA Top Secret System

TSS PER(XXXXXX) OPERCMD(MVS.VARY.) ACCESS(UPDATE)

Example: Authorization in a RACF System

PE MVS.VARY.TCPIP.* CLASS(OPERCMDS) ID(uuuuuuu) ACCESS(UPDATE)