MSO Console Security

The descriptions of configuration file records for MSO Console security assume that standard command authority assignments are in effect. These may be changed by customizing SSCONSEC, the MSO Console command security table. This customization allows commands to be moved from one authorization class to another. SSCONSEC is discussed in The MSO Console.

CONSEC = {INTERNAL|EXTERNAL}

where:

INTERNAL

Allows you to define security rules using the CONSOPER, CONSDTL and CONSUSER configuration statements.

EXTERNAL

Allows the MSO Console to use external SAF-based security. EXTERNAL may only be specified when EXTSEC = YES is specified.

APF authorization is required for EXTERNAL only.

Default: INTERNAL

CONSOPER = userid1,userid2...

where:

userid1,userid2...

Specifies the list of userids that may issue commands from the MSO Console which alter the behavior of MSO or MSO users. This is applicable only if CONSEC is set to INTERNAL. Wildcards using '*' and '?' are permitted. Multiple records may be present if the userid list does not fit on a single line. Blank spaces are not allowed in the list of userids.

APF authorization is not required.

Default: None

CONSDTL = userid1,userid2...

where:

userid1,userid2...

Specifies the list of userids that may see detailed information from other MSO user's sessions (files allocated, screen contents, current statement being executed, etc.). This is applicable only if CONSEC is set to INTERNAL. Wildcards using '*' and '?' are permitted. Multiple records may be present if the userid list does not fit on a single line. Blank spaces are not allowed in the list of userids.

APF authorization is not required.

Default: None

CONSUSER = userid1,userid2...

where:

userid1,userid2...

Specifies the list of userids that are permitted to logon to MSO Console. If a userid appeared in the CONSOPER or CONSDTL statement it is already authorized to logon to Console and need not be specified here. This is applicable only if CONSEC is set to INTERNAL. Wildcards using '*' and '?' are permitted. Multiple records may be present if the userid list does not fit on a single line. Blank spaces are not allowed in the list of userids.

APF authorization is not required.

Default: None

CONSCLASS = classname

where:

classname

Specifies the name of the resource class that is specified to SAF for authorization checking. Users must have READ access to this resource class and the appropriate entity name in order to access MSO Console. This is applicable only if CONSEC is set to EXTERNAL.

APF authorization is required.

Default: FACILITY

CONSENTL = entity-name

where:

entity-name

Specifies the entity name that will be specified to SAF, in conjunction with the resource class specified in CONCLASS, in order to validate logon access to MSO Console. This is applicable only if CONSEC is set to EXTERNAL.

APF authorization is required.

Default: IBI.CONSOLE.LOGON

CONSENTO = entity-name

where:

entity-name

Specifies the entity name that will be specified to SAF, in conjunction with the resource class specified in CONCLASS, in order to validate Operator-style command authority (see CONSOPER, above) in MSO Console. This is applicable only if CONSEC is set to EXTERNAL.

APF authorization is required.

Default: IBI.CONSOLE.OPERATOR

CONSENTD = entity-name

where:

entity-name

Specifies the entity name which will be specified to SAF, in conjunction with the resource class specified in CONCLASS, in order to validate authority to see details on other user's sessions (see CONSDTL, above) in MSO Console. This is applicable only if CONSEC is set to EXTERNAL.

APF authorization is required.

Default: IBI.CONSOLE.DETAIL

Information Builders