Activating the MSO Console requires additional installation steps, which are summarized in Installing MSO. The following is an overview of the installation process. |
In this section: |
In order to activate the MSO Console, the following steps must be performed:
CONSEC = INTERNAL
in the MSO Configuration file, and specify the CONSOPER, CONSDTL, and CONSUSER records as appropriate.
If external security is to be used, specify
CONSEC = EXTERNAL
in the MSO Configuration file, and specify the CONSCLASS, CONSENTO, CONSENTD, and CONSENTL records if the defaults are inappropriate for your site, as described in Security. You must also supply the appropriate access rules in your security system in order to enable access to MSO Console. If external security is used, MSO must be running with EXTSEC = YES specified in the MSO configuration file.
The above configuration file records are described in detail in The MSO Configuration File.
SMFNUM = 0
This allows the display of storage, CPU, and I/O details in the Display Users panel.
The MSO Console provides both authorization levels of security and control of access to the MSO Console.
The MSO Console provides three levels of security: operator, detail, and logon.
Operator authority allows a user to issue MSO operator commands, which affect the region's operation. This includes actual MSO operator commands, as well as operator-style commands from the panels.
Detail authority allows a user to see details on other users, such as their current FOCEXEC, the current screen contents, and which files are allocated to the user.
Logon authority allows a user to log on to the console. Logon authority enables a user to see I/O and CPU statistics, and to see which userids and services are active. Users with logon authority always have detail and operator authority over users who are logged on to MSO with the same userid as their own.
The actual association of a given function with a given level of authority may be tailored by customizing SSCONSEC, as described below.
Internal security is controlled by listing the userids that have access to the console in the MSO configuration file. Wildcards may be used to simplify administration. The CONSOPER, CONSDTL, and CONSUSER records are used for internal security, and are described in The MSO Configuration File.
Note: With internal security, CONSUSER is automatically implied when either CONSOPER or CONSDTL is specified for a userid.
External security is controlled by validating access to the MSO Console through SAF. By default, a resource class of "FACILITY" is used, and the following resource names (also known as entities) are used:
Access |
Entity |
OPERATOR |
IBI.CONSOLE.OPERATOR |
DETAIL |
IBI.CONSOLE.DETAIL |
LOGON |
IBI.CONSOLE.LOGON |
The resource class and/or resource names may be changed by specifying the CONSCLASS, CONSENTO, CONSENTD, and CONSENTL records in the MSO configuration file, if the defaults are not adequate.
When a user attempts to log on to the MSO Console with external security, three calls are made to SAF to validate access: READ access to the LOGON rule, READ access to the DETAIL rule, and READ access to the OPERATOR rule. A user must have LOGON access in order to use the MSO Console.
Following is an example of RACF rules that might be used if the default class and resource names are in effect:
RDEFINE facility ibi.console.logon uacc(read)
RDEFINE facility ibi.console.detail uacc(none)
RDEFINE facility ibi.console.operator uacc(none)
PERMIT ibi.console.operator class(facility) acc(read) id(sys user1)
PERMIT ibi.console.detail class(facility) acc(read) id(sys user2)
The MSO Console divides functions into different classes: Operator, Detail, and User. It also allows certain commands to be executed against a subtask when the userid associated with the subtask is the same as the userid of the MSO Console operator. If desired, you may change the classes to which functions are assigned. These classes are then assigned to users through the MSO configuration file.
The table SSCONSEC contains the association between functions and their classes. Source code for SSCONSEC is found in MSO.DATA(SSCONSEC). As shipped, the table contains the following:
Function |
Operator |
Detail |
User |
Same User |
Issue operator commands |
Yes |
No |
No |
Yes |
View user accounting information |
Yes |
Yes |
Yes |
Yes |
View user's currently-executing command |
No |
Yes |
No |
Yes |
View user's screen |
No |
Yes |
No |
Yes |
View user data set allocations |
No |
Yes |
No |
Yes |
Enter debugger |
Yes |
Yes |
No |
n/a |
View MSO log |
Yes |
Yes |
Yes |
n/a |
Data set browser |
Yes |
Yes |
No |
Yes |
Control traces |
Yes |
No |
No |
No |
To change these associations, edit SSCONSEC as appropriate, and then assemble and link-edit it.
Information Builders |