Jon,

My question was about the use of console-names, and giving end users access to them. Is there a better way of controlling which console-names can be used, than the MVS.MSCOPER.&RACUID*/READ profile?

Colin

On Wed, 2 Jul 2025 at 23:29, Jon Perryman <[email protected]> wrote:

> On Wed, 2 Jul 2025 13:41:54 +0100, Colin Paice <[email protected]> wrote:
>
> > COLINX 00000290 CANCEL AAAA
> > TSU03273 00000090 IEE341I AAAA NOT ACTIVE
> >There is no * on the front of my console-name
>
> An * (asterisk) in the first byte of syslog lines (in this case before
> console name) should identify a WTOR. Is this referring to something else?
>
> >I like your profile MVS.MSCOPER.&RACUID*/READ I haven't used that before
> >... I'll add it to my list of useful commands.
>
> To me, this is a very bad idea. You've opened the first permission in
> multi-permission system command protection. Maybe there is a typo in a
> subsequent profile. Maybe insufficient testing. New commands weren't
> considered in the security design. Is it really so difficult to create a
> group with read access for something so powerful?
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
