I think that the original intent was to stop OPERATOR from messing with its own console log, not some other user's. That is even more restrictive. At the very least, all SET SECUSER, even Class G, will have to be disabled on OPERATOR. There are probably other restrictions.
Maybe you need keystroke loggers and video monitoring, too. :-) Regards, Richard Schuh > > The only way to stop the OPERATOR from messing with a user's > console log is to take away the operator's ability to SEND > commands. That means (a) no class C SEND, and (b) no > privileged SET SECUSER. > > I would suggest the operator shouldn't have class C and that > you change the privclass of class A SET SECUSER to something else. > > RACF will not help you with this unless you simply want to > monitor the use of SEND (any privclass). > > Alan Altmark > z/VM Development > IBM Endicott >
