On Monday, 10/26/2009 at 04:24 EDT, "Schuh, Richard" <rsc...@visa.com> wrote:
> I think that the original intent was to stop OPERATOR from messing with its own
> console log, not some other user's. That is even more restrictive. At the very
> least, all SET SECUSER, even Class G, will have to be disabled on OPERATOR.
> There are probably other restrictions.

If you want a user to be unable to muck with his or her own console log, you must move the SPOOL and CONSOLE commands to another privclass and put COMMAND SPOOL CONS START TO <otheruser> in USER DIRECT. Take away class D TRANSFER or use RACF to manage access to <otheruser>'s spool files. In the case of OPERATOR, watch out for OPERATIONS authority - some people naively give OPERATOR too much authority.

Alan Altmark
z/VM Development
IBM Endicott