SYS1.UADS is the default dataset listing users that are allowed to use TSO/E [1]. Most sites that have RACF or other security products installed use those products to maintain their TSO/E logon information [2]. For a first-time installation of RACF, IBM provides a command called RACONVRT to move users from SYS1.UADS to the RACF database [3]. Before you do this, RACF must be set up to protect TSO resources [4]. Once your site is using RACF to manage TSO users (or if it already is), you can define specific logon procedures for specific users, and allow or disallow users to use certain logon procedures.
Logon procedures:
Say we have a given logon procedure we would like to define, TSLOGP in SYS2.PROCLIB.
At minimum, a logon procedure must have a terminal monitor program (TMP), which is a program that allows a user session to communicate with TSO/E [5]. You may be familiar with the IKJEFT01, IKJEFT1A, and IKJEFT1B TMPs. They can also be used in a JCL job to run commands that you would typically enter in your session, but in a batch environment outside of it; this keeps your screen free so you can keep working while a long-running command executes.
Let’s assume the SYS2.PROCLIB(TSLOGP) procedure looks something like this:
//TSLOGP EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSIN DD TERM=TS
//SYSPRINT DD TERM=TS
This is a minimal logon procedure [6]; it does not define things such as ISPF panels, or other macros or software products. With this logon procedure a user will be limited to working directly from TSO/E. Like the name of a job in the job card, the first //TSLOGP is the name of our procedure. We are executing IKJEFT01, and the SYSIN and SYSPRINT DDs are both set to the user's terminal session. This allows us to enter TSO commands to IKJEFT01 and have it return the output to our terminal. The DYNAMNBR parameter sets how many datasets you can dynamically allocate at the same time [6], meaning datasets that are allocated with the TSO ALLOC command, for example.
Defining logon procedures to RACF and permitting their use:
- RDEFINE TSOPROC <your proc name> UACC(NONE) – or UACC(READ) if you want everyone to be able to use it
- PERMIT <your proc name> CLASS(TSOPROC) ID(<your id>) ACCESS(READ) – needed if you defined it with UACC(NONE)
- SETROPTS RACLIST(TSOPROC) REFRESH – to refresh the in-storage TSOPROC profiles. You should now be able to log on with your new procedure.
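As an added example (not from the original post), the same three RACF commands can be run in a batch job under IKJEFT01, the TMP the TSLOGP procedure itself executes, followed by an RLIST to confirm who can use the procedure. In batch the TMP reads commands from SYSTSIN and writes to SYSTSPRT; the job card values and the user ID USER01 are placeholders.

```jcl
//RACFTSO  JOB (ACCT),'DEFINE TSLOGP',CLASS=A,MSGCLASS=X
//* Constructed example: ACCT and USER01 are placeholders, not site values.
//* Run the RACF commands in batch under IKJEFT01 so the result is kept
//* in the SYSTSPRT listing instead of scrolling past on the terminal.
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RDEFINE  TSOPROC TSLOGP UACC(NONE)
  PERMIT   TSLOGP CLASS(TSOPROC) ID(USER01) ACCESS(READ)
  SETROPTS RACLIST(TSOPROC) REFRESH
  RLIST    TSOPROC TSLOGP AUTHUSER
/*
```

The RLIST output in SYSTSPRT should show UACC NONE and USER01 with READ on the access list; any other ID or a UACC of READ means the procedure is usable more widely than intended.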
Resources:
[1] IBM – Content and structure of the UADS
[2] IBM – Using the RACF data base to maintain TSO/E users
[3] IBM – Using the RACONVRT command
[4] IBM – Protecting TSO resources
[5] IBM – Executing the terminal monitor program
[6] IBM – Writing a logon procedure