Security considerations for the VARY command

You can restrict access to the VARY TCPIP command by defining RACF® profiles under the OPERCMDS class and specifying the list of users that are authorized to issue the VARY TCPIP command. You can decide on the level of control that is appropriate for your installation. For example, you might want to allow a user to start or stop a TCP/IP device using the VARY TCPIP command without allowing that user to modify the TCP/IP configuration.

The RACF profile names that restrict access to each of the VARY TCPIP commands are listed under each command's usage notes. You can use the control statements in the sample JCL job that is provided in SEZAINST(EZARACF) to define these profile names.

Requirement: CONTROL access to each profile is required to enable you to issue the VARY TCPIP command.

To restrict all of the VARY TCPIP commands, you can define a generic profile as follows:
RDEFINE OPERCMDS (MVS.VARY.TCPIP.**) UACC(NONE)
PERMIT MVS.VARY.TCPIP.** ACCESS(CONTROL) CLASS(OPERCMDS) ID(USER1)
In this example, only user ID USER1 is allowed to issue any VARY TCPIP operator commands. In another example, if you wanted to restrict usage of the VARY TCPIP,,OBEYFILE command to user ID USER2, you could make the following definitions:
RDEFINE OPERCMDS MVS.VARY.TCPIP.OBEYFILE UACC(NONE)
PERMIT MVS.VARY.TCPIP.OBEYFILE ACCESS(CONTROL) CLASS(OPERCMDS) ID(USER2)
Note: If you want to restrict the use of the VARY TCPIP,,OBEYFILE command, you must issue RDEFINE OPERCMDS for MVS.VARY.TCPIP and MVS.VARY.TCPIP.OBEYFILE, and then issue a PERMIT that gives the specified ID an ACCESS of at least CONTROL for the OPERCMDS class.
The RACF OPERCMDS class must be activated for any of these profiles to take effect. You must also ensure that the appropriate RACF options are specified to enable you to define generic RACF profiles for these profiles. This can be accomplished by the following RACF commands:
SETR CLASSACT(OPERCMDS)
SETR GENERIC(OPERCMDS)
SETR GENCMD(OPERCMDS)
SETR RACLIST(OPERCMDS)
Before the profiles take effect, a refresh of these RACF profiles might be required. This can be accomplished by the following RACF commands:
SETR GENERIC(OPERCMDS) REFRESH
SETR RACLIST(OPERCMDS) REFRESH
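
An added example (not IBM's code and not part of the original page): a simplified Python model of RACF profile selection, showing who can issue what if both sets of definitions above are in place at once. It assumes the usual RACF rule that a single profile governs each check (a discrete match first, otherwise the most specific generic) and that access lists are not merged; `MVS.VARY.TCPIP.STRTSTOP`, the profile name for VARY TCPIP,,START and STOP, does not appear on this page.

```python
# Simplified model (assumption): only exact names and trailing ".**" generics
# are handled, which is all the definitions on this page use.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


class Profile:
    def __init__(self, name, uacc="NONE", permits=None):
        self.name = name
        self.uacc = uacc
        self.permits = dict(permits or {})  # user ID -> access level

    def is_generic(self):
        return self.name.endswith(".**")

    def covers(self, resource):
        if not self.is_generic():
            return self.name == resource  # discrete profile: exact match only
        prefix = self.name[:-3]
        # "**" stands for zero or more qualifiers
        return resource == prefix or resource.startswith(prefix + ".")


def governing_profile(profiles, resource):
    """Return the one profile that decides access to the resource, or None."""
    matches = [p for p in profiles if p.covers(resource)]
    if not matches:
        return None
    # Discrete beats generic; among generics the longest literal prefix wins.
    return max(matches, key=lambda p: (not p.is_generic(), len(p.name)))


def can_issue(profiles, user, resource, needed="CONTROL"):
    """True/False from the governing profile; None if no profile covers it."""
    p = governing_profile(profiles, resource)
    if p is None:
        return None  # no RACF decision; outside the scope of this model
    granted = p.permits.get(user, p.uacc)  # not on the access list -> UACC
    return LEVELS.index(granted) >= LEVELS.index(needed)


# Both examples from the text, defined together (constructed scenario).
PROFILES = [
    Profile("MVS.VARY.TCPIP.**", "NONE", {"USER1": "CONTROL"}),
    Profile("MVS.VARY.TCPIP.OBEYFILE", "NONE", {"USER2": "CONTROL"}),
]

if __name__ == "__main__":
    for user in ("USER1", "USER2"):
        for res in ("MVS.VARY.TCPIP.STRTSTOP", "MVS.VARY.TCPIP.OBEYFILE"):
            print(user, res, can_issue(PROFILES, user, res))
```

Under this model USER1 no longer has OBEYFILE authority once the discrete profile exists, so USER1 must be added to that profile's access list if both users are meant to issue the command.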