Conditional access processing

RACF can give a user greater authority to access resources if that user is signed on at a particular terminal or console. This is called conditional access processing.

You grant conditional access to a resource by adding
WHEN(TERMINAL(netname))
or
WHEN(CONSOLE(console-name))
to the PERMIT command.
The following example allows members of the PAYROLL group to read the SALARY file wherever they are signed on, but to update it only from the terminal with netname PAY001. Issue the following commands:
RDEFINE FCICSFCT SALARY UACC(NONE)
PERMIT SALARY CLASS(FCICSFCT) ID(PAYROLL) ACCESS(READ)
PERMIT SALARY CLASS(FCICSFCT) ID(PAYROLL) WHEN(TERMINAL(PAY001)) ACCESS(UPDATE)
To allow members of the operations group OPS to use the CEMT transaction only from the console named MVS1MAST, issue the following commands:
RDEFINE TCICSTRN CEMT UACC(NONE)
PERMIT CEMT CLASS(TCICSTRN) ID(OPS) WHEN(CONSOLE(MVS1MAST)) AC(READ)
Note:
  1. The CONSOLE class must be active before CONSOLE conditional access lists can be used.
  2. Conditional access lists may only increase authority and not decrease it.

    For other considerations on conditional access lists, see the z/OS Security Server RACF Security Administrator's Guide.
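
The effect of the two examples and of Note 2 can be checked with a small model. This is an added example, not IBM code and not RACF's actual authorization algorithm: it parses the commands shown on this page (written one per line) and assumes a simplified decision in which the standard access list entry, or UACC if there is none, can only be raised by a conditional entry matching the sign-on terminal or console. The function names and the treatment of ID() as the user's group are assumptions.

```python
import re

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # ascending authority

# Constructed input: the commands from the examples above, one per line.
COMMANDS = """\
RDEFINE FCICSFCT SALARY UACC(NONE)
PERMIT SALARY CLASS(FCICSFCT) ID(PAYROLL) ACCESS(READ)
PERMIT SALARY CLASS(FCICSFCT) ID(PAYROLL) WHEN(TERMINAL(PAY001)) ACCESS(UPDATE)
RDEFINE TCICSTRN CEMT UACC(NONE)
PERMIT CEMT CLASS(TCICSTRN) ID(OPS) WHEN(CONSOLE(MVS1MAST)) AC(READ)
"""

def keyword(cmd, *names):
    """Return the operand of the first of `names` present in cmd, else None."""
    for name in names:
        m = re.search(rf"(?<![A-Z]){name}\(([^()]*)\)", cmd)
        if m:
            return m.group(1)

def parse(commands):
    """Build {(class, profile): uacc / standard list / conditional list}."""
    profiles = {}
    for cmd in commands.splitlines():
        words = cmd.split()
        if words[0] == "RDEFINE":
            profiles[(words[1], words[2])] = {
                "uacc": keyword(cmd, "UACC"), "standard": {}, "conditional": {}}
        elif words[0] == "PERMIT":
            prof = profiles[(keyword(cmd, "CLASS"), words[1])]
            who, level = keyword(cmd, "ID"), keyword(cmd, "ACCESS", "AC")
            kind = "TERMINAL" if "TERMINAL(" in cmd else "CONSOLE"
            if "WHEN(" in cmd:
                prof["conditional"][(who, kind, keyword(cmd, kind))] = level
            else:
                prof["standard"][who] = level
    return profiles

def effective_access(profiles, cls, name, group, terminal=None, console=None):
    """Model: standard entry (else UACC), raised by any matching conditional entry."""
    prof = profiles[(cls, name)]
    best = prof["standard"].get(group, prof["uacc"])
    for (who, kind, where), level in prof["conditional"].items():
        here = terminal if kind == "TERMINAL" else console
        if who == group and where == here and LEVELS.index(level) > LEVELS.index(best):
            best = level
    return best

PROFILES = parse(COMMANDS)
```

Because OPS has no standard access list entry for CEMT and the profile has UACC(NONE), the model returns NONE for OPS anywhere except console MVS1MAST.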