How does TSO Command Limiting in ACF2 make an environment more secure? Will restricting TSO commands prevent a program from being executed in batch (via PGM=)?

TSO Command Limiting can aide in securing commands that are issued under TSO Ready mode, ISPF, or batch jobs that use the TSO command processor. While every environment's needs are different, one reason to use TSO Command Limiting is to restrict privileged logonids to specific TSO functions. In this way it narrows the scope of what TSO commands a privileged user can do in TSO.

TSO Command Limiting will not stop a program from executing in batch. Depending on the use case, the program could be added to the Protected Program List (PPGM) so it can only be executed by privileged users, or SAF Program Validation can be used to allow more granularity.

For more information, please see the following ACF2 documentation sections:

Restricting TSO Commands

Protected Program List (PPGM)

SAF Program Validation