Some users who use USS (Unix System Services) via TWS connections should not be allowed to enter ISHELL. How do you prevent this with Top Secret?
There is no obvious way to protect "ishell", because no security call is made from the operating system for users who are allowed to use OMVS and are defined as a UNIX user. However, you can use the PDS member level protection in the following way:
TSS MODI PDSPROT(ON)
TSS MODI PDSPROT(ADD,DSN(your.CLIST),CLASS(PDSMEM2))
TSS ADD(owner#) PDSMEM(BPXWIRAC)
"your.CLIST" must contain TSSWIRAC renamed to BPXWIRAC.
PDSMEM2 is intentionally used to distinguish it from PDSMEM1, in case PDSMEM1 is already in use. However, there is no restriction against using the PDSMEM1 class as well.
Any user not permitted to read BPXWIRAC won't be able to use "ishell".
You can do:
TSS PER(ALL) PDSMEM2(BPXWIRAC) ACCESS(READ)
TSS PER(acid) PDSMEM2(BPXWIRAC) ACCESS(NONE)
acid can be a user-type or a profile-type ACID. If it is a profile, you have to add it to every UNIX user who is not allowed to use ishell.
This way, any UNIX user can access ishell; only the specific users, or those connected to the permitted profile, will not be allowed to use ishell.