Description:
With Top Secret active, a console that has AUTH(INFO) in SYS1.PARMLIB(CONSOLExx) allows commands to be issued.
Without Top Secret active, the console only allows informational commands, as desired.
When a console is not signed on, it runs under the *BYPASS* ACID, which makes Top Secret reply with an RC=0000 (authorized) for any request from the console.
When the RC is 0000, z/OS does not check AUTH(), as if the request had already been validated by an external security package.
To prevent the *BYPASS* ACID from being used, sign on an ACID to the console that has the CONSOLE facility and no other rights or permissions.
There are different situations to look at:
The bottom line: when an OPERCMDS resource is not defined to Top Secret (i.e. not owned via a Top Secret ADD command), Top Secret returns RC=0004 to the console, and AUTH() is then checked and honored by the console.
So, every time a command is entered at the console, a security check is issued. Depending on the RC, here is what happens:
Example:
OPERCMDS(MVS.ACTIVATE) is owned.
If the console ACID is permitted access to OPERCMDS(MVS.ACTIVATE), Top Secret returns RC=0000 and the z/OS command is accepted and executed regardless of the AUTH() parameter.
If the console ACID is not permitted and is in FAIL mode, Top Secret returns RC=0008 and the z/OS command is denied regardless of the AUTH() parameter.
If you remove ownership of OPERCMDS(MVS.ACTIVATE), Top Secret returns RC=0004 and the z/OS command is not accepted or executed, because AUTH(INFO) is now honored by the console.
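As an added illustration (not from the article or from the Top Secret product), a small Python model of the decision flow described above: which RC Top Secret returns for an OPERCMDS check and what an AUTH(INFO) console does with it. The ACID names CONSOLE and OPER, the informational resource MVS.DISPLAY.JOB, and FAIL mode are assumptions; MVS.ACTIVATE is the article's own example.

```python
from dataclasses import dataclass, field

BYPASS = "*BYPASS*"  # ACID a console runs under when nobody is signed on

@dataclass
class TopSecret:
    """Minimal stand-in for the Top Secret decision on an OPERCMDS check (FAIL mode assumed)."""
    owned: set = field(default_factory=set)      # resources defined via TSS ADD
    permits: dict = field(default_factory=dict)  # acid -> resources it is permitted

    def check(self, acid, resource):
        """Return the RC the console receives for OPERCMDS(resource)."""
        if acid == BYPASS:
            return 0   # no one signed on: Top Secret answers 'authorized' for everything
        if resource not in self.owned:
            return 4   # not defined to Top Secret: console falls back to its own AUTH()
        if resource in self.permits.get(acid, set()):
            return 0   # permitted: authorized
        return 8       # owned, not permitted, FAIL mode: denied

def auth_info_console(rc, informational):
    """What an AUTH(INFO) console does with a command given the security RC."""
    if rc == 0:
        return "executed"          # validated externally, AUTH() is not consulted
    if rc == 8:
        return "denied by TSS"     # denied externally, AUTH() is not consulted
    # RC=0004: the console honors AUTH(INFO) and only lets informational commands through
    return "executed" if informational else "denied by AUTH(INFO)"

def dispatch(tss, acid, resource, informational=False):
    """Run one console command through the security check and the AUTH(INFO) rule."""
    rc = tss.check(acid, resource)
    return rc, auth_info_console(rc, informational)

# Constructed sample configuration: MVS.ACTIVATE is owned; the CONSOLE acid has the
# CONSOLE facility only (no permits); OPER is permitted to MVS.ACTIVATE.
TSS = TopSecret(owned={"MVS.ACTIVATE"}, permits={"OPER": {"MVS.ACTIVATE"}})

if __name__ == "__main__":
    for acid in (BYPASS, "CONSOLE", "OPER"):
        print(acid, "ACTIVATE ->", dispatch(TSS, acid, "MVS.ACTIVATE"))
        # assumed informational resource name, not defined to Top Secret
        print(acid, "DISPLAY  ->", dispatch(TSS, acid, "MVS.DISPLAY.JOB", informational=True))
```

Running it shows why the mitigation works: only the *BYPASS* ACID (or an explicitly permitted one) gets MVS.ACTIVATE executed, while the signed-on CONSOLE acid is either denied outright or limited to informational commands.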