Access to spool files

You can access and manage permissions for all spool files through Job Monitor.

By default, you have browse access to all spool files through Job Monitor. You can change this with the LIMIT_VIEW directive, as documented in Job Monitor configuration file BLZJCNFG.

Table 1. Job Monitor browse permission matrix.

Job Monitor browse permissions

  Job owner
USERID Allowed Not allowed
NOLIMIT (default) Allowed Allowed if permitted by security profiles, or when the JESSPOOL class is not active.

To limit users to their own jobs on the JES spool, define the LIMIT_VIEW=USERID statement in the Job Monitor configuration file BLZJCNFG. If they need access to a wider range of jobs, but not to all jobs, use the standard spool file protection features of your security product, like the JESSPOOL class.

When defining further protection, remember that Job Monitor uses SAPI (SYSOUT application program interface) to access the spool. This means that the user needs at least UPDATE access to the spool files, even for browsing. This requisite does not apply if you run z/OS® 1.7 (z/OS 1.8 for JES3) or higher. Here, READ permission is sufficient for browsing.

Refer to Security Server RACF® Security Administrator's Guide (SA22-7683) for more information about JES spool file protection.

video icon Video channel
Software Education channel

learn icon Courses

IoT Academy
Skills Gateway

ask icon Community forums library

support icon Support

IBM Support Community
Deployment wiki