Actions against jobs: execution limitations

You must have certain security authorizations to perform Job Monitor JES operator commands.
The second phase of JES spool command security, after specifying the permitted targets, covers the permits you need to execute operator commands. This authorization is enforced by the z/OS® and JES security checks.
Note: Show JCL is not an operator command like the other Job Monitor commands (Hold, Release, Cancel, and Purge), so the limitations below do not apply to Show JCL.

Job Monitor issues all JES operator commands that you or another user requests through an extended MCS (EMCS) console, whose name is controlled with the CONSOLE_NAME directive, as documented in Job Monitor configuration file BLZJCNFG.

With this setup, you or the security administrator can define granular command execution permits using the OPERCMDS and CONSOLE classes.

  • To use an EMCS console, you must have, at minimum, READ authority to the MVS.MCSOPER.console-name profile in the OPERCMDS class.
    Note: If you do not define a profile, the system will grant the authority request.
  • To execute a JES operator command, you must have sufficient authority to access the JES%.** profile in the OPERCMDS class.
    Note: If you do not define a profile, or if the OPERCMDS class is not active, JES will fail the command.
  • You can also require that a user must use Job Monitor to perform the operator command by specifying WHEN(CONSOLE(JMON)) on the PERMIT definition. The CONSOLE class must be active for this setup to work.
    Note: It is sufficient for the CONSOLE to be active. No profiles are checked for EMCS consoles.
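
The three rules above, combined into one RACF setup. This is an added example, not part of the original product documentation. It assumes the console name is JMON (as in the WHEN(CONSOLE(JMON)) operand above), that UPDATE is sufficient authority for the JES commands in use, and that #userid is a placeholder for the user or group being authorized.

```racf
/* Activate the classes. CONSOLE only has to be active for            */
/* WHEN(CONSOLE(...)) to work; no CONSOLE profiles are needed for EMCS. */
/* GENERIC is required because JES%.** is a generic profile.            */
SETROPTS CLASSACT(OPERCMDS CONSOLE) GENERIC(OPERCMDS) RACLIST(OPERCMDS)

/* EMCS console: with no profile the request is granted, so define    */
/* the profile explicitly and permit only the intended users.         */
RDEFINE OPERCMDS MVS.MCSOPER.JMON UACC(NONE)
PERMIT MVS.MCSOPER.JMON CLASS(OPERCMDS) ACCESS(READ) ID(#userid)

/* JES operator commands: deny by default, then grant access only     */
/* when the command enters through the JMON console.                  */
RDEFINE OPERCMDS JES%.** UACC(NONE)
PERMIT JES%.** CLASS(OPERCMDS) ACCESS(UPDATE) ID(#userid) WHEN(CONSOLE(JMON))

/* Make the changes effective, then review both access lists.         */
SETROPTS RACLIST(OPERCMDS) REFRESH
RLIST OPERCMDS MVS.MCSOPER.JMON AUTHUSER
RLIST OPERCMDS JES%.** AUTHUSER
```

In the RLIST output, the JES%.** grant should appear only in the conditional access list; an entry for the same user in the standard access list would allow JES commands from any console.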

Your security software prevents a user from assuming the identity of the Job Monitor server by creating a JMON console from a TSO session. Even though the console can be created, the point of entry is different: Job Monitor versus TSO. If your security is set up as documented in this product documentation, JES commands that you issue from this console will fail the security check, unless you are authorized to issue JES commands through other means.

Note: If the console name is already in use, Job Monitor cannot create the console when a command must be executed. To prevent this, you can set the GEN_CONSOLE_NAME=ON directive in the Job Monitor configuration file, or you can define security profiles to stop TSO users from creating a console.

The following sample RACF® commands prevent all unauthorized users from creating a TSO or SDSF console:

  • RDEFINE TSOAUTH CONSOLE UACC(NONE)
  • PERMIT CONSOLE CLASS(TSOAUTH) ACCESS(READ) ID(#userid)
  • RDEFINE SDSF ISFCMD.ODSP.ULOG.* UACC(NONE)
  • PERMIT ISFCMD.ODSP.ULOG.* CLASS(SDSF) ACCESS(READ) ID(#userid)

Note: Users who are not authorized to issue these operator commands can still submit jobs and read job output through Job Monitor if they have sufficient authority to access profiles that might protect these resources, like those in the JESINPUT, JESJOBS, and JESSPOOL classes.

Refer to Security Server RACF Security Administrator's Guide (SA22-7683) for more information about operator command protection.

