Define JES command security

Use various RACF® commands to limit user access to JES commands in Job Monitor.

Job Monitor issues all JES operator commands through an extended MCS (EMCS) console, whose name is controlled with the CONSOLE_NAME directive, as documented in Job Monitor configuration file BLZJCNFG.

The following sample RACF commands give Job Monitor users conditional access to a limited set of JES commands: Hold, Release, Cancel, and Purge. Users have execution permission only if they issue the commands through Job Monitor. Replace the #console placeholder with the actual console name.
  • RDEFINE OPERCMDS MVS.MCSOPER.#console UACC(READ) DATA('EWM')
  • RDEFINE OPERCMDS JES%.** UACC(NONE)
  • PERMIT JES%.** CLASS(OPERCMDS) ACCESS(UPDATE) WHEN(CONSOLE(JMON)) ID(*)
  • SETROPTS RACLIST(OPERCMDS) REFRESH
Notes:
  1. Usage of the console is permitted if no MVS.MCSOPER.#console profile is defined.
  2. The CONSOLE class must be active for WHEN(CONSOLE(JMON)) to work, but there is no actual profile check in the CONSOLE class for EMCS consoles.
  3. Do not replace JMON with the actual console name in the WHEN(CONSOLE(JMON)) clause. The JMON keyword represents the point-of-entry application, not the console name.
Attention: If you define JES commands with universal access NONE in your security software, you might impact other applications and operations. Test this before you activate it on a production system.

Table 1 and Table 2 show the operator commands issued for JES2 and JES3, and the discrete security profiles that you can use to protect them.

Table 1. JES2 Job Monitor operator commands

| Action | Command | OPERCMDS profile | Required access |
|---|---|---|---|
| Hold | $Hx(jobid) with x = {J, S or T} | jesname.MODIFYHOLD.BAT, jesname.MODIFYHOLD.STC, jesname.MODIFYHOLD.TSU | UPDATE |
| Release | $Ax(jobid) with x = {J, S or T} | jesname.MODIFYRELEASE.BAT, jesname.MODIFYRELEASE.STC, jesname.MODIFYRELEASE.TSU | UPDATE |
| Cancel | $Cx(jobid) with x = {J, S or T} | jesname.CANCEL.BAT, jesname.CANCEL.STC, jesname.CANCEL.TSU | UPDATE |
| Purge | $Cx(jobid),P with x = {J, S or T} | jesname.CANCEL.BAT, jesname.CANCEL.STC, jesname.CANCEL.TSU | UPDATE |

Table 2. JES3 Job Monitor operator commands

| Action | Command | OPERCMDS profile | Required access |
|---|---|---|---|
| Hold | *F,J=jobid,H | jesname.MODIFY.JOB | UPDATE |
| Release | *F,J=jobid,R | jesname.MODIFY.JOB | UPDATE |
| Cancel | *F,J=jobid,C | jesname.MODIFY.JOB | UPDATE |
| Purge | *F,J=jobid,C | jesname.MODIFY.JOB | UPDATE |

Notes:
  1. The Hold, Release, Cancel, and Purge JES operator commands, and the Show JCL command, can be performed only against spool files that the user ID owns, unless LIMIT_COMMANDS= with value LIMITED or NOLIMIT is specified in the Job Monitor configuration file. Refer to Actions against jobs: target limitations for more information.
  2. You can browse any spool file, unless LIMIT_VIEW=USERID is defined in the Job Monitor configuration file. Refer to Access to spool files for more information.
  3. Users who are not authorized for these operator commands can still submit jobs and read job output through Job Monitor, provided that they have sufficient authority to profiles that might protect these resources, like those in the JESINPUT, JESJOBS and JESSPOOL classes.
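
The following added example (not part of the product documentation) uses the discrete JES2 profiles from Table 1 in place of the generic JES%.** profile, and grants conditional access to one group rather than ID(*). It assumes that jesname is JES2 and uses a hypothetical group named JMUSERS; only batch jobs are permitted, so group members get no access to started tasks or TSO users through these profiles.

```tso
 /* Added example; not from the product documentation.               */
 /* Assumed values: JES2 as jesname, JMUSERS as a hypothetical group. */

 /* Note 2 above: confirm CONSOLE is listed under ACTIVE CLASSES.    */
 SETROPTS LIST

 /* Discrete profiles from Table 1. Purge uses the CANCEL profiles.  */
 RDEFINE OPERCMDS JES2.MODIFYHOLD.BAT    UACC(NONE)
 RDEFINE OPERCMDS JES2.MODIFYHOLD.STC    UACC(NONE)
 RDEFINE OPERCMDS JES2.MODIFYHOLD.TSU    UACC(NONE)
 RDEFINE OPERCMDS JES2.MODIFYRELEASE.BAT UACC(NONE)
 RDEFINE OPERCMDS JES2.MODIFYRELEASE.STC UACC(NONE)
 RDEFINE OPERCMDS JES2.MODIFYRELEASE.TSU UACC(NONE)
 RDEFINE OPERCMDS JES2.CANCEL.BAT        UACC(NONE)
 RDEFINE OPERCMDS JES2.CANCEL.STC        UACC(NONE)
 RDEFINE OPERCMDS JES2.CANCEL.TSU        UACC(NONE)

 /* Conditional access for batch jobs only, and only when the        */
 /* command enters through Job Monitor. JMON is the point-of-entry   */
 /* keyword (note 3 above), not the console name.                    */
 PERMIT JES2.MODIFYHOLD.BAT    CLASS(OPERCMDS) ACCESS(UPDATE) -
        WHEN(CONSOLE(JMON)) ID(JMUSERS)
 PERMIT JES2.MODIFYRELEASE.BAT CLASS(OPERCMDS) ACCESS(UPDATE) -
        WHEN(CONSOLE(JMON)) ID(JMUSERS)
 PERMIT JES2.CANCEL.BAT        CLASS(OPERCMDS) ACCESS(UPDATE) -
        WHEN(CONSOLE(JMON)) ID(JMUSERS)

 SETROPTS RACLIST(OPERCMDS) REFRESH

 /* Verify: AUTHUSER shows the standard and conditional access lists. */
 RLIST OPERCMDS JES2.CANCEL.BAT AUTHUSER
```

The Attention statement above still applies: operators and automation that issue these JES2 commands from other consoles need their own access to the same profiles.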

Your security software prevents a user from assuming the identity of the Job Monitor server by creating a JMON console from a TSO session. Even though the console can be created, the point of entry is different: Job Monitor versus TSO. JES commands issued from this console will fail the security check if your security is set up as documented in this product documentation, and if you do not have authority to the JES commands through other means.
