ACF2 JESSPOOL prevent rules access to SDSF/ EJES output not working.
Article ID: 141051
Updated On: 10-06-2023
Products
Issue/Introduction
Client trying to prevent access for a user to view job output in SDSF / EJES. Specific PREVENT rules limit access by UID however user can still view job output.
Environment
Release : 16.0
Component : CA ACF2 for z/OS
Resolution
If a user has access to the resource class SDSF resources ISFOPER.DEST.JES2 and ISFAUTH.DEST.LOCAL.DATASET.********, SDSF will specify the RECVR parameter in the RACROUTE JESSPOOL call which will override JESSPOOL rules(that might prevent access to JESSPOOL print jobs) if the RECVR parameter matches the logonid accessing the JES2 datasets.
To address the issue insure that the logonid trying to access the JES2 output from SDSF does not have access to resource class SDSF resource ISFOPER.DEST.JES2. For example, to add a resource rule entry to an existing ISFOPER rule the following RECKEY command can be issued from TSO, ACF:
ACF
SET RESOURCE(SDF)
RECKEY ISFOPER ADD(DEST.JES2 UID(uid string for logonid ABC) PREVENT)
where 'uid string for logonid ABC' is the ACF2 UID string for the logonid accessing the JES2 output.
SDF is the TYPE code specified for Resource Class SDSF.
ACF
SET RESOURCE(SDF)
RECKEY ISFAUTH ADD(DEST.LOCAL.DATASET.- UID(uid string for logonid ABC) PREVENT)
where 'uid string for logonid ABC' is the ACF2 UID string for the logonid accessing the JES2 output.
SDF is the TYPE code specified for Resource Class SDSF.
NOTE 1: (Optional) Change the default SAF type code by inserting a new GSO CLASMAP record for the SDSF class and specify the desired three-character type code. Specify the following commands if you want the type code to be SDF before defining the rule or updating the INFODIR record:
F ACF2,REFRESH(CLASMAP)
Feedback
