ACF2 JESSPOOL prevent rules access to SDSF output not working.

book

Article ID: 141051

calendar_today

Updated On:

Products

CA ACF2 CA ACF2 - z/OS CA ACF2 - MISC

Issue/Introduction

Client trying to prevent access for a user to view job output in SDSF.  Specific PREVENT rules limit access by UID however user can still view job output. 

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

If a user has access to the resource class SDSF resource ISFOPER.DEST.JES2 along with access to resource class SDSF resources ISFAUTH.DEST.LOCAL.DATASET.******** SDSF will specify the RECVR parameter in the RACROUTE JESSPOOL call which will override JESSPOOL rules that would prevent access to JESSPOOL print jobs if the RECVR parameter matches the logonid accessing the JES2 datasets.

To address the issue insure that the logonid trying to access the JES2 output from SDSF does not have access to resource class SDSF resource ISFOPER.DEST.JES2. For example, to add a resource rule entry to an existing ISFOPER rule the following RECKEY command can be issued from TSO, ACF:

ACF
SET RESOURCE(SDF)
RECKEY ISFOPER ADD(DEST.JES2 UID(uid string for logonid ABC) PREVENT)

where 'uid string for logonid ABC' is the ACF2 UID string for the logonid accessing the JES2 output.
           SDF is the TYPE code specified for Resource Class JESSPOOL(default is SAF see note 1)

NOTE 1: (Optional) Change the default SAF type code by inserting a new GSO CLASMAP record for the SDSF class and specify the desired three-character type code. Specify the following commands if you want the type code to be SDF before defining the rule or updating the INFODIR record:

ACF
SET CONTROL(GSO)
INSERT CLASMAP.SDSF RESOURCE(SDSF) RSRCTYPE(SDF)
F ACF2,REFRESH(CLASMAP)