Is there a way to secure the job class in which batch jobs run?

Release: TOPSEC00200-16-Top Secret-Security
Component:

In z/OS 2.1, one of the new features is the ability to use 8 character jobclasses in JES2. As part of that is also a new feature to do job class validation.

According to the IBM documentation, it will first check to see if one of two new FACILITY classes are enabled, JES.JOBCLASS.OWNER or JES.JOBCLASS.SUBMITTER (or both). If one or both of these are defined, then a SAF call for JESJOBS is done for:

JOBCLASS.jesnode.jobclass.job .

In z/OS 2.1, JES2 and JES3 have new SAF calls to control the use of specific job classes. In CA Top Secret, these SAF calls are triggered when users are permitted to either of the following IBMFAC class resources:

JES.JOBCLASS.OWNER
Checks whether the execution owner has access to the job class.

JES.JOBCLASS.SUBMITTER
Checks whether the submitting user ID has access to the job class.

When users are permitted to these resources JES2/JES3 will issue resource checks for new JESJOBS resources. The new JESJOBS resources have the format (JOBCLASS.node.class.jobname).

When implementing these controls, it is recommended that the JESJOBS resources be permitted before activating the controls with permits to the IBMFAC resources.

For example, to restrict USER1 to only submit jobs for class B while allowing all other users to submit jobs in any class on node N67, use the following commands:

TSS ADD(dept) IBMFAC(JES.JOBC)
TSS ADD(dept) JESJOBS(JOBCLASS.N67)
TSS PER(USER1) JESJOBS(JOBCLASS.N67.B)
TSS PER(USER1) IBMFAC(JES.JOBCLASS.OWNER)
TSS PER(USER1) IBMFAC(JES.JOBCLASS.SUBMITTER)

NOTE: The IBMFAC resource class only allows up to 8 characters in the TSS ADD command, but the ownerships are generic, so 'JES.JOBC' in the above command includes everything that starts with 'JES.JOBC'.