Can a SHIFT be assigned to the JCL privilege in ACF2 to restrict when a user can submit a job from TSO?

book

Article ID: 197756

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC LDAP SERVER FOR Z/OS PAM CLIENT FOR LINUX ON MAINFRAME WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

Is it possible to restrict the day/time a user can submit jobs but still be allowed to logon and perform other tasks in tso without shift restrictions?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

TSO Logon can be controlled by the shift record,
Access to datasets can be controlled by the shift records,
Access to resources can be controlled by the shift records.

But use of a particular attribute cannot be controlled by the shift records.

However because resource access can be controlled by SHIFT records, you could write
a resource rule for the JESJOBS resource and give permission to a logonid during a particular shift.

The resource name that controls job submission in the JESJOBS resource class is
SUBMIT.nodename.jobname.userid
therefore you could write a rule like this.

$KEY(SUBMIT) TYPE(SAF)
nodename.jobname.userid uid() SHIFT(allowed) ALLOW

where a shift named "allowed" lets the user have access to the resource at the times/days referenced in the shift record.
Thereby allowing job submission during these times.

At all other times the user cannot submit any jobs - note that masking the resource name for a submit could mean
that ALL submits that the user issues will be controlled by the shift record.

$KEY(SUBMIT) TYPE(SAF)
- uid() SHIFT(allowed) ALLOW


Please review the following documentation in techdocs at the section entitled JESJOBS for details.

Additional Information

Please review the following documentation in techdocs at the section entitled JESJOBS for details.