Can a SHIFT be assigned to the JCL privilege in ACF2 to restrict when a user can submit a job from TSO?

book

Article ID: 197756

calendar_today

Updated On:

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC CA LDAP Server for z/OS CA PAM Client for Linux for zSeries CA Web Administrator for Top Secret

Issue/Introduction

Is it possible to restrict the day/time a user can submit jobs but still be allowed to logon and perform other tasks in tso without shift restrictions?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

TSO Logon can be controlled by the shift record,
Access to datasets can be controlled by the shift records,
Access to resources can be controlled by the shift records.

But use of a particular attribute cannot be controlled by the shift records.

However because resource access can be controlled by SHIFT records, you could write
a resource rule for the JESJOBS resource and give permission to a logonid during a particular shift.

The resource name that controls job submission in the JESJOBS resource class is
SUBMIT.nodename.jobname.userid
therefore you could write a rule like this.

$KEY(SUBMIT) TYPE(SAF)
nodename.jobname.userid uid() SHIFT(allowed) ALLOW

where a shift named "allowed" lets the user have access to the resource at the times/days referenced in the shift record.
Thereby allowing job submission during these times.

At all other times the user cannot submit any jobs - note that masking the resource name for a submit could mean
that ALL submits that the user issues will be controlled by the shift record.

$KEY(SUBMIT) TYPE(SAF)
- uid() SHIFT(allowed) ALLOW


Please review the following documentation in techdocs at the section entitled JESJOBS for details.

Additional Information

Please review the following documentation in techdocs at the section entitled JESJOBS for details.