We would like to know if there is a way to set up users in Ideal to allow the following:
User submits a job with a read only program or submits an update program with UPDATE NO against production ==> the system lets the job run and user can see the output in spool
User submits a job with update YES ==> the system cancels the job ideally saying "you are not authorized."
Component : IDEAL
Unfortunately, Ideal does not grant table-specific levels of access. As a result, there is nothing within Ideal itself to manage these accesses as requested.
One option is to use Read-Only URTs. However, it would be easy to "forget" to use the Read-Only URT and instead use a normal, Read-Write URT. Therefore, I would not recommend this.
If you want to allow read-only access to your application data, you would need to configure Datacom External Security and grant read access to the programmers in your RACF/ACF2/TSS environment. It could be reasonably simple to set up "open" access rules for everyone and then restrict the programmers, or you could set up "closed" access and grant only your production users the full access.
You or your users need to determine if the exposure is great enough here to warrant the extra layer of security. I believe that it would be relatively easy to set up the access level needed for your users by only granting a particular group of users the Read-Write access (called role-based security). Then, as new users come into the group or other users leave the group, they are connected to or removed from the security groups and the MUF security itself is not changed.
As always, please contact Broadcom support for Datacom if you have further questions.