Upgrade to zOS v2.4, getting violations to SERVAUTH RSER-EZB.sysname.daemon.ACCESS.JES


Article ID: 251650




ACF2 - z/OS


When connecting to the FTP server, users are no longer able to use FILETYPE=JES to transfer to the JES queue. ACF2 violations occur for RSER-EZB.sysname.daemon.ACCESS.JES.

Is the requirement for a security rule new with z/OS 2.4? 


Release : 16.0

Component : ACF2 for z/OS


The SERVAUTH class resource EZB.FTP.sysname.ftpdaemonname.ACCESS.JES is checked by a resource validation call that FTP makes to control access to FTP JES mode. z/OS 2.5 and z/OS V2R4 Communications Server, with APAR PH42618, support this new SAF resource in the SERVAUTH class to control which users are allowed to access FTP JES mode.

The IBM documentation recommends the following for this resource validation for FTP JES:

"If you do not control access to this resource, then all users can use FTP JES mode. While in JES mode a user can submit a job, display job output, and delete job output. You are strongly encouraged to define a profile to control access to the EZB.FTP.sysname.ftpdaemonname.ACCESS.JES resource and grant read access only to users with a legitimate need to use JES mode."

To code an ACF2 resource rule for this EZB resource, sites can run the ACFRPTRV report to obtain the details of the violation, such as the access SERVICE (READ, ADD, UPDATE, DELETE or EXECUTE) and the UID string. Here is a sample rule:

RECKEY EZB ADD( sysname.daemon.ACCESS.JES UID(uuuuuuuuuuuu) SERVICE(xxxxxx) ALLOW)

where uuuuuuuuuuuu is the UID string and xxxxxx is the SERV from the ACFRPTRV report.