Top Secret users are able to cancel production jobs, including, but not limited to:

  - CICS regions started as batch jobs
  - Other TSO users
  - Batch jobs where the user is not the owner of the job.

The jobs are cancelled by putting a C next to the job in SDSF which generates a $C J command to do the cancel. 

How do you lock this down but still allow the user to cancel the user's own jobs?

The following in SYS1.PARMLIB(ISFPRM00)' causes any SAF security calls with RC=4 to have full access.

/*********************************/                                             
/*  SERVER CONNECTION STATEMENT  */                                             
/*********************************/                                             
CONNECT AUXSAF(NOFAILRC4)                                                      
                               
If this is specified, own SDSF(ISFOPER.) in a DEPT and permit the following to cause a JESSPOOL security call.

TSS PERM(ALL) SDSF(ISFOPER.ANYDEST.) ACCESS(READ) 
 
This permit allows users to view all job output, but when attempting to purge a job NOT owned by the user's acid, the user fails with TSS7250E for TYPE=JESSPOOL.