z/OS 2.1 JES2/JES3: SAF Check for Job Input Class

book

Article ID: 28806

calendar_today

Updated On:

Products

Top Secret Top Secret - LDAP

Issue/Introduction

 

z/OS 2.1 introduces a JES2 and JES3 authorization check to verify a user's ability to use a job class.

JES.JOBCLASS.OWNER – Checks if the execution owner has access to the job class.

JES.JOBCLASS.SUBMITTER – Checks if the submitting userid has access to the job class.

The resources are added by defining IBMFAC class JES.JOBCLASS.OWNER and JES.JOBCLASS.SUBMITTER resources and permitting users to the rule. 

The following command defines IBMFAC class JES.JOBCLASS.OWNER and JES.JOBCLASS.SUBMITTER  as a protected resource. The IBMFAC resource class only allows up to 8 characters for ownership.

Example:

TSS ADD(dept) IBMFAC(JES.JOBC) 

NOTE: The IBMFAC resource class only allows up to 8 characters in the TSS ADD command, but the ownerships are generic, so 'JES.JOBC' in the above command includes everything that starts with 'JES.JOBC'.

The following commands allow access to the resources.

Example:

TSS PER(user)   IBMFAC(JES.JOBCLASS.OWNER)

TSS PER(user)  IBMFAC(JES.JOBCLASS.SUBMITTER)

The ACCESS level given to either resource does not matter and is not checked.

If either of these resources exist, users submitting jobs must have READ access to a JESJOBS class resource in the format of JOBCLASS.nodename.classname.jobname.  

Example:

TSS ADD(dept) JESJOBS(JOBCLASS.NODEA) ACC(READ)

TSS PER(ALL)   JESJOBS(JOBCLASS.NODEA.A) ACC(READ)

TSS PER(USER1)  JESJOBS(JOBCLASS.NODEA.B) ACC(READ)

This will allow everyone to submit jobs on NODEA in class A while only USER1 can submit a job in class B.  



Environment

Release: TOPSEC00200-15-Top Secret-Security
Component:

Resolution

Please Update This Required Field