z/OS 2.1 JES2/JES3: SAF Check for Job Input Class With Top Secret

Article ID: 28806


Products

Top Secret, Top Secret - LDAP

Issue/Introduction

Does Top Secret have a way to secure job classes (CLASS= on the job card)? 

Environment

Release: TOPSEC00200-15-Top Secret-Security

Resolution

z/OS 2.1 introduces a JES2 and JES3 authorization check to verify a user's ability to use a job class.

JES.JOBCLASS.OWNER – Checks if the execution owner has access to the job class.

JES.JOBCLASS.SUBMITTER – Checks if the submitting userid has access to the job class.

The resources are added by defining the IBMFAC class resources JES.JOBCLASS.OWNER and JES.JOBCLASS.SUBMITTER and permitting users to them.

The following command defines the IBMFAC class resources JES.JOBCLASS.OWNER and JES.JOBCLASS.SUBMITTER as protected resources. The IBMFAC resource class allows only up to 8 characters for ownership.

Example:

TSS ADD(dept) IBMFAC(JES.JOBC) 

NOTE: The IBMFAC resource class only allows up to 8 characters in the TSS ADD command, but the ownerships are generic, so 'JES.JOBC' in the above command includes everything that starts with 'JES.JOBC'.

The following commands allow access to the resources.

Example:

TSS PER(user)   IBMFAC(JES.JOBCLASS.OWNER)

TSS PER(user)  IBMFAC(JES.JOBCLASS.SUBMITTER)

The ACCESS level given to either resource does not matter and is not checked.

If either of these resources exists, users submitting jobs must have READ access to a JESJOBS class resource in the format JOBCLASS.nodename.classname.jobname.

Example:

TSS ADD(dept) JESJOBS(JOBCLASS.NODEA) ACC(READ)

TSS PER(ALL)   JESJOBS(JOBCLASS.NODEA.A) ACC(READ)

TSS PER(USER1)  JESJOBS(JOBCLASS.NODEA.B) ACC(READ)

This will allow everyone to submit jobs on NODEA in class A while only USER1 can submit a job in class B.
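The decision flow described above can be modelled to review a planned set of permits before issuing the TSS commands. The following is an added example, not Broadcom or IBM code: a simplified Python model in which the function names, the job name PAYROLL, USER2 and the prefix-matching rule for permits are assumptions made for illustration.

```python
# Simplified model of the job class check described above (not JES or Top Secret code).
# Assumption: a JESJOBS permit matches any resource name that begins with it.

def jobclass_resource(node, jobclass, jobname):
    """Build the JESJOBS resource name: JOBCLASS.nodename.classname.jobname."""
    return f"JOBCLASS.{node}.{jobclass}.{jobname}".upper()

def has_read(user, resource, permits):
    """True if `user` (or ALL) holds a permit whose prefix covers `resource`."""
    return any(acid in (user, "ALL") and resource.startswith(prefix)
               for acid, prefix in permits)

def may_use_class(ibmfac_defined, permits, owner, submitter, node, jobclass, jobname):
    """Return (allowed, reasons). A userid is checked only if its IBMFAC resource exists."""
    resource = jobclass_resource(node, jobclass, jobname)
    reasons = []
    checks = (("JES.JOBCLASS.OWNER", owner), ("JES.JOBCLASS.SUBMITTER", submitter))
    for switch, user in checks:
        if switch not in ibmfac_defined:
            continue  # resource absent: this userid is not checked
        if not has_read(user, resource, permits):
            reasons.append(f"{user} lacks READ to {resource} ({switch})")
    return (not reasons, reasons)

# Constructed sample data mirroring the article's JESJOBS permits.
PERMITS = [("ALL", "JOBCLASS.NODEA.A"), ("USER1", "JOBCLASS.NODEA.B")]
SWITCHES = {"JES.JOBCLASS.OWNER", "JES.JOBCLASS.SUBMITTER"}

if __name__ == "__main__":
    cases = [("USER2", "USER2", "A"), ("USER2", "USER2", "B"),
             ("USER1", "USER1", "B"), ("USER1", "USER2", "B")]
    for owner, submitter, cls in cases:
        ok, why = may_use_class(SWITCHES, PERMITS, owner, submitter,
                                "NODEA", cls, "PAYROLL")
        print(owner, submitter, cls, "ALLOW" if ok else "DENY", why)
```

The last case shows why the two IBMFAC resources are worth considering separately: a job owned by USER1 but submitted by USER2 is denied class B only when JES.JOBCLASS.SUBMITTER is defined.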