What ACF2 rule can be used to secure the use of the SDSF INPUT (on/off) command used when viewing a job?

Users that need access to the INPUT command need READ access to ISFCMD.FILTER.INPUT in the SDSF resource class.

Example rule:

$KEY(ISFCMD) TYPE(SDF)
 FILTER.INPUT UID(users_uid) SERVICE(READ) ALLOW

Example RECKEY command:

SET R(SDF)
RECKEY ISFCMD ADD( FILTER.INPUT UID(users_uid) SERVICE(READ) ALLOW)

Issue F ACF2,REBUILD(SDF) on all systems that share the ACF2 database for the rule change to take effect.

Additional SAF resource names and access levels for SDSF commands can be found in IBM documentation here: ISFPARMS vs RACF profiles