How do you protect instream operator commands in JES2?  In JCL, you can enter operator commands after the // and a space like this:

// D A,L

// COMMAND 'D A,L'

// F STC,CLOSE

The JES2 address space submits the command, but on behalf of the user.  The actual ACEE that is passed is the user, and that is the id that will be validated.  Running a SECTRACE with FORMAT=DUMP show that:

CAS21D0I TRACEID: TEST      EVENT#:  0000nnnn                            

CAS21D0I JOBNAME: JES2     USERID:  JES2     ASID: 00nn                

CAS21D1I PROGRAM: xxxxxx  RB CURR: SVC0nn   APF:  YES  SFR/RFR: N/A    

CAS2200I RACROUTE REQUEST=AUTH,REQSTOR=(=>)'yyyyyyy',                  

CAS2200I          SUBSYS=(=>)'CONSOLE',CLASS=(=>)'OPERCMDS',RELEASE=1.9,

CAS2200I          STATUS=NONE,ACEE=(STRUCTURE,=>,7F25F058),ATTR=READ,   

CAS2200I          DSTYPE=(DEFAULT)N,DECOUPL=YES,                        

CAS2200I          ENTITY=((=>)'MVS.DISPLAY.JOB'),FILESEQ=0,GENERIC=ASIS,

CAS2200I          LOG=ASIS,LOGSTR=(=>)'D A,L',MSGRTRN=YES,MSGSP=1,      

CAS2200I          MSGSUPP=YES,TAPELBL=STD,                               

CAS2200I          WORKA=(STRUCTURE SAFWORKA,=>,7F39E9B8)                

CAS2203I ACEE     DATA AREA FOLLOWS                                     

CAS2204I 7F25F058 +000  C1C3C5C5 FF000258 03000000 7F273188  *ACEE......

.."..h*                                                                 

CAS2204I 7F25F068 +010  00000000 07E3C5E2 E3C9C440 4007D2E6  *.....TESTI

D  .KW*            

So normal operator command rules would apply.  See the ACF2 Administrator Guide for more information on protecting Operator Commands.