How can I secure who can submit a batch job where the jobname starts with the letter P*?
search cancel

How can I secure who can submit a batch job where the jobname starts with the letter P*?

book

Article ID: 14303

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC PanApt PanAudit

Issue/Introduction



How can I secure who can submit a batch job where the jobname starts with the letter P*?

Environment

Release:
Component: ACF2MS

Resolution

Beyond the standard CA ACF2 JES security interface, there are other security 
calls that you can enable. These security calls are made using the System 
Authorization Facility (SAF).
 
JESJOBS validation controls both job submit and job cancel activity. The 
resource name format is:
 
SUBMIT.nodename.jobname.userid 
CANCEL.nodename.userid.jobname
 
To validate the JESJOBS Resource Class validations an ACF2 GSO SAFDEF, CLASMAP
and resource rule can be implemented.
 
  1. The default resource type for JESJOBS is SAF. If you want to use a different type 
    code, insert a GSO CLASMAP record as follows:

    ACF
    SET CONTROL(GSO)
    INSERT CLASMAP.jjobs RESOURCE(JESJOBS) RSRCTYPE(job)
    F ACF2,REFRESH(CLASMAP)

    Where job is the type code you select.

  2. Write resource rules for JESJOBS SUBMIT resource SUBMIT.nodename.jobname.userid

    ACF
    SET RESOURCE(job)
    RECKEY SUBMIT ADD( -.P- UID( user001 ) PREVENT
    RECKEY SUBMIT ADD( - UID(*) ALLOW)

    The above RECKEY commands will create the following resource rule that allows
    all logonids to submit any job and prevent logonid USER001 from submitting any
    Jobname that starts with P.

    $KEY(SUBMIT) TYPE(JOB) 
     -.P- UID( USER001 ) PREVENT
     - UID(*) ALLOW 

  3. Insert a GSO SAFDEF record to enable the SAF calls:

    ACF
    SET CONTROL(GSO)
    INSERT SAFDEF.jjobs ID(jjobs) RACROUTE(REQUEST=AUTH,CLASS=JESJOBS)
    F ACF2,REFRESH(SAFDEF)
Details can be found in section: "Security Classes" sub-section "JESJOBS"