Users can specify FILE=JES with an FTP PUT statement allowing this into the system in batch. This needs to be restricted so users cannot do that without permission. How can this be done?
JES under z/OS will make a SAF call under the class of JESJOBS when batch jobs enter the reader. This is done for all batch jobs, not just FTP. By default, CA ACF2 will ignore these SAF calls due to an internal SAFDEF record. From a SHOW SAFDEF command, this is the SAFDEF record:
JESJOBS JOBNAME=******** USERID=******** PROGRAM=******** RB=********
RETCODE=4 SAFDEF=INTERNAL MODE=IGNORE SUBSYS=ACF2
To prevent these jobs from being run, you must define your own SAFDEF record to have CA ACF2 validate the entities when the class is JESJOBS. The problem is that there is nothing unique in the SAF call to indicate the job came from FTP so it is not possible to define a SAFDEF that would be limited to jobs being submitted from FTP. All submissions, including those from TSO, etc, would be validated. The ENTITYX for these JESJOBS validations is formatted as SUBMIT.node.jobname.userid. By default, CLASMAP points JESJOBS to type SAF. Standard ACF2 resource rule writing applies. A sample rule would look like this:
node.jobname.userid UID(uid string) ALLOW
If you want to use a different type code, you will need to insert a CLASMAP record. A sample would look like this:
INSERT CLASMAP.JJOBS RESOURCE(JESJOBS)
After the rules are in place, override the SAFDEF record. Here is a sample:
INSERT SAFDEF.JJOBS ID(JJOBS) RACROUTE(REQUEST=AUTH,CLASS=JESJOBS)
and then refresh the GSO records just inserted.
Other validations that happen under JESJOBS are the following:
With z/OS 2.1, IBM added controls in JESJOBS to protect the JOBCLASS also. See the current CA ACF2 Administrators Guide, section titled "JESJOBS Controlling Access to JOBCLASS" for more information.