In order to disable the JCL Submit button in ESMAC for a group of users, but still allow them to submit JCL using the cassub command line utility, the LDAP security repository requires a read access rule for the "CN=cassub,CN=OPERCMDS,CN=Enterprise Server Resources" resource class authorization.
dn: CN=cassub,CN=OPERCMDS,CN=Enterprise Server Resources microfocus-MFDS-Resource-ACE: allow:<group-name> group:read
<group-name> must be followed by a space and the word “group” for group access authority.