The table below defines the name of each default resource class used in Enterprise Server for JES security, its meaning, the type of resource entities it contains, and the minimum permission that a user requires on the entities.
JES relation | Entities | ACCESS LEVEL |
---|---|---|
Conditional access support for commands or jobs entered into the system through a JES input device. | INTRDR = Jobs submitted via Internal Reader as a result of executing JCL.
STCINRDR=Jobs submitted via Internal Reader as a result of the execution of a CICS or IMS transaction. TSUINRDR = Jobs submitted via the ESMAC JES "Control" page and/or the cassub command line interface. |
None, Read |
JES relation | Entities | ACCESS LEVEL |
---|---|---|
JES Class for controlling access to job submission by surrogates. If UserA wants to submit a job to run as UserB then he must have "Read" access to the SURROGAT class for entity UserB.SUBMIT |
execution-userid
.SUBMIT
For example, if USERA is USERB's surrogate, Enterprise Server will check that USERA has read access for the entity, USERB.SUBMIT in the SURROGAT class. |
None, Read |
Access rights to files within the dataset are enforced if you have a mainframe dialect Compiler directive set. To ensure that security is also applied if you are not using a mainframe dialect, set the FCDCAT and ASSIGN"EXTERNAL" compiler directives, then ensure files are not assigned dynamically or statically in a SELECT statement.
When a user with alter access to a DATASET class makes changes, before the changes are applied to the physical file, the PHYSFILE class is checked for access rights. Changes are made only if the user has access rights to PHYSFILE.
For example, in ESMAC, user access to PHYSFILE is verified when a user creates a new file, and when the physical file name is changed. Changes are allowed only when the user has access rights to PHYSFILE.
If the PHYSFILE class does not exist, access rights are not verified before the changes to the physical file are made.
Below is an example LDIF definition for PHYSFILE.
######################### # RACF Class = PHYSFILE # ######################### dn:CN=PHYSFILE,CN=Enterprise Server Resources,CN=MicroFocus,CN=RPIS,DC=mftesting,DC=com changetype: add objectClass: top objectClass: container description: JES Class for controlling access to physical files ######################### # physical file MYFILE # ######################### dn:CN=D\3A\\RPIS\\DATA\\MYFILE.DAT,CN=PHYSFILE,CN=Enterprise ServerResources,CN=Micro Focus,CN=RPIS,DC=mftesting,DC=com changetype: add objectClass: microfocus-MFDS-Resource microfocus-MFDS-Resource-Class:PHYSFILE microfocus-MFDS-Resource-ACE: allow:ALLUSER group:update microfocus-MFDS-Resource-ACE: deny:*:execute microfocus-MFDS-UID: mfuid