Previous Topic Next topic Print topic


Resource Classes for JES Security

The table below defines the name of each default resource class used in Enterprise Server for JES security, its meaning, the type of resource entities it contains, and the minimum permission that a user requires on the entities.

DATASET
JES relation Entities ACCESS LEVEL
Dataset Names Files None, Read, Update, Alter
JESINPUT
JES relation Entities ACCESS LEVEL
Conditional access support for commands or jobs entered into the system through a JES input device.  INTRDR = Jobs submitted via Internal Reader as a result of executing JCL.

STCINRDR=Jobs submitted via Internal Reader as a result of the execution of a CICS or IMS transaction.

TSUINRDR = Jobs submitted via the ESMAC JES "Control" page and/or the cassub command line interface.

None, Read
JESJOBS
JES relation Entities ACCESS LEVEL
Controlling the submission and cancellation of jobs by job name.
CANCEL
nodename.userid.jobname    (for job cancellation authority)
SUBMIT
nodename.jobname.userid  (for job submissions)
where nodename is the name of the enterprise server.

These rules are not typically used, but they do provide granularity of control for those environments with special requirements.

NONE
Allows no access.
READ
Allows user to submit jobs
UPDATE
Equivalent to READ.
CONTROL
Equivalent to UPDATE.
ALTER
Allows jobs to be cancelled .
JESSPOOL
JES relation Entities ACCESS LEVEL
Controlling access to job data sets on the JES spool (Joblog, SYSOUT and Messages. localnodeid.userid.jobname.jobid.dsnumber.name

where

localnodeid
the name of the enterprise server
dsnumber
the relative dataset number for the job e.g. 001
name
the dd name

These rules are not typically used, but they do provide granularity of control for those environments with special requirements.

NONE
Allows no access.
READ
Allows user to view the spool data set, but not change its attributes. For example, this does not allow the following keywords on the OUTPUT command: NOKEEP, NOHOLD, DELETE, NEWCLASS, and DEST.
UPDATE
Allows to update a spool data set.
CONTROL
Equivalent to UPDATE.
ALTER
Allows any operand specified on the TSO OUTPUT command, including deleting and printing. Also, when specified for a discrete profile, allows the user to change the profile itself.
PHYSFILE
JES relation Entities ACCESS LEVEL
Controls access to the physical file when changes to the dataset are made.

See the usage notes at the end of this table.

Physical files None, Alter
SURROGAT
JES relation Entities ACCESS LEVEL
JES Class for controlling access to job submission by surrogates.  If UserA wants to submit a job to run as UserB then he must have "Read" access to the SURROGAT class for entity UserB.SUBMIT execution-userid .SUBMIT

For example, if USERA is USERB's surrogate, Enterprise Server will check that USERA has read access for the entity, USERB.SUBMIT in the SURROGAT class.

None, Read

DATASET usage notes

Access rights to files within the dataset are enforced if you have a mainframe dialect Compiler directive set. To ensure that security is also applied if you are not using a mainframe dialect, set the FCDCAT and ASSIGN"EXTERNAL" compiler directives, then ensure files are not assigned dynamically or statically in a SELECT statement.

PHYSFILE usage notes

When a user with alter access to a DATASET class makes changes, before the changes are applied to the physical file, the PHYSFILE class is checked for access rights. Changes are made only if the user has access rights to PHYSFILE.

For example, in ESMAC, user access to PHYSFILE is verified when a user creates a new file, and when the physical file name is changed. Changes are allowed only when the user has access rights to PHYSFILE.

If the PHYSFILE class does not exist, access rights are not verified before the changes to the physical file are made.

Below is an example LDIF definition for PHYSFILE.

######################### 
# RACF Class = PHYSFILE # 
#########################
dn:CN=PHYSFILE,CN=Enterprise Server Resources,CN=MicroFocus,CN=RPIS,DC=mftesting,DC=com 
changetype: add
objectClass: top
objectClass: container 
description: JES Class for controlling access to physical files

######################### 
# physical file MYFILE #
######################### 
dn:CN=D\3A\\RPIS\\DATA\\MYFILE.DAT,CN=PHYSFILE,CN=Enterprise ServerResources,CN=Micro Focus,CN=RPIS,DC=mftesting,DC=com changetype: add
objectClass: microfocus-MFDS-Resource 
microfocus-MFDS-Resource-Class:PHYSFILE 
microfocus-MFDS-Resource-ACE: allow:ALLUSER group:update
microfocus-MFDS-Resource-ACE: deny:*:execute 
microfocus-MFDS-UID: mfuid
Previous Topic Next topic Print topic