Previous Topic Next topic Print topic

Resource Classes for JES Security

The table below defines the name of each default resource class used in Enterprise Server for JES security, its meaning, the type of resource entities it contains, and the minimum permission that a user requires on the entities.

JES Class name

JES relation

Entities

ACCESS LEVEL

DATASET

Dataset Names

Files

None, Read, Update, Alter

JESINPUT

Conditional access support for commands or jobs entered into the system through a JES input device.  INTRDR = Jobs submitted via Internal Reader as a result of executing JCL.   STCINRDR=Jobs submitted via Internal Reader as a result of the execution of a CICS or IMS transaction.  TSUINRDR = Jobs submitted via the ESMAC JES "Control" page and/or the cassub command line interface.

INTRDR, STCINRDR, TSUINRDR

None, Read

JESJOBS

Controlling the submission and cancellation of jobs by job name.

CANCEL.nodename.userid.jobname    (for job cancellation authority)

SUBMIT.nodename.jobname.userid  (for job submissions)

where nodename is the name of the enterprise server.

Note: Note:

These rules are not typically used, but they do provide granularity of control for those environments with special requirements.

NONE

Allows no access.

READ

Allows user to submit jobs

UPDATE

Equivalent to READ.

CONTROL

Equivalent to UPDATE.

ALTER

Allows jobs to be cancelled

JESSPOOL

Controlling access to job data sets on the JES spool (Joblog, SYSOUT and Messages.

localnodeid.userid.jobname.jobid.dsnumber.name

where

  • localnodeid is the name of the enterprise server
  • dsnumber is the relative dataset number for the job e.g. 001
  • name is the dd name
Note:

These rules are not typically used, but they do provide granularity of control for those environments with special requirements.

NONE

Allows no access.

READ

Allows user to view the spool data set, but not change its attributes. For example, this does not allow the following keywords on the OUTPUT command: NOKEEP, NOHOLD, DELETE, NEWCLASS, and DEST.

UPDATE

Allows to update a spool data set.

CONTROL

Equivalent to UPDATE.

ALTER

Allows any operand specified on the TSO OUTPUT command, including deleting and printing. Also, when specified for a discrete profile, allows the user to change the profile itself.

SURROGAT

JES Class for controlling access to job submission by surrogates.  If UserA wants to submit a job to run as UserB then he must have "Read" access to the SURROGAT class for entity UserB.SUBMIT

execution-userid .SUBMIT

For example, if USERA as USERB's surrogate, Enterprise Server will check that USERA has read access for the entity, USERB.SUBMIT in the SURROGAT class.

None, Read

Parent topic: Resource Classes used by Enterprise Server
Previous Topic Next topic Print topic