z/OS Security Server RACF Security Administrator's Guide


Protecting JESNEWS for JES2

SA23-2289-00

To protect JESNEWS for JES2, perform the following steps:
  1. Ask the JES2 system programmer for the following information:
    • The fully qualified name of each JESNEWS file to be protected
    • The universal access authority to be associated with each JESNEWS file. For JESNEWS, this value should always be READ to allow all JES users to receive JESNEWS.
    • The user IDs or group names of operators and users that are to be authorized to update JESNEWS. Assign each of these users or groups an access authority of UPDATE to the appropriate profile in the OPERCMDS class. Ensure that all users and operators are defined to RACF®.
    • The security label to be associated with each JESNEWS file (if security labels are being used). For JESNEWS, this value should always be the lowest security label (SYSLOW) to allow JESNEWS to be printed for all users.
  2. Create the following profiles:
    RDEFINE JESSPOOL nodename.userid.$JESNEWS.STCtaskid.Dnewslvl.JESNEWS
            UACC(READ)
    where:
    nodename
      is the name of the node that created the JESNEWS data set.
    userid
      is the user ID associated with your JES2 system.
    STCtaskid
      is the name of the task that created the JESNEWS data set.
    Dnewslvl
      is the level of this copy of JESNEWS.
    For example, for JESNEWS on NODEB:
    RDEFINE JESSPOOL NODEB.*.$JESNEWS.*.*.JESNEWS UACC(READ)
    Note:
    1. This example assumes that a SETROPTS GENERIC(JESSPOOL) was previously issued to turn generics on for this class and that a SETROPTS REFRESH was then done.
    2. To improve system performance, you should consider including an entry for JESNEWS in the global access checking table. For example:
      NODEB.*.$JESNEWS.*.*.JESNEWS/READ
  3. To prevent unauthorized updating of JESNEWS, define a profile in the OPERCMDS class. Any users authorized to update JESNEWS must have ALTER access to this resource:
    RDEFINE OPERCMDS jesname.UPDATE.JESNEWS UACC(NONE)
    PERMIT  jesname.UPDATE.JESNEWS CLASS(OPERCMDS) ID(user or group) ACCESS(ALTER)

    If RACF is not active, JES2 requests authorization to update JESNEWS from the operator.

    Note: If RACF and the SECLABEL class are active, RACF assigns the SECLABEL of the last job that updated JESNEWS to the JESNEWS profile. This could cause jobs with lower security labels than the updating job to miss important information, and could cause RACF to record security violations that did not previously occur for jobs accessing JESNEWS. To make JESNEWS accessible to all users, the job that creates it should have a SECLABEL of SYSLOW and the data set profile should have a UACC of READ. If the SECLABEL is greater than SYSLOW, JESNEWS does not print in the output of any jobs submitted with a lower SECLABEL.
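
The steps above combined into one batch TSO job for the NODEB example, followed by a listing of the resulting profiles for review. This is an added example, not part of the IBM guide. It assumes a constructed job card, the subsystem name JES2 for jesname, a hypothetical group NEWSGRP, that no GLOBAL JESSPOOL profile exists yet, and that the OPERCMDS class is RACLISTed.

```jcl
//RACFNEWS JOB (ACCT),'JESNEWS PROFILES',CLASS=A,MSGCLASS=X
//*
//* Added example; values below are assumptions, not from the guide:
//*   JES2    - subsystem name used for "jesname"
//*   NEWSGRP - hypothetical group allowed to update JESNEWS
//*
//* Command order in SYSTSIN:
//*   1. Turn generics on for JESSPOOL and refresh.
//*   2. Define the JESSPOOL profile with UACC(READ) so every
//*      JES user can receive JESNEWS. Sites that use security
//*      labels also assign SYSLOW to this profile.
//*   3. Add the matching global access checking table entry
//*      (assumes GLOBAL JESSPOOL is not yet defined) and
//*      activate global access checking for the class.
//*   4. Define the OPERCMDS profile with UACC(NONE) and permit
//*      only the update group, then refresh the RACLISTed class
//*      (assumes OPERCMDS is RACLISTed).
//*   5. List both profiles so the UACC values and the access
//*      list can be reviewed in SYSTSPRT.
//*
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS GENERIC(JESSPOOL)
  SETROPTS GENERIC(JESSPOOL) REFRESH
  RDEFINE JESSPOOL NODEB.*.$JESNEWS.*.*.JESNEWS UACC(READ)
  RDEFINE GLOBAL JESSPOOL ADDMEM(NODEB.*.$JESNEWS.*.*.JESNEWS/READ)
  SETROPTS GLOBAL(JESSPOOL)
  RDEFINE OPERCMDS JES2.UPDATE.JESNEWS UACC(NONE)
  PERMIT JES2.UPDATE.JESNEWS CLASS(OPERCMDS) ID(NEWSGRP) ACCESS(ALTER)
  SETROPTS RACLIST(OPERCMDS) REFRESH
  RLIST JESSPOOL NODEB.*.$JESNEWS.*.*.JESNEWS ALL
  RLIST OPERCMDS JES2.UPDATE.JESNEWS AUTHUSER
/*
```

In the RLIST output, the JESSPOOL profile should show a universal access of READ, and the OPERCMDS profile should show a universal access of NONE with only the intended IDs on its access list.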





Copyright IBM Corporation 1990, 2014