To protect JESNEWS for JES2, perform the following steps:
- Ask the JES2 system programmer for the following information:
- The fully qualified name of each JESNEWS file to be protected
- The universal access authority to be associated with each JESNEWS
file. For JESNEWS, this value should always be READ to allow all JES
users to receive JESNEWS.
- The user IDs or group names of operators and users that
are to be authorized to update JESNEWS. Assign each of these users
or groups an access authority of UPDATE to the appropriate profile
in the OPERCMDS class. Ensure that all users and operators are defined
to RACF®.
- The security label to be associated with each JESNEWS file (if
security labels are being used). For JESNEWS, this value should always
be the lowest security label (SYSLOW) to allow JESNEWS to be printed
for all users.
- Create the following profiles:
RDEFINE JESSPOOL nodename.userid.$JESNEWS.STCtaskid.Dnewslvl.JESNEWS
UACC(READ)
where:
- nodename
- is the name of the node that created the JESNEWS data set.
- userid
- is the user ID associated with your JES2 system.
- STCtaskid
- is the name of the task that created the JESNEWS data set.
- Dnewslvl
- is the level of this copy of JESNEWS.
For example, for JESNEWS on NODEB:
RDEFINE JESSPOOL NODEB.*.$JESNEWS.*.*.JESNEWS UACC(READ)
Note: - This example assumes that a SETROPTS GENERIC(JESSPOOL) was previously
issued to turn generics on for this class and that a SETROPTS REFRESH
was then done.
- To improve system performance, you should consider including
an entry for JESNEWS in the global access checking table. For example:
NODEB.*.$JESNEWS.*.*.JESNEWS/READ
- To prevent unauthorized updating of JESNEWS, define a profile
in the OPERCMDS class. Any users authorized to update JESNEWS must
have ALTER access to this resource:
RDEFINE OPERCMDS jesname.UPDATE.JESNEWS UACC(NONE)
PERMIT jesname.UPDATE.JESNEWS CLASS(OPERCMDS) ID(user or group) ACCESS(ALTER)
If RACF is not active, JES2 requests
authorization to update JESNEWS from the operator.
Note: If RACF and the SECLABEL class are
active, RACF assigns the SECLABEL of the
last job that updated JESNEWS to the JESNEWS profile. This could cause
jobs with lower security labels than the updating job to miss important
information and RACF records
security violations for jobs accessing JESNEWS that did not previously
occur. To make JESNEWS accessible to all users, the job that creates
it should have a SECLABEL of SYSLOW and the data set profile should
have a UACC of READ. If the SECLABEL is greater than SYSLOW, JESNEWS
does not print in the output of any jobs submitted with a lower SECLABEL.