z/OS Security Server RACF Security Administrator's Guide


Letting users create their own JESSPOOL profiles

SA23-2289-00

Users can create their own JESSPOOL profiles if they have CLAUTH authority to the JESSPOOL class. If your installation decides to put the SETROPTS GENERICOWNER option into effect, you can restrict each user to creating JESSPOOL profiles only for his or her own spool data.

To do this, perform the following steps:
  1. Issue this command:
    SETROPTS GENERICOWNER
  2. To prevent all users except the system administrator from being able to create JESSPOOL profiles, issue either of the following commands:
    RDEFINE JESSPOOL ** OWNER(sys_admin_id) UACC(NONE)
    RDEFINE JESSPOOL *  OWNER(sys_admin_id) UACC(NONE)
  3. For each user who should be able to create JESSPOOL profiles for his or her own spool data, create a JESSPOOL profile with the user's user ID specified. Make the user the owner of the profile. For example, for users SMITH and BEN:
    RDEFINE JESSPOOL nodename.SMITH.** OWNER(SMITH) UACC(NONE)
    RDEFINE JESSPOOL nodename.BEN.**   OWNER(BEN)   UACC(NONE)
    Note: These examples assume that a SETROPTS GENERIC(JESSPOOL) was previously issued to turn generics on for this class and that a SETROPTS REFRESH was then done.
  4. Give users CLAUTH authority to the JESSPOOL class:
    ALTUSER SMITH CLAUTH(JESSPOOL)
    ALTUSER BEN   CLAUTH(JESSPOOL)
  5. Users with CLAUTH authority can define their own JESSPOOL profiles:
    RDEFINE JESSPOOL profile-name OWNER(SMITH) UACC(NONE)
    RDEFINE JESSPOOL profile-name OWNER(BEN)   UACC(NONE)
    where profile-name is more specific than the JESSPOOL profile name you defined for this user in Step 3.
  6. After defining their own JESSPOOL profiles, the users with CLAUTH can use the following PERMIT command to grant other users access to the spool data sets protected by that profile:
    PERMIT profile-name CLASS(JESSPOOL)
           ID(userid|groupname)
           ACCESS(access-authority)
    where access-authority is one of the following:
    NONE
      Gives the user no access.
    READ
      Lets the user view the spool data set, but does not let the user change the data set's contents or attributes. For example, READ does not allow the following operands on the TSO OUTPUT command: DELETE, DEST, NEWCLASS, NOHOLD, and NOKEEP.
    UPDATE
      Lets the user read or update the contents of a spool data set. UPDATE does not allow the user to change the data set's attributes. UPDATE also allows users to update spool data sets opened by an application in the same address space.
    CONTROL
      Is equivalent to UPDATE.
    ALTER
      Lets the user read or update a spool data set or change the attributes of a spool data set. For example, ALTER allows any operand to be specified on the TSO OUTPUT command, including operands for deleting and printing. Also, when specified for a discrete profile, ALTER lets the user change the profile itself.
Note: If SDSF is installed on your system, JESSPOOL profiles control which action characters and overtypeable fields users can enter on SDSF panels. For complete information on creating JESSPOOL profiles for use with SDSF, see z/OS SDSF Operation and Customization.
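
The following Python sketch is an added illustration, not IBM code and not RACF's actual algorithm. It models how steps 1 through 5 combine to decide whether an RDEFINE is allowed, and why the catch-all profile from step 2 matters. Assumptions: a less-specific profile ends in * or ** and covers any name that matches it up to that ending; SPECIAL and group authorities are not modelled; NODE1 and SYSADM are placeholders.

```python
# Simplified model of the RDEFINE authority check described in steps 1 to 5.
# Assumption: a less-specific profile ends in * or ** and covers any name that
# matches it character for character up to that ending. Real RACF applies more
# rules (SPECIAL, group-SPECIAL, group ownership) that are not modelled here.

def stem(profile):
    """Return the fixed part of a generic profile, or None if it is not generic."""
    for ending in ("**", "*"):
        if profile.endswith(ending):
            return profile[: -len(ending)]
    return None

def covering_profile(new_name, profiles):
    """Find the most specific existing profile that covers new_name."""
    best = None
    for name in profiles:
        s = stem(name)
        if s is None or name == new_name or not new_name.startswith(s):
            continue
        if best is None or len(s) > len(stem(best)):
            best = name
    return best

def may_rdefine(user, new_name, profiles, clauth, genericowner=True):
    """Decide whether user may define new_name; returns (allowed, reason)."""
    if user not in clauth:
        return False, "no CLAUTH for the class"
    if not genericowner:
        return True, "CLAUTH is sufficient without GENERICOWNER"
    cover = covering_profile(new_name, profiles)
    if cover is None:
        return True, "no less-specific profile exists"
    if profiles[cover] == user:
        return True, f"user owns {cover}"
    return False, f"{cover} is owned by {profiles[cover]}"

# Constructed sample state after steps 2 to 4 (NODE1 and SYSADM are placeholders).
PROFILES = {"**": "SYSADM", "NODE1.SMITH.**": "SMITH", "NODE1.BEN.**": "BEN"}
CLAUTH = {"SMITH", "BEN"}

if __name__ == "__main__":
    for user, name in [("SMITH", "NODE1.SMITH.PAYROLL.**"),
                       ("SMITH", "NODE1.BEN.JOB1.**"),
                       ("BEN", "NODE1.JONES.**"),
                       ("JONES", "NODE1.JONES.**")]:
        print(user, name, may_rdefine(user, name, PROFILES, CLAUTH))
```

Removing the "**" entry from PROFILES shows the gap that step 2 closes: in this model BEN would then be allowed to define NODE1.JONES.** because no less-specific profile covers it.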





Copyright IBM Corporation 1990, 2014