Controlling access to SYSIN and SYSOUT

During job execution, JES2 creates data sets for a job's input (SYSIN) and output (SYSOUT). These data sets have profile names in the form: 
localnodeid.userid.jobname.jobid.dsidentifier.name
where:
localnodeid
The name of the node on which the SYSIN or SYSOUT data set currently resides. The localnodeid appears in the JES2 job log of every job.
userid
The userid associated with the job. This is the userid RACF® uses for validation purposes when the job runs.
jobname
The name that appears in the name field of the JOB statement.
jobid
The job number JES2 assigned to the job. The jobid appears in notification messages and the JES2 job log of every job.
dsidentifier
The unique 8-byte alphanumeric character identifier JES2 assigned to this data set. This identifier is an encoded printable representation of the internal data set number (data set key) of the SPOOL data set. The internal data set number and data set name (which includes the dsidentifier) are available from the Extended Status SSI (SSI 80), which is documented in z/OS MVS Using the Subsystem Interface.
Note: The first 10 million data sets that are created by a job can be sorted chronologically by data set name. The same is true for data sets created after the first 10 million data sets. When the two subsets are sorted together, however, the resulting sequence will not be in the order of data set creation.
name
The name of the data set specified in the DSN= parameter of the DD statement. This name cannot be JESYSMSG, JESJCLIN, JESJCL, or JESMSGLG and follows the naming conventions for a temporary data set. See z/OS MVS JCL Reference for the temporary data set naming conventions. If the JCL did not specify DSN= on the DD statement that creates the spool data set, JES2 uses a question mark (?).
For example, if user MYUSER submits a job named MYJOB to run on NODEA, and JES2 assigns a jobid of JOB08237, and the value of DSN= for a SYSOUT data set is OUTPUT, the profile name for a SYSOUT data set created by this job could be: 
NODEA.MYUSER.MYJOB.JOB08237.D0000112.OUTPUT

These data sets might exist after the job completes execution. Your RACF administrator can Start of changerestrictEnd of change access to these data sets by activating the JESSPOOL RACF class. If RACF Start of changeor the JESSPOOL classEnd of change is not active, JES2 Start of changedoes not restrict accessEnd of change to a SYSIN/SYSOUT data set the job creates. Start of changeSome products such as SDSF or TSO/E restrict what SYSIN/SYSOUT data set a user can access, but there are unauthorized APIs that can be used to access any data set on spool when JESSPOOL protection is not active.End of change When RACF Start of changeand the JESSPOOL class areEnd of change active, RACF allows the userid (MYUSER in the preceding example) that creates a SYSIN/SYSOUT data set access to the data set, even though a profile might not exist for the data set. If any other users require access to a spool data set, the owner of the data set would have to define the data set profile (or a generic profile for the data set) and give access (through the RACF PERMIT command) to the users requiring the data.

Note: The data set name JES2 uses in its control blocks is the last 5 qualifiers used to build the RACF profile name.
Parent topic: Controlling access to data that resides on SPOOL