Define JES command security

JES Job Monitor issues all JES operator commands requested by a user through an extended MCS (EMCS) console, whose name is controlled with the CONSOLE_NAME directive, as documented in FEJJCNFG, JES Job Monitor configuration file.

The following sample RACF® commands give z/OS® Explorer users conditional access to a limited set of JES commands: Hold, Release, Cancel, and Purge. Users have only execution permission if they issue the commands through JES Job monitor. Replace the #console variable with the actual console name.

RDEFINE OPERCMDS MVS.MCSOPER.#console UACC(READ) 
DATA('IBM Explorer for z/OS')

```
RDEFINE OPERCMDS JES%.** UACC(NONE)
```

PERMIT JES%.** CLASS(OPERCMDS) ACCESS(UPDATE) WHEN(CONSOLE(JMON)) ID(*)

```
SETROPTS RACLIST(OPERCMDS) REFRESH
```

Note:

Usage of the console is permitted if no MVS.MCSOPER.#console profile is defined.
The CONSOLE class must be active for WHEN(CONSOLE(JMON)) to work, but there is no actual profile check in the CONSOLE class for EMCS consoles.
Do not replace JMON with the actual console name in the WHEN(CONSOLE(JMON)) clause. The JMON keyword represents the point-of-entry application, not the console name.

Attention: Defining JES commands with universal access NONE in your security software might impact other applications and operations. Test the impact before activating the universal access on a production system.