Define the JES command security

JES Job Monitor issues all JES operator commands requested by a user through an extended MCS (EMCS) console, whose name is controlled with the CONSOLE_NAME directive, as documented in FEJJCNFG, the JES Job Monitor configuration file.

The following sample RACF® commands give z/OS® Explorer users conditional access to a limited set of JES commands, which are Hold, Release, Cancel, Purge, change CLASS, and change MSGCLASS. Users have execution permission only if they issue the commands through JES Job Monitor. Replace the #console placeholder with the actual console name.
  • RDEFINE OPERCMDS MVS.MCSOPER.#console UACC(READ) DATA('IBM Explorer for z/OS')
  • RDEFINE OPERCMDS JES%.** UACC(NONE)
  • PERMIT JES%.** CLASS(OPERCMDS) ACCESS(UPDATE) WHEN(CONSOLE(JMON)) ID(*)
  • SETROPTS RACLIST(OPERCMDS) REFRESH
Note:
  • Usage of the console is permitted if no MVS.MCSOPER.#console profile is defined.
  • The CONSOLE class must be active for WHEN(CONSOLE(JMON)) to work, but there is no actual profile check in the CONSOLE class for EMCS consoles.
  • Do not replace JMON with the actual console name in the WHEN(CONSOLE(JMON)) clause. The JMON keyword represents the point-of-entry application, not the console name.
Attention: Defining JES commands with universal access NONE in your security software might impact other applications and operations. Test the security before activating it on a production system.

Table 1 and Table 2 show the operator commands issued for JES2 and JES3, and the discrete security profiles that can be used to protect them.

Table 1. JES2 Job Monitor operator commands

| Action | Command | OPERCMDS profile | Required access |
|---|---|---|---|
| Change CLASS | $Tx(jobid),C=class with x = {J, S or T} | jesname.MODIFY.BAT, jesname.MODIFY.STC, jesname.MODIFY.TSU | UPDATE |
| Change MSGCLASS | $TOx(jobid),Q=queue with x = {J, S or T} | jesname.MODIFY.BATOUT, jesname.MODIFY.STCOUT, jesname.MODIFY.TSUOUT | UPDATE |
| Hold | $Hx(jobid) with x = {J, S or T} | jesname.MODIFYHOLD.BAT, jesname.MODIFYHOLD.STC, jesname.MODIFYHOLD.TSU | UPDATE |
| Release | $Ax(jobid) with x = {J, S or T} | jesname.MODIFYRELEASE.BAT, jesname.MODIFYRELEASE.STC, jesname.MODIFYRELEASE.TSU | UPDATE |
| Cancel | $Cx(jobid) with x = {J, S or T} | jesname.CANCEL.BAT, jesname.CANCEL.STC, jesname.CANCEL.TSU | UPDATE |
| Purge | $Cx(jobid),P with x = {J, S or T} | jesname.CANCEL.BAT, jesname.CANCEL.STC, jesname.CANCEL.TSU | UPDATE |

Table 2. JES3 Job Monitor operator commands

| Action | Command | OPERCMDS profile | Required access |
|---|---|---|---|
| Change CLASS | *F,J=jobid,C=class | jesname.MODIFY.JOB | UPDATE |
| Change MSGCLASS | *F,U,J=jobid,NCL=class | jesname.MODIFY.U | UPDATE |
| Hold | *F,J=jobid,H | jesname.MODIFY.JOB | UPDATE |
| Release | *F,J=jobid,R | jesname.MODIFY.JOB | UPDATE |
| Cancel | *F,J=jobid,C | jesname.MODIFY.JOB | UPDATE |
| Purge | *F,J=jobid,C | jesname.MODIFY.JOB | UPDATE |

Note:
  • The Hold, Release, Cancel, Purge, change CLASS, and change MSGCLASS JES operator commands, and the Show JCL command, can be executed only against spool files owned by the client user ID, unless LIMIT_COMMANDS= with value LIMITED or NOLIMIT is specified in the JES Job Monitor configuration file. For more information, see "Actions against jobs - target limitations" in the Host Configuration Reference Guide (SC27-8438).
  • Users can browse any spool file, unless LIMIT_VIEW=USERID is defined in the JES Job Monitor configuration file. For more information, see "Access to spool files" in the Host Configuration Reference Guide (SC27-8438).
  • Even if users are not authorized for these operator commands, they can still submit jobs and read job output through JES Job Monitor if they have sufficient authority to the profiles, if any, that protect these resources, such as those in the JESINPUT, JESJOBS and JESSPOOL classes.

Your security software prevents a user from assuming the identity of the JES Job Monitor server by creating a JMON console from a TSO session. Even though the console can be created, the point of entry is different; for example, JES Job Monitor versus TSO. JES commands issued from this console fail the security check if your security is set up as documented in this publication and the user does not have authority to the JES commands through other means.
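
The discrete profiles from Table 1 can be used in place of the JES%.** generic profile. The following batch TSO job is an added example, not part of the IBM sample commands: it defines the JES2 batch-job profiles with the same conditional permission and then lists them for verification. The job card values, JES2 as the value of jesname, and the restriction to the .BAT and .BATOUT profiles are assumptions.

```jcl
//RACFJMON JOB (ACCT),'JMON OPERCMDS',CLASS=A,MSGCLASS=H
//* Added example; not part of the IBM sample commands.
//* Assumptions: the job card values, JES2 as the jesname, and
//* covering only the batch-job profiles (.BAT/.BATOUT) of Table 1.
//* Each PERMIT grants UPDATE only when the command arrives through
//* JES Job Monitor. JMON is the point-of-entry keyword, not the
//* console name, so it is not replaced.
//* UACC(NONE) also applies to operators and other applications;
//* give them their own PERMITs and run this on a test system first.
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE OPERCMDS JES2.MODIFY.BAT UACC(NONE)
  PERMIT JES2.MODIFY.BAT CLASS(OPERCMDS) ID(*) -
    ACCESS(UPDATE) WHEN(CONSOLE(JMON))
  RDEFINE OPERCMDS JES2.MODIFY.BATOUT UACC(NONE)
  PERMIT JES2.MODIFY.BATOUT CLASS(OPERCMDS) ID(*) -
    ACCESS(UPDATE) WHEN(CONSOLE(JMON))
  RDEFINE OPERCMDS JES2.MODIFYHOLD.BAT UACC(NONE)
  PERMIT JES2.MODIFYHOLD.BAT CLASS(OPERCMDS) ID(*) -
    ACCESS(UPDATE) WHEN(CONSOLE(JMON))
  RDEFINE OPERCMDS JES2.MODIFYRELEASE.BAT UACC(NONE)
  PERMIT JES2.MODIFYRELEASE.BAT CLASS(OPERCMDS) ID(*) -
    ACCESS(UPDATE) WHEN(CONSOLE(JMON))
  RDEFINE OPERCMDS JES2.CANCEL.BAT UACC(NONE)
  PERMIT JES2.CANCEL.BAT CLASS(OPERCMDS) ID(*) -
    ACCESS(UPDATE) WHEN(CONSOLE(JMON))
  SETROPTS RACLIST(OPERCMDS) REFRESH
  RLIST OPERCMDS (JES2.MODIFY.BAT JES2.MODIFY.BATOUT -
    JES2.MODIFYHOLD.BAT JES2.MODIFYRELEASE.BAT -
    JES2.CANCEL.BAT) AUTHUSER
  SETROPTS LIST
/*
```

In SYSTSPRT, the RLIST output shows the standard and conditional access lists of each profile, and the SETROPTS LIST output shows whether the CONSOLE class is active, which WHEN(CONSOLE(JMON)) requires.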