Your installation can require that only certain operators issue
certain JES2 commands. There could also be a requirement to restrict
commands coming in from RJE workstations, NJE nodes, or any other
device.
To control commands, you should review the commands and your installation's
security policy with your RACF® administrator and determine:
- The list of commands you need to control
- The command profile names
- The appropriate the authority level for any restricted commands
- The authority level your policy requires to issue a particular
command
- the list of users or groups authorized to issue each command.
The command resource names have the format:
jesname.command[.qualifier]
where:
- jesname
- The name of the JES2 system requesting the command validation.
- command
- The name of the command.
- qualifier
- The type of object the command specifies. (For example, JOB or
SYS.)
Table 2 contains a list of commands,
a sample resource name for each command, and the minimum required
authority level for each command. (If you give an operator access
to a command with a lower authority than the authority in the table, RACF will not allow the operator to issue the command.) The
authority levels give you a means of controlling commands that can
affect your installation's processing.
Ensure that your RACF administrator activates the
OPERCMDS class and defines each command profile to that class. In
order to minimize the number of definitions, commands should be defined
with generic profile name unless you are restricting specific commands.
Supply your RACF administrator with a generic name that
covers a group of commands and then group restricted commands in that
group with a more specific name. For example,
jesx.*
would define all commands as a group. Then,
jesx.START.*
defines all start commands.
The first definition, jesx.*, could restrict a group of operators
to only the commands that need READ authority. Then your RACF administrator would define any operators who would need
access to all the start commands with CONTROL authority. The operators
with CONTROL authority are able to issue all commands based on the RACF authority hierarchy shown in Table 1.
Table 1. RACF command
authority hierarchy. The following assumes a specific
profile does not exist that would prevent the operator from issuing
a command.| Access Level |
Commands Operator Can Issue |
|---|
| CONTROL |
All commands |
| UPDATE |
All commands specified with UPDATE or READ |
| READ |
Only commands specified with READ |
If you need to restrict commands to specific consoles, your RACF administrator should define an operator's access conditional
to the console from which the operator enters the command. For more
information on conditional access, see z/OS Security Server RACF Security Administrator's Guide.
If you expect commands to enter your system from local readers,
you must have an operator issue the $S RDRx command rather
than have JES2 start the reader. This ensures RACF has
a specific userid to use when checking command authorization.
To control the commands entering from RJE workstations your security
administrator must do the following:
- Define the RJE workstation profile in the RACF FACILITY
class.
- Define the RJE workstation as a valid RACF userid
using the remote name.
- Permit the RJE userid to the command profiles the node can issue.
The FACILITY class profile for RMT(1) has the form:
RJE.RMT1
The userid your administrator would define to RACF is RMT1.
Your administrator would use a similar process to define an NJE
node in order to control commands.
- Define the node to the RACF NODES class
- Define the node to the RACF FACILITY class
- Define the node as a RACF userid
- Permit the node's userid to the command profiles the node can
issue
The FACILITY class profile for node 1 named HYDEPARK is:
NJE.HYDEPARK
To control access to commands from other NJE nodes, use the following
NODES class profile:
*.RUSER.*
Your security policy can require auditing of all commands issued,
even if they are not valid on your system. You can audit commands
that might be unknown to JES2 by defining a profile called JESx.UNKNOWN
with a UACC of NONE and an AUDIT value of ALL. JES2 validates all
unknown commands with the JESx.UNKNOWN profile.
If you need a finer level of control over your commands (for example,
you want only certain operators to change the routing of a printer),
you should use JES2 Exit 36. See z/OS JES2 Installation Exits for information about Exit 36.
Table 2. JES2
commands with profile names and minimum required authority| JES2 command |
Example profile name |
Minimum required user access level |
|---|
| $A A |
jesx.MODIFYRELEASE.JOB |
UPDATE |
| $A J |
jesx.MODIFYRELEASE.BAT |
UPDATE |
| $A JOBQ |
jesx.MODIFYRELEASE.JST |
UPDATE |
| $A S |
jesx.MODIFYRELEASE.STC |
UPDATE |
| $A T |
jesx.MODIFYRELEASE.TSU |
UPDATE |
| $ACTIVATE |
jesx.ACTIVATE.FUNCTION |
CONTROL |
| $ADD APPL |
jesx.ADD.APPL |
CONTROL |
| $ADD CONNECT |
jesx.ADD.CONNECT |
CONTROL |
| $ADD DESTID |
jesx.ADD.DESTID |
CONTROL |
| $ADD FSS |
jesx.ADD.FSS |
CONTROL |
| $ADD JOBCLASS |
jesx.ADD.JOBCLASS |
CONTROL |
| $ADD LINE |
jesx.ADD.LINE |
CONTROL |
| $ADD LOADMOD |
jesx.ADD.LOADMOD |
CONTROL |
| $ADD LOGON |
jesx.ADD.LOGON |
CONTROL |
| $ADD NETSRV |
jesx.ADD.NETSRV |
CONTROL |
| $ADD PROCLIB |
jesx.ADD.PROCLIB |
CONTROL |
| $ADD PRTnnnn |
jesx.ADD.DEV |
UPDATE |
| $ADD REDIRECT |
jesx.ADD.REDIRECT |
CONTROL |
| $ADD RMT |
jesx.ADD.RMT |
CONTROL |
| $ADD SOCKET |
jesx.ADD.SOCKET |
CONTROL |
| $ADD SRVCLASS |
jesx.ADD.SRVCLASS |
CONTROL |
| $B device |
jesx.BACKSP.DEV |
UPDATE |
| $C A** |
jesx.CANCEL.AUTOCMD |
****** |
| $C J |
jesx.CANCEL.BAT |
UPDATE |
| $C Lx.yy |
jesx.CANCEL.DEV |
UPDATE |
| $C O J |
jesx.CANCEL.BATOUT |
UPDATE |
| $C O JOBQ |
jesx.CANCEL.JSTOUT |
UPDATE |
| $C O S |
jesx.CANCEL.STCOUT |
UPDATE |
| $C O T |
jesx.CANCEL.TSUOUT |
UPDATE |
| $C S |
jesx.CANCEL.STC |
UPDATE |
| $C T |
jesx.CANCEL.TSU |
UPDATE |
| $C device |
jesx.CANCEL.DEV |
UPDATE |
| $C OFFn.JR |
jesx.CANCEL.DEV |
UPDATE |
| $C OFFn.JT |
jesx.CANCEL.DEV |
UPDATE |
| $C OFFn.SR |
jesx.CANCEL.DEV |
UPDATE |
| $C OFFn.ST |
jesx.CANCEL.DEV |
UPDATE |
| $D A |
jesx.DISPLAY.JOB |
READ |
| $D ACTIVATE |
jesx.DISPLAY.ACTIVATE |
READ |
| $D ACTRMT |
jesx.DISPLAY.ACTRMT |
READ |
| $D APPL |
jesx.DISPLAY.APPL |
READ |
| $D CKPTDEF |
jesx.DISPLAY CKPTDEF |
READ |
| $D CLASSGRP |
jesx.DISPLAY.CLASSGRP |
READ |
| $D CONDEF |
jesx.DISPLAY.CONDEF |
READ |
| $D CONNECT |
jesx.DISPLAY.CONNECT |
READ |
| $D DESTDEF |
jesx.DISPLAY.DESTDEF |
READ |
| $D DEStid |
jesx.DISPLAY.DESTID |
READ |
| $D F |
jesx.DISPLAY.QUE |
READ |
| $D I |
jesx.DISPLAY.INITIATOR |
READ |
| $D INITINFO |
jesx.DISPLAY.INITINFO |
READ |
| $D J |
jesx.DISPLAY.BAT |
READ |
| $D JES2 |
jesx.DISPLAY.SYS |
READ |
| $D JOBCLASS |
jesx.DISPLAY.JOBCLASS |
READ |
| $D JOBQ |
jesx.DISPLAY.JST |
READ |
| $D L(nnnn).JR(n) |
jesx.DISPLAY.L |
READ |
| $D L(nnnn).JT(n) |
jesx.DISPLAY.L |
READ |
| $D L(nnnn).SR(n) |
jesx.DISPLAY.L |
READ |
| $D L(nnnn).ST(n) |
jesx.DISPLAY.L |
READ |
| $D LINE |
jesx.DISPLAY.LINE |
READ |
| $D LOADmod |
jesx.DISPLAY.LOADMOD |
READ |
| $D M |
jesx.SEND.MESSAGE |
READ |
| $D MASDEF |
jesx.DISPLAY.MASDEF |
READ |
| $D MEMBer |
jesx.DISPLAY.SYS |
READ |
| $D MODULE |
jesx.DISPLAY.MODULE |
READ |
| $D N |
jesx.DISPLAY.JOB |
READ |
| $D NETSRV |
jesx.DISPLAY.NETSRV |
READ |
| $D NJEDEF |
jesx.DISPLAY.NJEDEF |
READ |
| $D NODE |
jesx.DISPLAY.NODE |
READ |
| $D O J |
jesx.DISPLAY.BATOUT |
READ |
| $D O JOBQ |
jesx.DISPLAY.JSTOUT |
READ |
| $D OPTSDEF |
jesx.DISPLAY.OPTSDEF |
READ |
| $D O S |
jesx.DISPLAY.STCOUT |
READ |
| $D O T |
jesx.DISPLAY.TSUOUT |
READ |
| $D PATH |
jesx.DISPLAY.PATH |
READ |
| $D PCE |
jesx.DISPLAY.PCE |
READ |
| $D PROCLIB |
jesx.DISPLAY.PROCLIB |
READ |
| $D PRT |
jesx.DISPLAY.DEV |
READ |
| $D PRTnnnn |
jesx.DISPLAY.DEV |
READ |
| $D Q |
jesx.DISPLAY.JOB |
READ |
| $D REBLD |
jesx.DISPLAY.REBLD |
READ |
| $D RDI |
jesx.DISPLAY.RDI |
READ |
| $D RDRnn |
jesx.DISPLAY.DEV |
READ |
| $D Rnnnnn.CON |
jesx.DISPLAY.DEV |
READ |
| $D Rnnnnn.PRm |
jesx.DISPLAY.DEV |
READ |
| $D Rnnnnn.PUm |
jesx.DISPLAY.DEV |
READ |
| $D Rnnnnn.RDm |
jesx.DISPLAY.DEV |
READ |
| $D REDIRect |
jesx.DISPLAY.REDIRECT |
READ |
| $D S |
jesx.DISPLAY.STC |
READ |
| $D SOCKET |
jesx.DISPLAY.SOCKET |
READ |
| $D SPOOL |
jesx.DISPLAY.SPOOL |
READ |
| $D SPOOLDEF |
jesx.DISPLAY.SPOOLDEF |
READ |
| $D SRVCLASS |
jesx.DISPLAY.SRVCLASS |
READ |
| $D SSI |
jesx.DISPLAY.SSI |
READ |
| $D SUBNET |
jesx.DISPLAY.SUBNET |
READ |
| $D T |
jesx.DISPLAY.TSU |
READ |
| $D TRACE(x) |
jesx.DISPLAY.TRACE |
READ |
| $D U |
jesx.DISPLAY.DEV |
READ |
| $D init stmt |
jesx.DISPLAY.initstmt |
READ |
| $D PUNnn |
jesx.DISPLAY.DEV |
READ |
| $DEL CONNECT |
jesx.DEL.CONNECT |
CONTROL |
| $DEL DESTID |
jesx.DEL.DESTID |
CONTROL |
| $DEL JOBCLASS |
jesx.DEL.JOBCLASS |
CONTROL |
| $DEL LOADMOD |
jesx.DEL.LOADMOD |
CONTROL |
| $DEL PROCLIB |
jesx.DEL.PROCLIB |
CONTROL |
| $E CKPTLOCK |
jesx.RESTART.SYS |
CONTROL |
| $E J |
jesx.RESTART.BAT |
CONTROL |
| $E JOBQ |
jesx.RESTART.JST |
CONTROL |
| $E LINE(x) |
jesx.RESTART.LINE |
CONTROL |
| $E LOGON(x) |
jesx.RESTART.LOGON |
CONTROL |
| $E MEMBER() |
jesx.RESTART.SYS |
CONTROL |
| $E NETSRV |
jesx.RESTART.NETSRV |
CONTROL |
| $E OFFn.JT |
jesx.RESTART.DEV |
UPDATE |
| $E OFFn.ST |
jesx.RESTART.DEV |
UPDATE |
| $E device |
jesx.RESTART.DEV |
UPDATE |
| $F device |
jesx.FORWARD.DEV |
UPDATE |
| $G A |
jesx.GMODIFYRELEASE.JOB |
UPDATE |
| $G C |
jesx.GCANCEL.JOB |
UPDATE |
| $G D |
jesx.GDISPLAY.JOB |
READ |
| $G H |
jesx.GMODIFYHOLD.JOB |
UPDATE |
| $G R |
jesx.GROUTE.JOBOUT |
UPDATE |
| $G R (for execution) |
jesx.GROUTE.JOBOUT |
UPDATE |
| $H A |
jesx.MODIFYHOLD.JOB |
UPDATE |
| $H J |
jesx.MODIFYHOLD.BAT |
UPDATE |
| $H JOBQ |
jesx.MODIFYHOLD.JST |
UPDATE |
| $H S |
jesx.MODIFYHOLD.STC |
UPDATE |
| $H T |
jesx.MODIFYHOLD.TSU |
UPDATE |
| $I device |
jesx.INTERRUPT.DEV |
UPDATE |
| $JD DETAILS |
jesxMON.DISPLAY.DETAIL |
READ |
| $JD HISTORY |
jesxMON.DISPLAY.HISTORY |
READ |
| $JD JES |
jesxMON.DISPLAY.JES |
READ |
| $JD MONITOR |
jesxMON.DISPLAY.MONITOR |
READ |
| $JD STATUS |
jesxMON.DISPLAY.STATUS |
READ |
| $J STOP |
jesxMON.STOP.MONITOR |
CONTROL |
| $L J |
jesx.DISPLAY.BATOUT |
READ |
| $L JOBQ |
jesx.DISPLAY.JSTOUT |
READ |
| $L S |
jesx.DISPLAY.STCOUT |
READ |
| $L T |
jesx.DISPLAY.TSUOUT |
READ |
| $M |
jesx.MSEND.CMD |
READ |
| $M SPL |
jesx.MIGRATE.FUNCTION |
CONTROL |
| $N |
jesx.NSEND.CMD |
READ |
| $N device |
jesx.REPEAT.DEV |
UPDATE |
| $O J |
jesx.RELEASE.BATOUT |
UPDATE |
| $O JOBQ |
jesx.RELEASE.JSTOUT |
UPDATE |
| $O S |
jesx.RELEASE.STCOUT |
UPDATE |
| $O T |
jesx.RELEASE.TSUOUT |
UPDATE |
| $P |
jesx.STOP.SYS |
CONTROL |
| $P I |
jesx.STOP.INITIATOR |
CONTROL |
| $P JES2 |
jesx.STOP.SYS |
CONTROL |
| $P JOBQ |
jesx.STOP.JST |
UPDATE |
| $P LINE(x) |
jesx.STOP.LINE |
CONTROL |
| $P LOGON(x) |
jesx.STOP.LOGON |
CONTROL |
| $P NETSRV |
jesx.STOP.NETSRV |
CONTROL |
| $P O J |
jesx.STOP.BATOUT |
UPDATE |
| $P O JOBQ |
jesx.STOP.JSTOUT |
UPDATE |
| $P O S |
jesx.STOP.STCOUT |
UPDATE |
| $P O T |
jesx.STOP.TSUOUT |
UPDATE |
| $P OFFn.JR |
jesx.STOP.DEV |
UPDATE |
| $P OFFn.JT |
jesx.STOP.DEV |
UPDATE |
| $P OFFn.SR |
jesx.STOP.DEV |
UPDATE |
| $P OFFn.ST |
jesx.STOP.DEV |
UPDATE |
| $P OFFLOADn |
jesx.STOP.DEV |
UPDATE |
| $P RMT(x) |
jesx.STOP.RMT |
CONTROL |
| $P S |
jesx.STOP.STC |
UPDATE |
| $P SPOOL |
jesx.STOP.SPOOL |
CONTROL |
| $P SRVCLASS |
jesx.STOP.SRVCLASS |
CONTROL |
| $P T |
jesx.STOP.TSU |
UPDATE |
| $P TRACE(x) |
jesx.STOP.TRACE |
CONTROL |
| $P XEQ |
jesx.STOP.SYS |
CONTROL |
| $P device |
jesx.STOP.DEV |
UPDATE |
| $PO JOBQ |
jesx.STOP.JSTOUT |
UPDATE |
| $PO JOB |
jesx.STOP.BATOUT |
UPDATE |
| $PO STC |
jesx.STOP.STCOUT |
UPDATE |
| $PO TSU |
jesx.STOP.TSUOUT |
UPDATE |
| $R ALL |
jesx.ROUTE.JOBOUT |
UPDATE |
| $R PRT |
jesx.ROUTE.JOBOUT |
UPDATE |
| $R PUN |
jesx.ROUTE.JOBOUT |
UPDATE |
| $R XEQ |
jesx.ROUTE.JOBOUT |
UPDATE |
| $S |
jesx.START.SYS |
CONTROL |
| $S A |
jesx.START.AUTOCMD |
CONTROL |
| $S I |
jesx.START.INITIATOR |
CONTROL |
| $S J |
jesx.START.BAT |
UPDATE |
| $S LINE(x) |
jesx.START.LINE |
CONTROL |
| $S LOGON(x) |
jesx.START.LOGON |
CONTROL |
| $S N |
jesx.START.NET |
CONTROL |
| $S OFFn.JR |
jesx.START.DEV |
UPDATE |
| $S OFFn.JT |
jesx.START.DEV |
UPDATE |
| $S OFFn.SR |
jesx.START.DEV |
UPDATE |
| $S OFFn.ST |
jesx.START.DEV |
UPDATE |
| $S OFFLOADn |
jesx.START.DEV |
UPDATE |
| $S RMT(x) |
jesx.START.RMT |
CONTROL |
| $S SPOOL |
jesx.START.SPOOL |
CONTROL |
| $S SRVCLASS |
jesx.START.SRVCLASS |
CONTROL |
| $S TRACE(x) |
jesx.START.TRACE |
CONTROL |
| $S XEQ |
jesx.START.SYS |
CONTROL |
| $S device |
jesx.START.DEV |
UPDATE |
| $T A(CREATE) |
jesx.MODIFY.AUTOCMD |
READ |
| $T A(OWNER) |
jesx.MODIFY.AUTOCMD |
READ |
| $T A(NOT OWNER) |
jesx.MODIFY.AUTOCMD |
CONTROL |
| $T APPL |
jesx.MODIFY.APPL |
CONTROL |
| $T BUFDEF |
jesx.MODIFY.BUFDEF |
CONTROL |
| $T CKPTDEF |
jesx.MODIFY.CKPTDEF |
CONTROL |
| $T CONDEF |
jesx.MODIFY.CONDEF |
CONTROL |
| $T CONNECT |
jesx.MODIFY.CONNECT |
CONTROL |
| $T DEBUG |
jesx.MODIFY.DEBUG |
CONTROL |
| $T DESTDEF |
jesx.MODIFY.DESTDEF |
CONTROL |
| $T DEStid |
jesx.MODIFY.DESTID |
CONTROL |
| $T ESTBYTE |
jesx.MODIFY.ESTBYTE |
CONTROL |
| $T ESTIME |
jesx.MODIFY.ESTIME |
CONTROL |
| $T ESTLNCT |
jesx.MODIFY.ESTLNCT |
CONTROL |
| $T ESTPAGE |
jesx.MODIFY.ESTPAGE |
CONTROL |
| $T ESTPUN |
jesx.MODIFY.ESTPUN |
CONTROL |
| $T EXIT |
jesx.MODIFY.EXIT |
CONTROL |
| $T FSS |
jesx.MODIFY.FSS |
CONTROL |
| $T I |
jesx.MODIFY.INITIATOR |
CONTROL |
| $T INTRDR |
jesx.MODIFY.INTRDR |
CONTROL |
| $T J |
jesx.MODIFY.BAT |
UPDATE |
| $T JOBCLASS |
jesx.MODIFY.JOBCLASS |
CONTROL |
| $T JOBDEF |
jesx.MODIFY.JOBDEF |
CONTROL |
| $T JOBPRTY |
jesx.MODIFY.JOBPRTY |
CONTROL |
| $T JOBQ |
jesx.MODIFY.JST |
UPDATE |
| $T LINE |
jesx.MODIFY.LINE |
CONTROL |
| $T LOADMOD |
jesx.MODIFY.LOADMOD |
CONTROL |
| $T LOGON |
jesx.MODIFY.LOGON |
CONTROL |
| $T MASDEF |
jesx.MODIFY.MASDEF |
CONTROL |
| $T MEMBER(x) |
jesx.MODIFY.SYS |
CONTROL |
| $T NETSRV |
jesx.MODIFY.NETSRV |
CONTROL |
| $T NODE |
jesx.MODIFY.NODE |
CONTROL |
| $T NJEDEF |
jesx.MODIFY.NJEDEF |
CONTROL |
| $T NUM |
jesx.MODIFY.NUM |
CONTROL |
| $T O J |
jesx.MODIFY.BATOUT |
UPDATE |
| $T O JOBQ |
jesx.MODIFY.JSTOUT |
UPDATE |
| $T O S |
jesx.MODIFY.STCOUT |
UPDATE |
| $T O T |
jesx.MODIFY.TSUOUT |
UPDATE |
| $T OFFx.yy |
jesx.MODIFY.OFF |
CONTROL |
| $T OFFLOADx |
jesx.MODIFY.OFFLOAD |
CONTROL |
| $T OUTCLASS |
jesx.MODIFY.OUTCLASS |
CONTROL |
| $T OUTDEF |
jesx.MODIFY.OUTDEF |
CONTROL |
| $T OUTPRTY |
jesx.MODIFY.OUTPRTY |
CONTROL |
| $T PCE |
jesx.MODIFY.PCE |
CONTROL |
| $T PRINTDEF |
jesx.MODIFY.PRINTDEF |
CONTROL |
| $T PROCLIB |
jesx.MODIFY.PROCLIB |
CONTROL |
| $T RECVopts |
jesx.MODIFY.RECVOPTS |
CONTROL |
| $T REDIRect |
jesx.MODIFY.REDIRECT |
CONTROL |
| $T RMT |
jesx.MODIFY.RMT |
CONTROL |
| $T S |
jesx.MODIFY.STC |
UPDATE |
| $T SMFDEF |
jesx.MODIFY.SMFDEF |
CONTROL |
| $T SOCKET |
jesx.MODIFY.SOCKET |
CONTROL |
| $T SPOOLDEF |
jesx.MODIFY.SPOOLDEF |
CONTROL |
| $T SPOOL |
jesx.MODIFY.SPOOL |
CONTROL |
| $T SRVCLASS |
jesx.MODIFY.SRVCLASS |
CONTROL |
| $T SSI |
jesx.MODIFY.SSI |
CONTROL |
| $T STCCLASS |
jesx.MODIFY.STCCLASS |
CONTROL |
| $T TPDEF |
jesx.MODIFY.TPDEF |
CONTROL |
| $T TRACEDEF |
jesx.MODIFY.TRACEDEF |
CONTROL |
| $T T |
jesx.MODIFY.TSU |
UPDATE |
| $T device |
jesx.MODIFY.DEV |
UPDATE |
| $T init stmt |
jesx.MODIFY.init stmt |
CONTROL |
| $T TSUCLASS |
jesx.MODIFY.TSUCLASS |
CONTROL |
| $VS* |
jesx.VS |
CONTROL |
| $Z A |
jesx.HALT.AUTOCMD |
CONTROL |
| $Z I |
jesx.HALT.INITIATOR |
CONTROL |
| $Z OFFLOADn |
jesx.HALT.DEV |
UPDATE |
| $Z SPOOL |
jesx.HALT.SPOOL |
CONTROL |
| $Z device |
jesx.HALT.DEV |
UPDATE |
| $ZAPJOB |
jesx.ZAP.JOB |
CONTROL |
z/OS JES2 Initialization and Tuning Guide
Copyright IBM Corporation 1990, 2014