Programming Considerations

Register 1 points to a parameter list (defined by macro IATYSSX). Values at the following labels fall into two categories: those that can be modified and those that can only be read.

The following list shows labels whose values can be modified:

SSXATTR

Specifies the access authority of the user or group permitted access to the JES3 resource for which authorization checking is to be performed:

SSXAALTR – User or group has total control over the resource.
SSXACNTL – For VSAM data sets, the user or group has authority equivalent to the VSAM control password. For non-VSAM data sets and other resources, the user or group has UPDATE authority
SSXAUPDT – User or group can open the resource to read or write.
SSXAREAD – User or group can open the resource to read only.

See z/OS JES3 Initialization and Tuning Guide for information about how these authorization levels affect the specific JES3 resources (SSXCLASS).

SSXEXNOD

A nine-byte field where the first byte is the length of the execution node, and the remaining eight bytes contains the execution node name. The execution node is the node where the job executed.

SSXENTIT

Specifies the resource name for which RACF® security processing is to performed. For example, for an *INQUIRY,X command the resource name is

JES3.DISPLAY.X

If a TSO user cancels a job, the resource name is

CANCEL.node.userid.jobname

The resource name can be from zero to 53 bytes long.

If SSX1ENTX is set, SSXENTIT is in ENTITYX format.

SSXGROUP

A nine-byte field where the first byte is the length of the group name, and the remaining eight bytes contains the RACF group name. See your RACF administrator for valid RACF group names for your installation.

SSXJOBNM

Specifies the eight-character job name.

SSXLOG

Specifies how SAF or RACF should log the reason for the IATXSEC call (SSXLGSTR) in the SMF data sets.

SSXASIS: RACF should record the events in the manner specified in the profile that protects the resource. See your RACF administrator for more information about RACF profiles.
SSXNFAIL: If the authorization check fails, the attempt is not recorded. If the authorization check succeeds, the attempt is recorded in the manner specified in the RACF profile that protects the resource.
SSXNSTAT: The attempt is not recorded and no resource statistics are updated.
SSXNONE: The event is not recorded.

SSXLGSTR

Specifies the address of a character string that RACF adds to the SMF record. This character string indicates the IATXSEC macro call was made. The SMF log string can be from zero to 255 bytes long. The first byte must contain the length of the string.

SSXNPASS

A nine-byte field where the first byte is the length of the user's new password, and the remaining eight bytes contains the new password.

SSXPASCK

Specifies whether the password should be checked by RACF.

SSXPCYES: RACF should check the password.
SSXPCNO: RACF should not check the password.

SSXPASWD

A nine-byte field where the first byte is the length of the password, and the remaining eight bytes contain the password.

SSXPOE

Specifies an eight-byte field containing the name of the input device from which the job was submitted. For example, the input device for a job submitted through a card reader is the SUPUNIT DD name of the card reader device.

SSXRECVR

Specifies an eight-byte field containing the userid of the user who has the authority to access the resource when there are no profiles for the resource. For example, in normal cases, if user A sends a data set to user B, user B would have to be authorized to access user A's data sets. However, by specifying RECVR=useridB, user B can receive the data set without being authorized.

SSXRTOKN

Specifies a resource security token. The resource security token is the user token the creator of the resource has at the time the resource was created. For example, when a TSO user cancels a job, the resource security token is the user token of the person who submitted the job in the first place.

SSXSECLB

Specifies the eight-byte field containing the security label. The security label represents the association between a particular security level (for example, FOR YOUR EYES ONLY) and a set of security categories (for example, CONTROL and KAOS). For information about the security labels for your installation, contact your RACF administrator.

SSXSGRP

A nine-byte field where the first byte is the length of the submittor's group name, and the remaining eight bytes contain the submittor's RACF group name. See your RACF administrator for valid RACF group names.

SSXSNODE

A nine-byte field where the first byte is the length of the submittor's node name, and the remaining eight bytes contain the submittor's node name.

SSXSTOKN

Specifies the submittor's security token.

SSXSUSRI

A nine-byte field where the first byte is the length of the submittor's userid and the remaining eight bytes contain the submittor's userid.

SSXSSION

Specifies the type of session as one of the following:

SSXSSEXB – External batch session
SSXSSINB – Internal batch session
SSXSSNJB – NJE batch session
SSXSSRJB – RJE batch session
SSXSSNJO – NJE operator session
SSXSSRJO – RJE operator session
SSXSSSTR – Started task session
SSXSSTSO – TSO session
SSXSSNJE – NJE SYSOUT session
SSXSSTKU – NJE unknown user session

SSXTOKIN

Specifies the input security token.

SSXTOKOT

Specifies the output security token.

SSXTRUST

Specifies whether the user is a member of the trusted computer base.

SSXTRYES: The user is a member of the trusted computer base.
SSXTRNO: The user is not a member of the trusted computer base.

SSXUSERI

A nine-byte field where the first byte is the length of the userid and the remaining eight bytes contains the userid.

SSXUTOKN

Specifies the user security token. The user security token represents the person that requires authorization to the resource. For example, when a TSO user cancels a job, the user security token represents the TSO user performing the cancel.

SSXWORKA

Specifies the address of the security authorization facility (SAF) work area.

SSXPSSCS

Address of the Cancel SSOB extension used when IATXSEC is used to authorize a TSO CANCEL command.

SSXPTMID

Address of the TSO terminal identifier used when IATXSEC is used to authorize a TSO CANCEL command.

SSXJRFL1

Specifies where the JESNEWS data set is to be printed.

SSXPRG: Specifies that the JESNEWS data set is to be purged after the current user is finished using it.
SSXLCL: Specifies that the JESNEWS output is to be sent to local printers.
SSXTSO: Specifies that the JESNEWS output is to be sent to TSO users.
SSXRJP: Specifies that the JESNEWS output is to be sent to remote printers (RJP).
SSXDSN: Specifies that the JESNEWS output is to be sent to local, TSO, and RJP printers.

SSXNEWFL

Specifies the type of JESNEWS function requested.

SSXJNEW: Indicates a request to add to the JESNEWS data set.
SSXJREP: Indicates a request to replace the JESNEWS data set.
SSXJDEL: Indicates a request to delete from the JESNEWS data set.
SSXJTYP: Indicates that nothing is to be done with the JESNEWS data set.
SSXPRCS: Indicates that JESNEWS was started with the //*PROCESS statement.
SSXPWD: Indicates that the JESNEWS password was entered correctly.

The following list shows labels whose values can only be read:

SSXCLASS

Specifies the name of the RACF class as one of the following:

Table 1. RACF Classes Used to Protect JES3 Resources
Resource:	RACF Class:
Job data sets (SYSIN/SYSOUT)	JESSPOOL
JES3 writers	WRITER
TSO SUBMIT/CANCEL	JESJOBS
Job class	JESJOBS
Commands (other than RJP/NJE)	OPERCMDS
USERIDS	USER

SSXMCNTL

Specifies how JES3 should handle messages from SAF, installation exit IATUX58, or installation exit IATUX59.

SSXMCWTO: Specifies that SAF or the installation exits should write messages to the operator.
SSXMCRTN: Specifies that messages should be returned to the caller.
SSXMCJES: Specifies that messages should be written to the job's JESMSGLG data set. This is done by module IATGRSC.

SSXMODE

Specifies the phase of JES3 processing the caller of IATXSEC is in as one of the following:

SSXNUCMD: The caller is running under the JES3 NUC task.
SSXINIMD: IATXSEC is being issued during JES3 initialization.
SSXSTKMD: The caller is running under a JES3 subtask.
SSXUSRMD: The caller is running in a user's address space.

SSXFRMOT

Specifies the format for the output token (SSXTOKOT) as one of the following:

SSXFOINT: The security product should convert the token from the external to the internal (encrypted) format.
SSXFOEXT: The security product should convert the token from the internal (encrypted) to the external format.

SSXENCRY

For a REQUEST=EXTRACT TYPE=ENCRYPT, specifies the address of the data to be encrypted. The first byte of the address is the length of the data.

SSXENCRT

For a REQUEST=VERIFYX, specifies whether the password needs to be encrypted.

SSXENCYS: Indicates that the password needs to be encrypted.
SSXENCNO: Indicates that the password does not need to be encrypted.

SSXNJEJH

Specifies the address of the NJE job header.

SSXNJEDH

Specifies the address of the NJE data set header.

SSXWPSLC

Specifies the number of different selection characteristics that are being used (length of SSXWPSLM).

SSXWJNAM

Specifies the 8-character job name.

SSXWJBID

Specifies the 8-character job identifier.

SSXDDSN

Specifies the 24-character writer DDNAME.

SSXWPSLM

Specifies the 16-byte selection mask.

SSXOPRTY

Specifies the priority of the job's output.

SSXODEST

Specifies the 8-byte destination of the job's output.

SSXOMDID

Specifies the output's 4-byte copy mod identifier.

SSXOSTCK

Specifies whether a stacker is required.

SSXOTYPE

Specifies the 8-byte device type required (for example, PRT3211).

SSXOFRMS

Specifies the 8-byte type of form required.

SSXOFLSH

Specifies the 4-byte flash required.

SSXOUCS

Specifies the 4-byte required UCS identifier.

SSXOCLSS

Specifies the SYSOUT class.

SSXOMODE

Specifies the 8-byte process mode.

SSXOFLAG

Specifies the following (These values are the same as the values of OSEFLAG in IATYOSE):

OSECMPLT: All output elements are complete.
OSESCHD: The element is scheduled for output.
OSEPEND: The output is pending.
OSEWHOLD: The output is held.
OSERMTD: The destination is a remote node.
OSEOPEND: The data set has been processed but is not yet complete.
OSESYS: The data set is held.
OSETSO: The TSO data set is held.

SSXOWTRN

Specifies the external writer name.

SSXODISP

Specifies the output disposition using the same values as defined for OSEODISP in IATYOSE:

OSEODWRT: WRITE output disposition
OSEODHLD: HOLD output disposition
OSEODKEP: KEEP output disposition
OSEODLEV: LEAVE output disposition

SSXOSSSO

For process SYSOUT (PSO), specifies the address of IEFSSSO.