Authorizing the use of operator commands

Your installation can require that only certain operators issue certain JES2 commands. There could also be a requirement to restrict commands coming in from RJE workstations, NJE nodes, or any other device.

To control commands, you should review the commands and your installation's security policy with your RACF® administrator and determine:

The list of commands you need to control
The command profile names
The appropriate the authority level for any restricted commands
The authority level your policy requires to issue a particular command
The list of users or groups authorized to issue each command.

The command resource names have the format:

jesname.command[.qualifier]

where:

jesname: The name of the JES2 system requesting the command validation.
command: The name of the command.
qualifier: The type of object the command specifies. (For example, JOB or SYS.)

Table 2 contains a list of commands, a sample resource name for each command, and the minimum required authority level for each command. (If you give an operator access to a command with a lower authority than the authority in the table, RACF will not allow the operator to issue the command.) The authority levels give you a means of controlling commands that can affect your installation's processing.

Ensure that your RACF administrator activates the OPERCMDS class and defines each command profile to that class. In order to minimize the number of definitions, commands should be defined with generic profile name unless you are restricting specific commands. Supply your RACF administrator with a generic name that covers a group of commands and then group restricted commands in that group with a more specific name. For example,

jesx.*

would define all commands as a group. Then,

jesx.START.*

defines all start commands.

The first definition, jesx.*, could restrict a group of operators to only the commands that need READ authority. Then your RACF administrator would define any operators who would need access to all the start commands with CONTROL authority. The operators with CONTROL authority are able to issue all commands based on the RACF authority hierarchy shown in Table 1.

Table 1. RACF command authority hierarchy. The following assumes a specific profile does not exist that would prevent the operator from issuing a command.
Access level	Commands that the operator can issue
CONTROL	All commands
UPDATE	All commands specified with UPDATE or READ
READ	Only commands specified with READ

If you need to restrict commands to specific consoles, your RACF administrator should define an operator's access conditional to the console from which the operator enters the command. For more information on conditional access, see z/OS Security Server RACF Security Administrator's Guide.

If you expect commands to enter your system from local readers, you must have an operator issue the $S RDRx command rather than have JES2 start the reader. This ensures RACF has a specific user ID to use when checking command authorization.

To control the commands entering from RJE workstations your security administrator must do the following:

Define the RJE workstation profile in the RACF FACILITY class.
Define the RJE workstation as a valid RACF user ID using the remote name.
Permit the RJE user ID to the command profiles the node can issue.

The FACILITY class profile for RMT(1) has the form:

RJE.RMT1

The user ID your administrator would define to RACF is RMT1.

Your administrator would use a similar process to define an NJE node in order to control commands.

Define the node to the RACF NODES class
Define the node to the RACF FACILITY class
Define the node as a RACF user ID
Permit the node's user ID to the command profiles the node can issue

The FACILITY class profile for node 1 named HYDEPARK is:

NJE.HYDEPARK

To control access to commands from other NJE nodes, use the following NODES class profile:

*.RUSER.*

Your security policy can require auditing of all commands issued, even if they are not valid on your system. You can audit commands that might be unknown to JES2 by defining a profile called JESx.UNKNOWN with a UACC of NONE and an AUDIT value of ALL. JES2 validates all unknown commands with the JESx.UNKNOWN profile.

If you need a finer level of control over your commands (for example, you want only certain operators to change the routing of a printer), you should use JES2 Exit 36. See z/OS JES2 Installation Exits for information about Exit 36.

Table 2. JES2 commands with profile names and minimum required authority
JES2 command	Example profile name	Minimum required user access level
$A A	jesx.MODIFYRELEASE.JOB	UPDATE
$A G	jesx.MODIFYRELEASE.GROUP	UPDATE
$A J	jesx.MODIFYRELEASE.BAT	UPDATE
$A JOBQ	jesx.MODIFYRELEASE.JST	UPDATE
$A S	jesx.MODIFYRELEASE.STC	UPDATE
$A T	jesx.MODIFYRELEASE.TSU	UPDATE
$ACTIVATE	jesx.ACTIVATE.FUNCTION	CONTROL
$ADD APPL	jesx.ADD.APPL	CONTROL
$ADD CONNECT	jesx.ADD.CONNECT	CONTROL
$ADD DESTID	jesx.ADD.DESTID	CONTROL
$ADD FSS	jesx.ADD.FSS	CONTROL
$ADD JOBCLASS	jesx.ADD.JOBCLASS	CONTROL
$ADD LINE	jesx.ADD.LINE	CONTROL
$ADD LOADMOD	jesx.ADD.LOADMOD	CONTROL
$ADD LOGON	jesx.ADD.LOGON	CONTROL
$ADD NETSRV	jesx.ADD.NETSRV	CONTROL
$ADD PROCLIB	jesx.ADD.PROCLIB	CONTROL
$ADD PRTnnnn	jesx.ADD.DEV	UPDATE
$ADD REDIRECT	jesx.ADD.REDIRECT	CONTROL
$ADD RMT	jesx.ADD.RMT	CONTROL
$ADD SOCKET	jesx.ADD.SOCKET	CONTROL
$ADD SRVCLASS	jesx.ADD.SRVCLASS	CONTROL
$B device	jesx.BACKSP.DEV	UPDATE
$C A**	jesx.CANCEL.AUTOCMD	******
$C G	jesx.CANCEL.GROUP	UPDATE
$C J	jesx.CANCEL.BAT	UPDATE
$C Lx.yy	jesx.CANCEL.DEV	UPDATE
$C O G	jesx.CANCEL.GROUPOUT	UPDATE
$C O J	jesx.CANCEL.BATOUT	UPDATE
$C O JOBQ	jesx.CANCEL.JSTOUT	UPDATE
$C O S	jesx.CANCEL.STCOUT	UPDATE
$C O T	jesx.CANCEL.TSUOUT	UPDATE
$C S	jesx.CANCEL.STC	UPDATE
$C T	jesx.CANCEL.TSU	UPDATE
$C device	jesx.CANCEL.DEV	UPDATE
$C OFFn.JR	jesx.CANCEL.DEV	UPDATE
$C OFFn.JT	jesx.CANCEL.DEV	UPDATE
$C OFFn.SR	jesx.CANCEL.DEV	UPDATE
$C OFFn.ST	jesx.CANCEL.DEV	UPDATE
$D A	jesx.DISPLAY.JOB	READ
$D ACTIVATE	jesx.DISPLAY.ACTIVATE	READ
$D ACTRMT	jesx.DISPLAY.ACTRMT	READ
$D APPL	jesx.DISPLAY.APPL	READ
$D CKPTDEF	jesx.DISPLAY.CKPTDEF	READ
$D CLASSGRP	jesx.DISPLAY.CLASSGRP	READ
$D CONDEF	jesx.DISPLAY.CONDEF	READ
$D CONNECT	jesx.DISPLAY.CONNECT	READ
$D DESTDEF	jesx.DISPLAY.DESTDEF	READ
$D DEStid	jesx.DISPLAY.DESTID	READ
$D DUPJOB	jesx.DISPLAY.DUPJOB	READ
$D F	jesx.DISPLAY.QUE	READ
$D G	jesx.DISPLAY.GROUP	READ
$D GRPDEF	jesx.DISPLAY.GROUPDEF	READ
$D I	jesx.DISPLAY.INITIATOR	READ
$D INITINFO	jesx.DISPLAY.INITINFO	READ
$D INPUTDEF	jesx.DISPLAY.INPUTDEF	READ
$D J	jesx.DISPLAY.BAT	READ
$D JECLDEF	jesx.DISPLAY.JECLDEF	READ
$D JES2	jesx.DISPLAY.SYS	READ
$D JOBCLASS	jesx.DISPLAY.JOBCLASS	READ
$D JOBQ	jesx.DISPLAY.JST	READ
$D L(nnnn).JR(n)	jesx.DISPLAY.L	READ
$D L(nnnn).JT(n)	jesx.DISPLAY.L	READ
$D L(nnnn).SR(n)	jesx.DISPLAY.L	READ
$D L(nnnn).ST(n)	jesx.DISPLAY.L	READ
$D LIMITS	jesx.DISPLAY.LIMITS	READ
$D LINE	jesx.DISPLAY.LINE	READ
$D LOADmod	jesx.DISPLAY.LOADMOD	READ
$D M	jesx.SEND.MESSAGE	READ
$D MASDEF	jesx.DISPLAY.MASDEF	READ
$D MEMBer	jesx.DISPLAY.SYS	READ
$D MODULE	jesx.DISPLAY.MODULE	READ
$D N	jesx.DISPLAY.JOB	READ
$D NETSRV	jesx.DISPLAY.NETSRV	READ
$D NJEDEF	jesx.DISPLAY.NJEDEF	READ
$D NODE	jesx.DISPLAY.NODE	READ
$D O G	jesx.DISPLAY.GROUPOUT	READ
$D O J	jesx.DISPLAY.BATOUT	READ
$D O JOBQ	jesx.DISPLAY.JSTOUT	READ
$D OPTSDEF	jesx.DISPLAY.OPTSDEF	READ
$D O S	jesx.DISPLAY.STCOUT	READ
$D O T	jesx.DISPLAY.TSUOUT	READ
$D PATH	jesx.DISPLAY.PATH	READ
$D PCE	jesx.DISPLAY.PCE	READ
$D PROCLIB	jesx.DISPLAY.PROCLIB	READ
$D PRT	jesx.DISPLAY.DEV	READ
$D PRTnnnn	jesx.DISPLAY.DEV	READ
$D Q	jesx.DISPLAY.JOB	READ
$D REBLD	jesx.DISPLAY.REBLD	READ
$D RDI	jesx.DISPLAY.RDI	READ
$D RDRnn	jesx.DISPLAY.DEV	READ
$D Rnnnnn.CON	jesx.DISPLAY.DEV	READ
$D Rnnnnn.PRm	jesx.DISPLAY.DEV	READ
$D Rnnnnn.PUm	jesx.DISPLAY.DEV	READ
$D Rnnnnn.RDm	jesx.DISPLAY.DEV	READ
$D REDIRect	jesx.DISPLAY.REDIRECT	READ
$D S	jesx.DISPLAY.STC	READ
$D SOCKET	jesx.DISPLAY.SOCKET	READ
$D SPOOL	jesx.DISPLAY.SPOOL	READ
$D SPOOLDEF	jesx.DISPLAY.SPOOLDEF	READ
$D SRVCLASS	jesx.DISPLAY.SRVCLASS	READ
$D SSI	jesx.DISPLAY.SSI	READ
$D SUBNET	jesx.DISPLAY.SUBNET	READ
$D T	jesx.DISPLAY.TSU	READ
$D TRACE(x)	jesx.DISPLAY.TRACE	READ
$D U	jesx.DISPLAY.DEV	READ
$D initstmt	jesx.DISPLAY.initstmt	READ
$D PUNnn	jesx.DISPLAY.DEV	READ
$DEL CONNECT	jesx.DEL.CONNECT	CONTROL
$DEL DESTID	jesx.DEL.DESTID	CONTROL
$DEL JOBCLASS	jesx.DEL.JOBCLASS	CONTROL
$DEL LOADMOD	jesx.DEL.LOADMOD	CONTROL
$DEL PROCLIB	jesx.DEL.PROCLIB	CONTROL
$E CKPTLOCK	jesx.RESTART.SYS	CONTROL
$E J	jesx.RESTART.BAT	CONTROL
$E JOBQ	jesx.RESTART.JST	CONTROL
$E LINE(x)	jesx.RESTART.LINE	CONTROL
$E LOGON(x)	jesx.RESTART.LOGON	CONTROL
$E MEMBER()	jesx.RESTART.SYS	CONTROL
$E NETSRV	jesx.RESTART.NETSRV	CONTROL
$E OFFn.JT	jesx.RESTART.DEV	UPDATE
$E OFFn.ST	jesx.RESTART.DEV	UPDATE
$E device	jesx.RESTART.DEV	UPDATE
$F device	jesx.FORWARD.DEV	UPDATE
$G A	jesx.GMODIFYRELEASE.JOB	UPDATE
$G C	jesx.GCANCEL.JOB	UPDATE
$G D	jesx.GDISPLAY.JOB	READ
$G H	jesx.GMODIFYHOLD.JOB	UPDATE
$G R	jesx.GROUTE.JOBOUT	UPDATE
$G R (for execution)	jesx.GROUTE.JOBOUT	UPDATE
$H A	jesx.MODIFYHOLD.JOB	UPDATE
$H G	jesx.MODIFYHOLD.GROUP	UPDATE
$H J	jesx.MODIFYHOLD.BAT	UPDATE
$H JOBQ	jesx.MODIFYHOLD.JST	UPDATE
$H S	jesx.MODIFYHOLD.STC	UPDATE
$H T	jesx.MODIFYHOLD.TSU	UPDATE
$I device	jesx.INTERRUPT.DEV	UPDATE
$JD DETAILS	jesxMON.DISPLAY.DETAIL	READ
$JD HISTORY	jesxMON.DISPLAY.HISTORY	READ
$JD JES	jesxMON.DISPLAY.JES	READ
$JD MONITOR	jesxMON.DISPLAY.MONITOR	READ
$JD STATUS	jesxMON.DISPLAY.STATUS	READ
$J STOP	jesxMON.STOP.MONITOR	CONTROL
$L J	jesx.DISPLAY.BATOUT	READ
$L JOBQ	jesx.DISPLAY.JSTOUT	READ
$L S	jesx.DISPLAY.STCOUT	READ
$L T	jesx.DISPLAY.TSUOUT	READ
$M	jesx.MSEND.CMD	READ
$M SPL	jesx.MIGRATE.FUNCTION	CONTROL
$N	jesx.NSEND.CMD	READ
$N device	jesx.REPEAT.DEV	UPDATE
$O J	jesx.RELEASE.BATOUT	UPDATE
$O JOBQ	jesx.RELEASE.JSTOUT	UPDATE
$O S	jesx.RELEASE.STCOUT	UPDATE
$O T	jesx.RELEASE.TSUOUT	UPDATE
$P	jesx.STOP.SYS	CONTROL
$P G	jesx.STOP.GROUP	UPDATE
$P I	jesx.STOP.INITIATOR	CONTROL
$P JES2	jesx.STOP.SYS	CONTROL
$P JOBQ	jesx.STOP.JST	UPDATE
$P LINE(x)	jesx.STOP.LINE	CONTROL
$P LOGON(x)	jesx.STOP.LOGON	CONTROL
$P NETSRV	jesx.STOP.NETSRV	CONTROL
$P O G	jesx.STOP.GROUPOUT	UPDATE
$P O J	jesx.STOP.BATOUT	UPDATE
$P O JOBQ	jesx.STOP.JSTOUT	UPDATE
$P O S	jesx.STOP.STCOUT	UPDATE
$P O T	jesx.STOP.TSUOUT	UPDATE
$P OFFn.JR	jesx.STOP.DEV	UPDATE
$P OFFn.JT	jesx.STOP.DEV	UPDATE
$P OFFn.SR	jesx.STOP.DEV	UPDATE
$P OFFn.ST	jesx.STOP.DEV	UPDATE
$P OFFLOADn	jesx.STOP.DEV	UPDATE
$P RMT(x)	jesx.STOP.RMT	CONTROL
$P S	jesx.STOP.STC	UPDATE
$P SPOOL	jesx.STOP.SPOOL	CONTROL
$P SRVCLASS	jesx.STOP.SRVCLASS	CONTROL
$P T	jesx.STOP.TSU	UPDATE
$P TRACE(x)	jesx.STOP.TRACE	CONTROL
$P XEQ	jesx.STOP.SYS	CONTROL
$P device	jesx.STOP.DEV	UPDATE
$PO JOBQ	jesx.STOP.JSTOUT	UPDATE
$PO JOB	jesx.STOP.BATOUT	UPDATE
$PO STC	jesx.STOP.STCOUT	UPDATE
$PO TSU	jesx.STOP.TSUOUT	UPDATE
$R ALL	jesx.ROUTE.JOBOUT	UPDATE
$R PRT	jesx.ROUTE.JOBOUT	UPDATE
$R PUN	jesx.ROUTE.JOBOUT	UPDATE
$R XEQ	jesx.ROUTE.JOBOUT	UPDATE
$S	jesx.START.SYS	CONTROL
$S A	jesx.START.AUTOCMD	CONTROL
$S EDS	jesx.START.SYS	CONTROL
$S I	jesx.START.INITIATOR	CONTROL
$S J	jesx.START.BAT	UPDATE
$S LINE(x)	jesx.START.LINE	CONTROL
$S LOGON(x)	jesx.START.LOGON	CONTROL
$S N	jesx.START.NET	CONTROL
$S OFFn.JR	jesx.START.DEV	UPDATE
$S OFFn.JT	jesx.START.DEV	UPDATE
$S OFFn.SR	jesx.START.DEV	UPDATE
$S OFFn.ST	jesx.START.DEV	UPDATE
$S OFFLOADn	jesx.START.DEV	UPDATE
$S RMT(x)	jesx.START.RMT	CONTROL
$S SPOOL	jesx.START.SPOOL	CONTROL
$S SRVCLASS	jesx.START.SRVCLASS	CONTROL
$S TRACE(x)	jesx.START.TRACE	CONTROL
$S XEQ	jesx.START.SYS	CONTROL
$S device	jesx.START.DEV	UPDATE
$T A(CREATE)	jesx.MODIFY.AUTOCMD	READ
$T A(OWNER)	jesx.MODIFY.AUTOCMD	READ
$T A(NOT OWNER)	jesx.MODIFY.AUTOCMD	CONTROL
$T APPL	jesx.MODIFY.APPL	CONTROL
$T BUFDEF	jesx.MODIFY.BUFDEF	CONTROL
$T CKPTDEF	jesx.MODIFY.CKPTDEF	CONTROL
$T CONDEF	jesx.MODIFY.CONDEF	CONTROL
$T CONNECT	jesx.MODIFY.CONNECT	CONTROL
$T DEBUG	jesx.MODIFY.DEBUG	CONTROL
$T DESTDEF	jesx.MODIFY.DESTDEF	CONTROL
$T DEStid	jesx.MODIFY.DESTID	CONTROL
$T ESTBYTE	jesx.MODIFY.ESTBYTE	CONTROL
$T ESTIME	jesx.MODIFY.ESTIME	CONTROL
$T ESTLNCT	jesx.MODIFY.ESTLNCT	CONTROL
$T ESTPAGE	jesx.MODIFY.ESTPAGE	CONTROL
$T ESTPUN	jesx.MODIFY.ESTPUN	CONTROL
$T EXIT	jesx.MODIFY.EXIT	CONTROL
$T FSS	jesx.MODIFY.FSS	CONTROL
$T G	jesx.MODIFY.GROUP	UPDATE
$T GRPDEF	jesx.MODIFY.GROUPDEF	CONTROL
$T I	jesx.MODIFY.INITIATOR	CONTROL
$T INPUTDEF	jesx.MODIFY.INPUTDEF	CONTROL
$T INTRDR	jesx.MODIFY.INTRDR	CONTROL
$T J	jesx.MODIFY.BAT	UPDATE
$T JECLDEF	jesx.MODIFY.JECLDEF	CONTROL
$T JOBCLASS	jesx.MODIFY.JOBCLASS	CONTROL
$T JOBDEF	jesx.MODIFY.JOBDEF	CONTROL
$T JOBPRTY	jesx.MODIFY.JOBPRTY	CONTROL
$T JOBQ	jesx.MODIFY.JST	UPDATE
$T LIMITS	jesx.MODIFY.LIMITS	CONTROL
$T LINE	jesx.MODIFY.LINE	CONTROL
$T LOADMOD	jesx.MODIFY.LOADMOD	CONTROL
$T LOGON	jesx.MODIFY.LOGON	CONTROL
$T MASDEF	jesx.MODIFY.MASDEF	CONTROL
$T MEMBER(x)	jesx.MODIFY.SYS	CONTROL
$T NETSRV	jesx.MODIFY.NETSRV	CONTROL
$T NODE	jesx.MODIFY.NODE	CONTROL
$T NJEDEF	jesx.MODIFY.NJEDEF	CONTROL
$T NUM	jesx.MODIFY.NUM	CONTROL
$T O G	jesx.MODIFY.GROUPOUT	UPDATE
$T O J	jesx.MODIFY.BATOUT	UPDATE
$T O JOBQ	jesx.MODIFY.JSTOUT	UPDATE
$T O S	jesx.MODIFY.STCOUT	UPDATE
$T O T	jesx.MODIFY.TSUOUT	UPDATE
$T OFFx.yy	jesx.MODIFY.OFF	CONTROL
$T OFFLOADx	jesx.MODIFY.OFFLOAD	CONTROL
$T OUTCLASS	jesx.MODIFY.OUTCLASS	CONTROL
$T OUTDEF	jesx.MODIFY.OUTDEF	CONTROL
$T OUTPRTY	jesx.MODIFY.OUTPRTY	CONTROL
$T PCE	jesx.MODIFY.PCE	CONTROL
$T PRINTDEF	jesx.MODIFY.PRINTDEF	CONTROL
$T PROCLIB	jesx.MODIFY.PROCLIB	CONTROL
$T RECVopts	jesx.MODIFY.RECVOPTS	CONTROL
$T REDIRect	jesx.MODIFY.REDIRECT	CONTROL
$T RMT	jesx.MODIFY.RMT	CONTROL
$T S	jesx.MODIFY.STC	UPDATE
$T SMFDEF	jesx.MODIFY.SMFDEF	CONTROL
$T SOCKET	jesx.MODIFY.SOCKET	CONTROL
$T SPOOLDEF	jesx.MODIFY.SPOOLDEF	CONTROL
$T SPOOL	jesx.MODIFY.SPOOL	CONTROL
$T SRVCLASS	jesx.MODIFY.SRVCLASS	CONTROL
$T SSI	jesx.MODIFY.SSI	CONTROL
$T STCCLASS	jesx.MODIFY.STCCLASS	CONTROL
$T TPDEF	jesx.MODIFY.TPDEF	CONTROL
$T TRACEDEF	jesx.MODIFY.TRACEDEF	CONTROL
$T T	jesx.MODIFY.TSU	UPDATE
$T device	jesx.MODIFY.DEV	UPDATE
$T initstmt	jesx.MODIFY.initstmt	CONTROL
$T TSUCLASS	jesx.MODIFY.TSUCLASS	CONTROL
$VS*	jesx.VS	CONTROL
$Z A	jesx.HALT.AUTOCMD	CONTROL
$Z I	jesx.HALT.INITIATOR	CONTROL
$Z OFFLOADn	jesx.HALT.DEV	UPDATE
$Z SPOOL	jesx.HALT.SPOOL	CONTROL
$Z device	jesx.HALT.DEV	UPDATE
$ZAPJOB	jesx.ZAP.JOB	CONTROL