Customizing the FTP-to-JES interface for JESINTERFACELevel 2 (optional)
If JESINTERFACELEVEL is set or defaulted to 1, the FTP user is allowed to submit jobs to JES, retrieve held output matching their logged-in user ID plus one character, and delete held jobs matching their logged-in user ID plus one character.
If JESINTERFACELevel is set to 2, FTP users have the ability to retrieve and delete any job in the system permitted by the System Authorization Facility (SAF) resource class JESSPOOL. For that reason, JESINTERFACELevel=2 should be specified only if the appropriate JES and SDSF security measures are in place to protect access to JES output. The SAF controls used for JESINTERFACELevel=2 are essentially a subset of those used by SDSF. Therefore, if an installation has customized SAF facilities for SDSF, they are configured for FTP JES level 2.
Before customizing the FTP-to-JES interface, complete JES customization. For example, JESJOBS is an SAF class that controls which users can submit jobs to JES. JESSPOOL is the SAF class that controls which users can access output jobs. Customize these SAF classes before beginning customization of the FTP-to-JES interface.
JESSPOOL defines resource names as <nodeid>.<userid>.<jobname>.<Dsid>.<dsname>. An FTP user can delete an output job if they have UPDATE access to the resource that matches their nodeid, userid, and job name. If the FTP user has READ access to the resource, they can list, retrieve, or GET the job output. For more information on JES security, see z/OS JES2 Initialization and Tuning Guide. For more information on the SAPI interface, see z/OS MVS Using the Subsystem Interface.
There are three filters used by the FTP server to control the display of jobs:
- JESSTATUS
- JESOWNER
- JESJOBNAME
The FTP server uses SAF resources in the SDSF class to control who can change these filters.
JESSTATUS can be changed by an FTP user with the SITE command to filter jobs in INPUT, ACTIVE, or OUTPUT state. The SAF resources checked for these states are ISFCMD.DSP.INPUT.jesx, ISFCMD.DSP.ACTIVE.jesx, and ISFCMD.DSP.OUTPUT.jesx, respectively. The default value is set to ALL if READ access is allowed to all three classes. Otherwise it attempts to set the default value to OUTPUT, ACTIVE, and then INPUT if the appropriate READ access is allowed. If no READ access is allowed to any of the classes, JESSTATUS is set to OUTPUT but JESOWNER and JESJOBNAME cannot be changed from the default. In this way, SAF controls can be put in place to limit FTP users to whatever status of jobs an installation requires.
By default, JESOWNER has the value of the logged-in user ID. Authority to change JESOWNER is obtained through READ access to SAF resource ISFCMD.FILTER.OWNER. An FTP user who has READ access to ISFCMD.FILTER.OWNER will be allowed to change the JESOWNER parameter with the SITE command.
By default, JESJOBNAME has the value of the logged-in user ID plus an asterisk (*). Authority to change JESJOBNAME is obtained through READ access to SAF resource ISFCMD.FILTER.PREFIX. An FTP user who has READ access to ISFCMD.FILTER.PREFIX will be allowed to change the JESJOBNAME parameter with the SITE command.
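For example, the following RACF commands define ISFCMD.FILTER.OWNER with a universal access of READ and give USER1 an access of NONE, so that every FTP user except USER1 can change JESOWNER:
SETROPTS CLASSACT(SDSF) REFRESH
RDEFINE SDSF (ISFCMD.FILTER.OWNER) UACC(READ)
PERMIT ISFCMD.FILTER.OWNER ACCESS(NONE) CLASS(SDSF) ID(USER1)
SETROPTS CLASSACT(SDSF) REFRESH
For more information on SDSF security, see z/OS SDSF Operation and Customization.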
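The default-selection rules for JESSTATUS, JESOWNER and JESJOBNAME described above, modelled as an added example (not IBM's code): given the SDSF-class resources a user has READ access to, it reports the resulting defaults and which filters the user could change with SITE. The subsystem name JES2 in place of jesx, the function names and the sample users are assumptions. Resource names are matched exactly, with no generic-profile handling, and JESOWNER and JESJOBNAME are treated as locked whenever none of the three state resources is readable.

```python
# Added example: models the JESINTERFACELevel=2 filter rules; it does not call SAF.
# "readable" stands in for the SDSF-class resources a user has READ access to.
from typing import NamedTuple

STATES = ("OUTPUT", "ACTIVE", "INPUT")  # fallback order given in the text


class JesFilters(NamedTuple):
    jesstatus: str            # default JESSTATUS
    jesowner: str             # default JESOWNER
    jesjobname: str           # default JESJOBNAME
    owner_changeable: bool    # SITE JESOWNER permitted
    jobname_changeable: bool  # SITE JESJOBNAME permitted


def effective_filters(user_id, readable, jes="JES2"):
    """Filter defaults for one FTP user; jes replaces "jesx" (assumed value)."""
    allowed = [s for s in STATES if f"ISFCMD.DSP.{s}.{jes}" in readable]
    if len(allowed) == len(STATES):
        status = "ALL"
    elif allowed:
        status = allowed[0]   # first permitted of OUTPUT, ACTIVE, INPUT
    else:
        status = "OUTPUT"     # no READ on any state: OUTPUT, filters locked
    unlocked = bool(allowed)
    return JesFilters(
        status, user_id, user_id + "*",
        unlocked and "ISFCMD.FILTER.OWNER" in readable,
        unlocked and "ISFCMD.FILTER.PREFIX" in readable,
    )


def can_widen_filters(profiles, jes="JES2"):
    """User IDs able to change JESOWNER or JESJOBNAME from the default."""
    hits = []
    for uid in sorted(profiles):
        f = effective_filters(uid, profiles[uid], jes)
        if f.owner_changeable or f.jobname_changeable:
            hits.append(uid)
    return hits


# Constructed sample: user IDs and the SDSF resources each can READ.
SAMPLE = {
    "USER1": {"ISFCMD.DSP.OUTPUT.JES2", "ISFCMD.FILTER.PREFIX"},
    "USER2": {"ISFCMD.DSP.INPUT.JES2", "ISFCMD.DSP.ACTIVE.JES2",
              "ISFCMD.DSP.OUTPUT.JES2", "ISFCMD.FILTER.OWNER"},
    "USER3": {"ISFCMD.FILTER.OWNER"},
}
```

Running `can_widen_filters` over an export of SDSF-class permissions lists the FTP users whose view is not confined to jobs matching their own user ID.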