Controlling who can modify job attributes using the Job Modify SSI 85
The Job Modify SSI 85 can be used to modify a variety of job attributes. Resources in the JESJOBS class control who can use the functions of the Job Modify SSI 85. Table 1 shows the format of these resources.
| SSI action | JESJOBS resource | Access required |
|---|---|---|
| Cancel | CANCEL.nodename.userid.jobname | ALTER |
| Hold | HOLD.nodename.userid.jobname | UPDATE |
| Modify | MODIFY.nodename.userid.jobname | UPDATE |
| Purge | PURGE.nodename.userid.jobname | ALTER |
| Release | RELEASE.nodename.userid.jobname | UPDATE |
| Reroute execution | REROUTE.nodename.userid.jobname | UPDATE |
| Restart | RESTART.nodename.userid.jobname | CONTROL |
| Spin | SPIN.nodename.userid.jobname | CONTROL |
| Start | START.nodename.userid.jobname | CONTROL |
To control who can modify job attributes using the Job Modify SSI, perform the following steps:
- Ask your TSO system programmer to change TSO installation exit IKJEFF53 to a dummy exit. For information, see z/OS TSO/E Customization.
- Define profiles for the job names that you want to protect. For example:
  RDEFINE JESJOBS MODIFY.nodename.userid.jobname UACC(NONE)
- Give users the appropriate access authority. For example:
  PERMIT MODIFY.*.*.PAYROLL* CLASS(JESJOBS) ID(PAYGROUP) ACCESS(UPDATE)
- If the JESJOBS class is not already active, activate it:
  SETROPTS CLASSACT(JESJOBS)
Note: Be sure that you do not have JESJOBS profiles that specify generic
job names or user IDs, and that provide access higher than Read. If
you created such profiles on a system earlier than z/OS® V2R1, the profiles only affected the ability
of users to cancel or submit jobs. But on a z/OS V2R1 system, those profiles might have
the unintended effect of allowing users to use the Job Modify SSI
functions to modify the attributes of a job.
To avoid this unplanned
access, look for JESJOBS profiles that match the resource names listed
in Table 1.
You can use the SEARCH command to list all of the profiles in the JESJOBS class:
  SEARCH CLASS(JESJOBS)
If you find any profiles that match the resource names listed in Table 1, use the RLIST command to list information about each of the profiles found, and ensure that the UACC, access list, and audit options are appropriate.
  RLIST JESJOBS profile_name
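
One way to triage saved SEARCH CLASS(JESJOBS) output against the Table 1 resource names, as an added Python example (not IBM's code). It assumes that SEARCH lists one profile per line with generic profiles marked (G), it uses a simplified first-qualifier match rather than RACF's full generic matching rules, and the sample profile names are constructed.

```python
import re

# SSI actions from Table 1 (first qualifier of the JESJOBS resource name).
TABLE1_ACTIONS = ("CANCEL", "HOLD", "MODIFY", "PURGE", "RELEASE",
                  "REROUTE", "RESTART", "SPIN", "START")

def qualifier_matches(pattern, text):
    """Simplified single-qualifier match: % = one character, * = any run."""
    rx = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, text) is not None

def is_generic(qualifier):
    return "*" in qualifier or "%" in qualifier

def review_profiles(search_output):
    """Return JESJOBS profiles whose first qualifier can cover a Table 1 action."""
    findings = []
    for line in search_output.splitlines():
        name = re.sub(r"\s*\(G\)$", "", line.strip())  # assumed generic marker
        if not name:
            continue
        quals = name.split(".")
        actions = [a for a in TABLE1_ACTIONS if qualifier_matches(quals[0], a)]
        if not actions:
            continue  # e.g. SUBMIT.* profiles are outside Table 1
        # Resource format is action.nodename.userid.jobname: a generic user ID
        # or job name means a generic in qualifier 3 or 4, or a short profile
        # whose trailing generic qualifier spans them.
        broad = any(is_generic(q) for q in quals[2:]) or (
            len(quals) < 4 and "*" in quals[-1])
        findings.append({"profile": name, "actions": actions,
                         "generic_user_or_job": broad,
                         "next_step": f"RLIST JESJOBS {name}"})
    return findings

# Constructed sample, not output from a real system.
SAMPLE_SEARCH_OUTPUT = """\
** (G)
CANCEL.*.*.* (G)
MODIFY.*.*.PAYROLL* (G)
SUBMIT.*.PAYROLL*.* (G)
HOLD.NODE1.IBMUSER.NIGHTLY
"""

if __name__ == "__main__":
    for f in review_profiles(SAMPLE_SEARCH_OUTPUT):
        flag = "REVIEW" if f["generic_user_or_job"] else "ok"
        print(f'{flag:6} {f["profile"]:28} {",".join(f["actions"])} -> {f["next_step"]}')
```

Profiles flagged REVIEW are the ones to check with RLIST for a UACC or access list entry higher than READ.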