z/OS Security Server RACF Security Administrator's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Controlling who can modify job attributes using the Job Modify SSI 85

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

The Job Modify SSI 85 can be used to modify a variety of job attributes. Resources in the JESJOBS class control who can use the functions of the Job Modify SSI 85. Table 1 shows the format of these resources.

Table 1. Resource names in the JESJOBS class for the Job Modify SSI
SSI action JESJOBS resource Access required
Cancel CANCEL.nodename.userid.jobname ALTER
Hold HOLD.nodename.userid.jobname UPDATE
Modify MODIFY.nodename.userid.jobname UPDATE
Purge PURGE.nodename.userid.jobname ALTER
Release RELEASE.nodename.userid.jobname UPDATE
Reroute execution REROUTE.nodename.userid.jobname UPDATE
Restart RESTART.nodename.userid.jobname CONTROL
Spin SPIN.nodename.userid.jobname CONTROL
Start START.nodename.userid.jobname CONTROL
To control who can modify job attributes using the Job Modify SSI, perform the following steps:
  1. Ask your TSO system programmer to change TSO installation exit IKJEFF53 to a dummy exit. For information, see z/OS TSO/E Customization.
  2. Define profiles for the job names that you want to protect. For example:
    RDEFINE JESJOBS MODIFY.nodename.userid.jobname UACC(NONE)
  3. Give users the appropriate access authority. For example:
    PERMIT MODIFY.*.*.PAYROLL* CLASS(JESJOBS) ID(PAYGROUP) ACCESS(UPDATE)
  4. If the JESJOBS class is not already active, activate it:
    SETROPTS CLASSACT(JESJOBS)
Note: Be sure that you do not have JESJOBS profiles that specify generic job names or user IDs, and that provide access higher than Read. If you created such profiles on a system earlier than z/OS® V2R1, the profiles only affected the ability of users to cancel or submit jobs. But on a z/OS V2R1 system, those profiles might have the unintended effect of allowing users to use the Job Modify SSI functions to modify the attributes of a job.
To avoid this unplanned access, look for JESJOBS profiles that match the resource names listed in Table 1. You can use the SEARCH command to list all of the profiles in the JESJOBS class:
SEARCH CLASS(JESJOBS)
If you find any profiles that match the resource names listed in Table 1, use the RLIST command to list information about each of the profiles found, and ensure that the UACC, access list, and audit options are appropriate.
RLIST JESJOBS profile_name
Parent topic: Controlling the use of job names

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014