z/OS Security Server RACF Security Administrator's Guide


Authorizing the use of input sources

SA23-2289-00

You can use RACF® to limit which sources of input are valid for job submission, including RJP workstations, device readers, nodes, and internal readers. For example, you might want to prevent certain users from entering jobs from a particular RJP workstation.

To authorize the submission of work from specific input sources, perform the following steps:
  1. Ask your JES system programmer for the following information:
    • The name of the device. This is described in the topic on authorizing the use of input sources in z/OS JES2 Initialization and Tuning Guide.
    • The user ID or group name of the users you want to authorize or restrict.
    • The universal access authority to associate with each device. Valid access authorities for input devices are:
      NONE
      Specifies that the input device can be used only by those users explicitly permitted through the access list.
      READ
      Specifies the minimum authority required to use the input source.
  2. Define a profile for each input source, as follows:
    RDEFINE JESINPUT source-name UACC(NONE)
  3. It is strongly recommended that you create a profile with a UACC of READ for all JES input sources that are otherwise not defined:
    RDEFINE JESINPUT ** UACC(READ)

    This example assumes that a SETROPTS GENERIC(JESINPUT) was previously issued to turn generics on for this class and that a SETROPTS REFRESH was then done.

    If you do not create this profile, users can access only JES input sources to which they (or their groups) are explicitly authorized.

  4. For each protected input source, grant access to the users or groups who need to use it:
    PERMIT source-name CLASS(JESINPUT) ID(user-or-group) ACCESS(READ)
  5. When you are ready to start using the protection provided by the profiles you have created, activate the JESINPUT class:
    SETROPTS CLASSACT(JESINPUT) REFRESH

    If you activate this class and create no profiles for it, users cannot submit batch jobs.
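
The steps above can be run as one REXX exec that activates the class only after every profile command has succeeded, so that JESINPUT is never active without the profiles in place. This is an added example, not part of the IBM guide; the source name R0005.RD1 and the group RJPOPS are constructed sample values, and the RLIST verification commands are an addition to the documented steps.

```rexx
/* REXX - added example, not IBM-supplied code.                      */
/* Defines JESINPUT profiles, verifies them, then activates the      */
/* class. Stops before activation if any command fails.              */

source = 'R0005.RD1'  /* constructed sample name; use the device     */
                      /* name your JES system programmer gives you   */
group  = 'RJPOPS'     /* hypothetical group allowed to use source    */

/* Turn generics on for the class so the ** profile can be defined.  */
cmds.1 = 'SETROPTS GENERIC(JESINPUT) REFRESH'
/* Step 2: protect the specific input source.                        */
cmds.2 = 'RDEFINE JESINPUT' source 'UACC(NONE)'
/* Step 3: catch-all so undefined input sources stay usable.         */
cmds.3 = 'RDEFINE JESINPUT ** UACC(READ)'
/* Step 4: permit the group to the protected source.                 */
cmds.4 = 'PERMIT' source 'CLASS(JESINPUT) ID('group') ACCESS(READ)'
/* Verification: show UACC and access list of both profiles.         */
cmds.5 = 'RLIST JESINPUT' source 'AUTHUSER'
cmds.6 = 'RLIST JESINPUT ** AUTHUSER'
cmds.0 = 6

do i = 1 to cmds.0
  say '>>' cmds.i
  address TSO cmds.i
  if rc <> 0 then do
    say 'RC='rc 'from command' i'; JESINPUT was not activated.'
    exit 8
  end
end

/* Step 5: reached only when all profiles exist and list cleanly.    */
say '>> SETROPTS CLASSACT(JESINPUT) REFRESH'
address TSO 'SETROPTS CLASSACT(JESINPUT) REFRESH'
exit rc
```

RDEFINE fails if a profile already exists, so a rerun stops at that command; review the RLIST output for the expected UACC and access list before relying on the activation.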





Copyright IBM Corporation 1990, 2014