Note: By
denying a user sufficient access to a SUBMIT profile, you can prevent
that user from submitting jobs protected by the profile
even if
that user knows the password or is an authorized surrogate user.
For
example, the following profile would prevent jobs from being submitted
with USER01 as the user ID:
RDEFINE JESJOBS SUBMIT.*.*.USER01 UACC(NONE)
You
can also provide conditional access to the job name, depending on
the class and ID of the port of entry (POE) associated with the submitter
of the job. The class name you would use is determined by what the
submitter is. For a regular submission from a TSO logon session, the
submitter's POE is a terminal ID and the class name is TERMINAL. The
submitter's POE can also be a JESINPUT device when the submitter of
the job is another job.
Making use of the job name conditional
on the JESINPUT device is not recommended because this is very much
dependent on what type of job was submitted. If the submitting job
is a local job, its JESINPUT POE would be an internal reader, a local
card reader, or an RJE reader.
However, if the submitting job
is an NJE job (for example, from another JES node), its JESINPUT POE
would be the node name. This uncertainty can make the use of WHEN(JESINPUT)
for the JESJOBS class difficult. Therefore, you should be careful
if you decide to use it.
For example, you can allow a user to
submit a job only from a certain terminal ID by specifying the WHEN(TERMINAL)
operand on the PERMIT command as follows:
PERMIT SUBMIT.*.PAYROLL*.* CLASS(JESJOBS) ID(USER01)
ACCESS(READ) WHEN(TERMINAL(terminal-ID))
where terminal-ID is
the terminal to which the submitter is logged on.