You can use RACF® to provide
access to data sets that
reside on spool, including spool files that JES appends to job output,
such as JESNEWS. Using RACF allows
users other than the owner of a data set to read, copy, print, or
delete sensitive job data.
To enable RACF protection
of spool data sets, activate
the JESSPOOL class:
SETROPTS CLASSACT(JESSPOOL)
SETROPTS GENERIC(JESSPOOL)
Profiles are not required in the JESSPOOL class for protection
to be in effect because the default for the class is failure when
no profiles exist. IBM® recommends
that you activate the generics for the JESSPOOL class because the
profile names are system generated.
Note:
- When the JESSPOOL class is active, RACF ensures
that only authorized users obtain access to job data sets on spool.
Authorization to job data sets is provided through RACF user profiles. If there is no profile for
a data set, only the user that created the data set can access, modify,
or delete it.
- While a job is executing, RACF optionally
audits actions against SYSIN and SYSOUT data sets. For SYSIN data
sets, JES invokes RACF each
time a SYSIN data set is allocated, opened, or deleted. For SYSOUT
data sets, JES invokes RACF each
time a SYSOUT data set is created, opened, deleted, or selected for
output.
- For output selection, a data set can be selected by a TSO user
through the TSO OUTPUT command. A profile must exist to enable users
other than the creator to access data sets using the TSO OUTPUT command.
- External writers, which are usually started tasks that
process output to special devices (such as microfiche), require at
least ALTER access to the spool data sets they process. If your installation
has external writers, and you activate the JESSPOOL class, you must
either ensure that the external writers have ALTER access to appropriate
JESSPOOL profiles, or define the external writers as a started procedure
with the trusted attribute. You can define them either in the STARTED
class or in the RACF started
procedures table (ICHRIN03). Otherwise, the external writers cannot
process output. Because external writers are installation-written
programs, it is strongly recommended that you avoid giving them the
trusted attribute.
- If SDSF is installed on your system, JESSPOOL profiles control
which action characters and overtypeable fields users can enter on
SDSF panels. For complete information on creating JESSPOOL profiles
for use with SDSF, see z/OS SDSF Operation and Customization.
- SYSOUT application program interface (SAPI) applications, which
are usually started tasks that process output to special devices (like
microfiche), require at least UPDATE access to the spool data sets
they process. If your installation has SAPI applications, and you
activate the JESSPOOL class, you must either ensure that the SAPI
applications have UPDATE access to appropriate JESSPOOL profiles,
or define the applications as a started procedure with the trusted
attribute. You can define them either in the STARTED class or in the RACF started procedures table.
Otherwise, the SAPI applications cannot process output.
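The external-writer and SAPI items above, as an added example that is not part of the original IBM text: RACF commands that give each started task the access it needs through a JESSPOOL profile instead of the trusted attribute. The node name NODE1, job owner PAYUSR, job name PAYJOB, procedure names XWTR and SAPIPRC, user IDs XWTRUSR and SAPIUSR, and group STCGRP are assumed for illustration; the profile name follows the JESSPOOL resource-name format nodename.userid.jobname.jobid.dsnumber.name.

```racf
/* Added example. Assumed names: NODE1, PAYUSR, PAYJOB, XWTR,       */
/* SAPIPRC, XWTRUSR, SAPIUSR, STCGRP. The user IDs and group must   */
/* already exist, the STARTED class is assumed active and           */
/* RACLISTed, and JESSPOOL is assumed not to be RACLISTed.          */

/* Run each started task under its own user ID, without the         */
/* trusted attribute, so that JESSPOOL profiles are checked.        */
RDEFINE STARTED XWTR.*    STDATA(USER(XWTRUSR) GROUP(STCGRP) TRUSTED(NO))
RDEFINE STARTED SAPIPRC.* STDATA(USER(SAPIUSR) GROUP(STCGRP) TRUSTED(NO))
SETROPTS RACLIST(STARTED) REFRESH

/* Generic profile covering every spool data set of job PAYJOB      */
/* owned by PAYUSR on NODE1, with no default access for others.     */
RDEFINE JESSPOOL NODE1.PAYUSR.PAYJOB.** UACC(NONE)

/* External writer: at least ALTER. SAPI application: at least      */
/* UPDATE. Nothing broader than the page requires is granted.       */
PERMIT NODE1.PAYUSR.PAYJOB.** CLASS(JESSPOOL) ID(XWTRUSR) ACCESS(ALTER)
PERMIT NODE1.PAYUSR.PAYJOB.** CLASS(JESSPOOL) ID(SAPIUSR) ACCESS(UPDATE)

/* Make the new generic profile effective, then list who is on      */
/* its access list to confirm the result.                           */
SETROPTS GENERIC(JESSPOOL) REFRESH
RLIST JESSPOOL NODE1.PAYUSR.PAYJOB.** AUTHUSER
```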