Programming considerations

Use care when changing or restricting the functions that build, obtain, or extract information for tokens because you could cause later SAF calls to fail.
If you need a finer level of control you will have to build more specific entity names in this exit. For example, if you want only certain operators to change the routing of a printer:
- Define a more specific profile to RACF®. For example, if you wanted to keep operators from changing the routing of jobs on JESC, you would define a profile named:
```
    JESC.MODIFY.JOBOUT.ROUTE
```
  with only the operators you want to issue the command on the list of userids authorized to the command.
- Intercept the command authorization call in Exit 36.
- In Exit 36, scan the command and build the required profile name. The address of the command and the profile JES2 is requesting authorization for is in the $WAVE.
- Replace the entity name (profile name) pointed to by the $WAVE with the more specific entity name.
- If you code Exit 36 or Exit 37, you can pass a RACF request type to the exit. JES2 can request a branch entry extract to extract information from SECLABEL profiles (WAVREQST field set to WAVRXTRB). In addition, JES2 also uses the RACF extract (non-branch entry) to extract SECLABELs from various other profiles (WAVREQST field set to WAVRXTRT). New function codes (38 and 39) are defined for all these requests; see Table 1 .
Locating Extensions to the JCT Control Block: You can use the $JCTXGET macro to locate extensions to the job control table ($JCT) control block from this exit.
If you need to pass information from JES2 to the security subsystem, move the JCT pointer from the $SAFINFO parameter list (SFIJCT) to the SAF parameter list (ICHSAFP) in field SAFPUSRW to access the SAF router exit.
If you include code (such as a branch table) based on the security function codes presented in Table 1 be certain you also see the source of these function codes contained in macro $HASPEQU for their current and complete listing.

Table 1. Security Function Codes
Function Code
Decimal Value	Symbolic Name	Meaning	Related Control Block*	Job Masking
0	$SEANJES	Reserved for user code		No
1	$SEAINIT	Initialize security environment	SFI	Yes
2	$SEAVERC	Security environment create	JCT	Yes
3	$SEAVERD	Security environment delete	JCT	Yes
4	$SEAXTRT	Extract security information for this environment	SJB	**
5	$SEASIC	SYSIN data set create	IOT	Yes
6	$SEASOC	SYSOUT data set create	IOT	Yes
7	$SEASIP	SYSIN data set open	SDB	Yes
8	$SEASOP	SYSOUT data set open	SDB	Yes
9	$SEAPSO	Process SYSOUT data set open	SDB	Yes
10	$SEAPSS	Process SYSOUT data set select	PSO	No
11	$SEATCAN	TSO/E cancel	JCT	No
12	$SEACMD	Command authorization	None	No
13	$SEAPRT	Printer data set select	PDDB	Yes
14	$SEADEL	Data set purge	IOT	**
15	$SEANUSE	Notify user token extract	None	No
16	$SEATBLD	Token build	SFI	Yes
17	$SEARJES	RJE signon, NJE source for command authorization	SWEL	No
18	$SEADEVA	Device authorization	PCE	**
19	$SEANJEA	NJE SYSOUT data set create	SFI	Yes
20	$SEAREXT	Re-verify token extract	JCT	Yes
21	---	Reserved	None
22	$SEANEWS	Update of JESNEWS	SJB	No
23	$SEANWBL	Build JESNEWS token	IOT	No
24	$SEAVERS	Subtask to create access control environment element (ACEE) for general subtasks	None	No
25	$SEAAUD	Audit for job in error	None	No
26	$SEADCHK	Authorization for $DESTCHK	DCW	No
27	$SEATSOC	SYSOUT data set create for trace	IOT	No
28	$SEASSOC	SYSOUT data set create for system job data sets (for example, JOBLOG)	SFI	Yes
29	$SEANSOC	SYSOUT data set create for JESNEWS	IOT	Yes
30	$SEASOX	Transmit or offload of SYSOUT	PCE	Yes
31	$SEANJEV	VERIFYX for receive or reload of SYSOUT	SFI	Yes
32	$SEAJOX	Transmit or offload of job	PCE	Yes
33	---	Reserved	None
34	$SEASPBO	Spool browse data set open	SDB	Yes
35	$SEASFS	Scheduler service, TOKNXTR	SSW	No
36	$SEASSWM	SWM modify ALTER AUTH	None	No
37	$SEASAPI	SYSOUT application programming interface	None	No
38	$SEASCLA	SECLABEL affinity extract	JQE	No
39	$SEASCLE	DCT SECLABEL extract	DCT or NIT	No
40	$SEANSON	Secure NJE signon SAF profiles for secure NJE signon	None	No
41	$SEADIRA	SECLABEL dominance	None	No
42	$SEASPLR	SPOOL I/O AUTH check	None	No
43-255	---	Not currently in use	Not in use

Note:

* Your exit routine should always check for the presence of the control block before using fields in the control block. Currently, the control block is not present when the $SEAXTRT function occurs during an open of TSU or STC internal readers.
** Job exit mask suppression not in effect during selected processing.