Security

JES does not perform any SAF call during allocation. When the SPOOL data is opened, JES uses SAF to verify read access to a JESSPOOL resource associated with the data set. SPOOL browse uses both the standard form of the JESSPOOL class resources and modified forms for special system data sets. Any generic characters that may have been specified at allocation are replaced by the actual values for the data set allocated.

When a logical data set name was specified for DALDSNAM, then the format of the resource name passed to SAF is:

localnodeid.userid.jobname.jobid.jes_dsname

In the resource name:

localnodeid

The NJE node name of the node on which the SYSIN or SYSOUT data set currently resides. The localnodeid appears in the JES job log of every job.

userid

The userid associated with the job. This is the userid RACF® used for validation when the job runs.

jobname

The name that appears in the name field of the JOB statement.

jobid

The job number JES assigned to the job. The jobid appears in notification messages and the JES job log of every job.

jes_dsname

One of the following fixed names:

JCL - This represents the jobs input JCL (with all SYSIN data sets)
JESJCL - The JCL images data set as created by the conversion process
JESMSGLG - The JES2 job log data set
JESYSMSG - The MVS™ SYSTEM messages data set

When a SYSLOG data set is allocated, the format of the resource name passed to SAF is:

localnodeid.userid.SYSLOG.SYSTEM.sysname

In the resource name:

localnodeid: The NJE node name of the node on which the SYSLOG data set resides. The localnodeid appears in the JES2 job log of every job
userid: The user ID provided by the security product. If RACF is used, the user ID will be +MASTER+.
sysname: The MVS system name of the system that created the SYSLOG.

If the browse token specifies a recvr userid, the SAF call is performed with the RECVR parameter. When the recvr userid is specified, the logstr parameter should also be supplied.

If the data set fails the security check, the open request fails with R15=0C and an error code stored in ACBERFLG (decimal 152).

The system performs a SAF call as part of OPEN processing to ensure that the user is authorized to the data set. In JES2, if the user is not authorized, a system abend, code S913, results. In JES3, although control is returned to the application, the DCBOFOPN bit is not set and the application cannot read the data set. After the DCB has been opened, use a GET macro pointing to the DCB to read the file. When processing is complete, use a CLOSE macro to close the file. The same task that opened the DCB must be used to close it.