Note that one of the “value add” functions of SDSF is that it can check for 
ALTER access to the JESSPOOL profile for the owner and jobname for destructive 
actions like “C” and “P”.

Does not stop them using freeform “slash” to issue the raw operator command, 
but removes the convenience of the action character.

Rob Scott
Rocket Software

From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Roger W Suhr
Sent: 07 February 2023 14:22
To: [email protected]
Subject: Re: RACF - SDSF question

Hi Ms. Terri,

The OPERCMDS JES2.CANCEL.** profiles protect the JES2 ($C...) cancel command.
I believe you also need to use the OPERCMDS MVS.CANCEL.STC.mbrname.id profile 
to protect the MVS CANCEL command.

So in your case, that would be something like this (if you're running CICS as an 
STC!):
MVS.CANCEL.STC.C30TCI* (G)
MVS.CANCEL.STC.** (G)


Roger W. Suhr

[email protected]

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Shaffer, Terri
Sent: Tuesday, February 7, 2023 8:32
To: [email protected]
Subject: RACF - SDSF question

Hi,
I know there is a RACF group, but hopefully this is simple and I am just 
missing something I have done 100 times over with no issues.

We run our CICS regions as batch jobs, and I just found out that a user, instead 
of issuing a CEMT PERF SHUT command, is canceling it.

Which then causes 100 VSAM messages on startup with all the verifies, and if 
something goes wrong they call me...

So I tried to stop this habit, I know they are putting a C beside the CICS and 
a $CJ(xxxxx) command

So I have 2 rules in RACF under OPERCMDS

JES2.CANCEL.BAT.C30TCI* (G)
JES2.CANCEL.BAT.** (G)

If I restrict the BAT.** then they can't cancel even their own batch jobs, so I 
always thought more specific is looked at first?

One of my previous co-workers implemented SDSF-RACF rules converted from 
ISFPARMS.

Lastly, I understand this doesn’t stop them from canceling any other jobs, but 
since this is a development shop we allow more access than most.

But I don’t want users canceling a CICS or DB2 etc.

Any ideas how they are getting the access and not stopped with the more 
specific rule??


Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide – Telecommuter
H(412-766-2697) C(412-519-2592)
[email protected]


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
[email protected] with the message: INFO IBM-MAIN
