On Wed, Jan 7, 2015 at 10:15 AM, Tim Hare <[email protected]>
wrote:

> Two topics on job submission
>
> 1:  the JES SMF records (I think type 26)  include a submitter ID but
> _not_ the name of the submitting address space.  I've created a SHARE
> request to add that information. Please, if you are a SHARE member, read
> the proposed requirement and vote on it.
>

In our case, we designed our job scheduler to run as an STC which is
assigned a RACF id which is the same as the STC name. That is, we use CA-7
which is the CA7 started task, running with the CA7 RACF id. Nothing else
runs with this id.

Note that we set up our scheduler, CA-7, to submit jobs using the proper
RACF identity. That is, they do NOT run with the same RACF id as the CA7
started task. Each job is defined in the CA-7 database to have the
appropriate RACF id, which has the proper RACF authority, under which it is
to run. This is controlled using the RACF SURROGAT profiles so that CA-7
can submit jobs for those other RACF ids. There are also profiles in the
CA-7 specific class of SU@MIT which control who (person) can assign
specific RACF ids to jobs in the data base. This is done because we run
RACF jobs in CA-7 which run with a SPECIAL id. But only RACF
administrators, not production control, can assign that id to a job in CA-7
due to the profile in SU@MIT.

Now having explained that, with respect to job classes, I think that the
job class profile, like any other, is checked against the "owner" of the
job (RACF id in the CA-7 data base) and not the "submitter" (CA7) of the
job. That is, the job class would need to be PERMIT'd to the RACF id under
which the job runs, not to the RACF id of the job scheduler itself (unless,
of course, they are the same RACF id).



>
> 2:  I believe in recent JES2 incarnations that internal reader use happens
> in the address space of the "submitter".  I am trying to find a method to
> restrict a certain job class to only being used by the production job
> scheduler.
> 2A:  Does a SAF profile exist to protect job class?
>

This is now available in z/OS 2.1.
http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/ControllingJobClassUsage.htm



> 2B: If not, is it better to use IEFUJV or a JES exit to restrict this use?
>
> Note that either WHEN(PROGRAM())  or some method of determining the job
> name of the submitter from within the exit has to be used, because of
> userid propagation - if the scheduler submits a job that then writes to the
> internal reader, the scheduler-supplied ID is propagated. I am not sure
> whether PROPCNTL can be used to restrict that propagation without ill
> effect (but will experiment on a test partition).
>

-- 
While a transcendent vocabulary is laudable, one must be eternally careful
so that the calculated objective of communication does not become ensconced
in obscurity.  In other words, eschew obfuscation.

111,111,111 x 111,111,111 = 12,345,678,987,654,321

Maranatha! <><
John McKown
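
The setup discussed in this message, written out as RACF commands. This is an added example and not part of the original post: CA7 is the scheduler id named above, while PRODBAT (the id a production job runs under), NODE1 (the JES node name) and job class P are constructed placeholders. The profile names follow the z/OS 2.1 job class control described in the linked IBM documentation.

```tso
/* Added example: PRODBAT, NODE1 and class P are placeholders.        */

/* 1. SURROGAT: let the scheduler id submit jobs that run as PRODBAT. */
/*    CA7 itself gets no authority of PRODBAT beyond job submission.  */
SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT)
RDEFINE SURROGAT PRODBAT.SUBMIT UACC(NONE) OWNER(PRODBAT)
PERMIT PRODBAT.SUBMIT CLASS(SURROGAT) ID(CA7) ACCESS(READ)
SETROPTS RACLIST(SURROGAT) REFRESH

/* 2. JESJOBS: protect job class P on node NODE1.                     */
/*    Profile format is JOBCLASS.nodename.jobclass.jobname.           */
/*    UACC(NONE) means only ids on the access list may use the class. */
SETROPTS CLASSACT(JESJOBS) GENERIC(JESJOBS) RACLIST(JESJOBS)
RDEFINE JESJOBS JOBCLASS.NODE1.P.* UACC(NONE)
PERMIT JOBCLASS.NODE1.P.* CLASS(JESJOBS) ID(PRODBAT) ACCESS(READ)
SETROPTS RACLIST(JESJOBS) REFRESH

/* 3. FACILITY switch that turns job class checking on.               */
/*    JES.JOBCLASS.OWNER     checks the id the job runs under.        */
/*    JES.JOBCLASS.SUBMITTER checks the id that submitted the job.    */
/*    Define the one that matches the control you want; the PERMIT    */
/*    in step 2 must then name that same id.                          */
RDEFINE FACILITY JES.JOBCLASS.OWNER UACC(NONE)
SETROPTS RACLIST(FACILITY) REFRESH

/* 4. Review who ended up on each access list.                        */
RLIST SURROGAT PRODBAT.SUBMIT AUTHUSER
RLIST JESJOBS JOBCLASS.NODE1.P.* AUTHUSER
```

Define the JESJOBS profiles and their access lists before the FACILITY switch, since once the switch exists any job in a class covered by a UACC(NONE) profile fails unless the checked id has READ access.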
