On Mon, Mar 2, 2020 at 4:13 PM Keith Costley <[email protected]> wrote:
> We are having an issue with users using a restricted output class based on > standards. We are looking for a way to prevent this from happening by > canceling the job if the JCL contains SYSOUT=X. We are an ACF2 shop but I > am unaware if ACF2 security can limit this through a security definition. > The other option is a possible exit. > > Has anyone done this in the past and has a suggestion on the best > approach? > > Thanks, > Keith Costley > > I am replying to the original message even though many has already replied. If it were me, I'd use JES2 exit 6 (internal text) because the internal text has expanded all PROCs and INCLUDEs as well as being well structured. I.e. I don't need to write a JCL parser. I would also probably use either XFACILIT as the class, or maybe even implement my own class via dynamic CDT. The profile name might be something like: SYSOUT.CLASS.<class> with READ or better meaning "OK" and with a default RC of 0. This can be done by having a SYSOUT.CLASS.** with an access of ID(*) ACCESS(READ) or if you make your own CDT, have the default RC for the class be 0. As another pointed out, you might also want to use the IEFDB401 exit to control dynamic allocation, if the security requirements are that tight. JES2 Ref: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hasc100/has2r9_Exit_6__JES2_converter_exit__subtask_.htm Dynalloc Ref: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.ieae400/ieae40033.htm RACF CDT Ref: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.icha700/cdtchap.htm -- People in sleeping bags are the soft tacos of the bear world. Maranatha! <>< John McKown ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
