We have controlled use of sysout classes for decades using JES2 exits and SAF. What we have is way too complicated to share, but I can attest that it's possible depending on how much work you want to do. If you have a working Exit 6 that scans allocation units, you're most of the way there. BTW we do *not* have IEFDB401 for dynamic allocation, so this is a batch solution.
. . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-543-6132 Office ⇐=== NEW [email protected] -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of John McKown Sent: Tuesday, March 3, 2020 9:13 AM To: [email protected] Subject: (External):Re: JES2 - stopping users from sending output to specific outputclass CAUTION EXTERNAL EMAIL On Mon, Mar 2, 2020 at 4:13 PM Keith Costley <[email protected]> wrote: > We are having an issue with users using a restricted output class > based on standards. We are looking for a way to prevent this from happening by > canceling the job if the JCL contains SYSOUT=X. We are an ACF2 shop but I > am unaware if ACF2 security can limit this through a security definition. > The other option is a possible exit. > > Has anyone done this in the past and has a suggestion on the best > approach? > > Thanks, > Keith Costley > > I am replying to the original message even though many has already replied. If it were me, I'd use JES2 exit 6 (internal text) because the internal text has expanded all PROCs and INCLUDEs as well as being well structured. I.e. I don't need to write a JCL parser. I would also probably use either XFACILIT as the class, or maybe even implement my own class via dynamic CDT. The profile name might be something like: SYSOUT.CLASS.<class> with READ or better meaning "OK" and with a default RC of 0. This can be done by having a SYSOUT.CLASS.** with an access of ID(*) ACCESS(READ) or if you make your own CDT, have the default RC for the class be 0. As another pointed out, you might also want to use the IEFDB401 exit to control dynamic allocation, if the security requirements are that tight. JES2 Ref: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hasc100/has2r9_Exit_6__JES2_converter_exit__subtask_.htm Dynalloc Ref: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.ieae400/ieae40033.htm RACF CDT Ref: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.icha700/cdtchap.htm ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
