Keith, I use JES2 EXIT 6 for this.
One item is to change sysout pseudo dataset names by replacing "?" for "DDNAME" - enables "proper" RACF control of SYSOUT classes.

Regards
Bruce

On Tue, 3 Mar 2020 11:13:16 -0600, John McKown <[email protected]> wrote:

>On Mon, Mar 2, 2020 at 4:13 PM Keith Costley <[email protected]>
>wrote:
>
>> We are having an issue with users using a restricted output class based on
>> standards. We are looking for a way to prevent this from happening by
>> canceling the job if the JCL contains SYSOUT=X. We are an ACF2 shop but I
>> am unaware if ACF2 security can limit this through a security definition.
>> The other option is a possible exit.
>>
>> Has anyone done this in the past and has a suggestion on the best
>> approach?
>>
>> Thanks,
>> Keith Costley
>>
>>
>I am replying to the original message even though many have already replied.
>If it were me, I'd use JES2 exit 6 (internal text) because the internal
>text has expanded all PROCs and INCLUDEs as well as being well structured.
>I.e. I don't need to write a JCL parser. I would also probably use either
>XFACILIT as the class, or maybe even implement my own class via dynamic
>CDT. The profile name might be something like: SYSOUT.CLASS.<class> with
>READ or better meaning "OK" and with a default RC of 0. This can be done by
>having a SYSOUT.CLASS.** with an access of ID(*) ACCESS(READ) or if you
>make your own CDT, have the default RC for the class be 0.
>
>As another pointed out, you might also want to use the IEFDB401 exit to
>control dynamic allocation, if the security requirements are that tight.
>
>
>JES2 Ref:
>https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hasc100/has2r9_Exit_6__JES2_converter_exit__subtask_.htm
>Dynalloc Ref:
>https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.ieae400/ieae40033.htm
>RACF CDT Ref:
>https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.icha700/cdtchap.htm
>
>
>--
>People in sleeping bags are the soft tacos of the bear world.
>Maranatha! <><
>John McKown
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to [email protected] with the message: INFO IBM-MAIN
