As near as I can tell, the system as delivered uses the OPER resource of the TSOAUTH class only to control access to the OPERATOR command. If you want to control the ability to issue JES commands from batch without an exit, you will need to update the access list for other classes and profiles. You could duplicate the access list for TSOAUTH(OPER) for each of the profiles controlling the commands in question but it might be easier to follow Lizette's suggestion and control access to a specific set of job classes and use the JES2 JOBCLASS initialization statements to allow only those classes to issue commands. Depending on how carefully you want to control which commands are issued, you might need to play with the OPERCMDS class also.
The JESJOBS resource class can be used to control the ability to submit jobs with names that do not match the userid plus a character. Other exits, such as IKJEFF53 may also be affected by these actions. > -----Original Message----- > From: IBM Mainframe Discussion List <[email protected]> On > Behalf Of Robert Hahne > Sent: Wednesday, May 06, 2020 1:35 PM > To: [email protected] > Subject: TSO/E SUBMIT exit > > Hello listers , > > I understand this is a RACF question . But thought someone can help me here > . We > have a requirement where TSO submit exit IKJEFF10 needs to be eliminated . > Currently it is written to ensure only those users with TSOAUTH(OPER) are > allowed > to submit jobs with any name . Rest of the users are only allowed to submit > jobs that > begins with their USERID . > > Also , the users are not allowed to issue JES commands in batch unless they > have > TSOAUTH(OPER) . Can we get both of these requirements done using RACF profiles > ? > > Any pointers are highly appreciated > > Regards, > Robert ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
