On Wed, Jan 7, 2015 at 10:15 AM, Tim Hare haresystemssupp...@comcast.net
wrote:
Two topics on job submission
1: the JES SMF records (I think type 26) include a submitter ID but
_not_ the name of the submitting address space. I've created a SHARE
request to add that information.. please, if you are a SHARE member read
the proposed requirement and vote on it.
In our case, we designed our job scheduler to run as an STC which is
assigned a RACF id which is the same as the STC name. That is, we use CA-7
which is the CA7 started task, running with the CA7 RACF id. Nothing else
runs with this id.
Note that we set up our scheduler, CA-7, to submit jobs using the proper
RACF identity. That is, they do NOT run with the same RACF id as the CA7
started task. Each job is defined in the CA-7 database to have the
appropriate RACF id, which has the proper RACF authority, under which it is
to run. This is controlled using the RACF SURROGAT profiles so that CA-7
can submit jobs for those other RACF ids. There are also profiles in the
CA-7 specific class of SU@MIT which control who (person) can assign
specific RACF ids to jobs in the data base. This is done because we run
RACF jobs in CA-7 which run with a SPECIAL id. But only RACF
administrators, not production control, can assign that id to a job in CA-7
due to the profile in SU@MIT
.
Now having explained that, with respect to job classes, I think that the
job class profile, like any other, is checked against the owner of the
job (RACF id in the CA-7 data base) and not the submittor (CA7) of the
job. That is, the job class would need to be PERMIT'd to the RACF id under
which the job runs, not to the RACF id of the job scheduler itself (unless,
of course, they are the same RACF id).
2: I believe in recent JES2 incarnations that internal reader use happens
in the address space of the submitter. I am trying to find a method to
restrict a certain job class to only being used by the production job
scheduler.
2A: Does a SAF profile exist to protect job class?
This is now available in z/OS 2.1.
http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/ControllingJobClassUsage.htm
2B: If not, is it better to use IEFUJV or a JES exit to restrict this use?
Note that either WHEN(PROGRAM()) or some method of determining the job
name of the submitter from within the exit has to be used, because of
userid propagation - if the scheduler submits a job that then writes to the
internal reader, the scheduler-supplied ID is propagated. I am not sure
whether PROPCNTL can be used to restrict that propagation without ill
effect (but will experiment on a test partition).
--
While a transcendent vocabulary is laudable, one must be eternally careful
so that the calculated objective of communication does not become ensconced
in obscurity. In other words, eschew obfuscation.
111,111,111 x 111,111,111 = 12,345,678,987,654,321
Maranatha!
John McKown
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN