Re: Restrict users to Purge Jobs in TSO

[Robert S. Hansel (RSH)]

Hi Gilson,

If the CONSOLE class is active, you can use conditional access permissions to 
limit users to cancelling jobs but only from within SDSF. This works in 
combination with JESSPOOL profiles, and a user requires ALTER access to the 
JESSPOOL profile for a job to cancel it.

PERMIT JES2.CANCEL.BAT CLASS(OPERCMDS) ID(*) ACCESS(UPDATE) WHEN(CONSOLE(SDSF))

Users will always be allowed full ALTER access to their own output regardless 
of what the JESSPOOL profiles allow. You can use the Global Access Table to 
grant this access more efficiently.

RDEFINE GLOBAL  JESSPOOL ADDMEM(*.**/ALTER)
SETROPTS GLOBAL(JESSPOOL)

If the CONSOLE class is not active and you want to activate it to use this 
capability, you must activate it with care as it is a default return code 8 
class (no profile = no access). You could do the following.

SETROPTS GENERIC(OPERCMDS)
RDEFINE CONSOLE ** UACC(READ)   <- Optionally add AUDIT(ALL) for future 
remediation
SETROPTS CLASSACT(CONSOLE)
SETROPTS RACLIST(CONSOLE)   <- Optional, but recommended for 
performance


Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
---
Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - OCT 19-23, 2020
- RACF Level I Administration - APR 27 - MAY 1, 2020
- RACF Level II Administration - APR 6-10, 2020
- RACF Level III Admin, Audit, & Compliance - NOV 2-6, 2020
- RACF - Securing z/OS UNIX  - SEPT 28 - OCT 2, 2020
---

-Original Message-
Date:Tue, 18 Feb 2020 06:56:22 -0600
From:Gilson Cesar de Oliveira 
Subject: Restrict users to Purge Jobs in TSO

Hello:

  Does anyone know how to restrict the option to purge sysouts in JES2 Spool 
through TSO (SDSF) but only the jobs which the user is the owner?

 We have profiles in OPERCMDS class like JES2.CANCEL.BAT and we would like to 
restrict the purge option only for sysouts generated by userA. UserB should not 
have the permission to purge jobs from UserA.


  Thanks in advance for any help.

  Regards,

  Gilson Cesar

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Restrict users to Purge Jobs in TSO

[Robin Atwood]

You need to investigate the RACF JESSPOOL class. It's in z/OS SDSF Operation 
and Customization.

HTH
Robin

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Gilson Cesar de Oliveira
Sent: 18 February 2020 19:56
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Restrict users to Purge Jobs in TSO

Hello:

  Does anyone know how to restrict the option to purge sysouts in JES2 Spool 
through TSO (SDSF) but only the jobs which the user is the owner?

 We have profiles in OPERCMDS class like JES2.CANCEL.BAT and we would like to 
restrict the purge option only for sysouts generated by userA. UserB should not 
have the permission to purge jobs from UserA.


  Thanks in advance for any help.

  Regards,

  Gilson Cesar

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Restrict users to Purge Jobs in TSO

[Gilson Cesar de Oliveira]

Hello:

  Does anyone know how to restrict the option to purge sysouts in JES2 Spool 
through TSO (SDSF) but only the jobs which the user is the owner?

 We have profiles in OPERCMDS class like JES2.CANCEL.BAT and we would like to 
restrict the purge option only for sysouts generated by userA. UserB should not 
have the permission to purge jobs from UserA.


  Thanks in advance for any help.

  Regards,

  Gilson Cesar

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN