Hi Gilson,
If the CONSOLE class is active, you can use conditional access permissions to
limit users to cancelling jobs but only from within SDSF. This works in
combination with JESSPOOL profiles, and a user requires ALTER access to the
JESSPOOL profile for a job to cancel it.
PERMIT JES2.CANCEL.BAT CLASS(OPERCMDS) ID(*) ACCESS(UPDATE) WHEN(CONSOLE(SDSF))
Users will always be allowed full ALTER access to their own output regardless
of what the JESSPOOL profiles allow. You can use the Global Access Table to
grant this access more efficiently.
RDEFINE GLOBAL JESSPOOL ADDMEM(*.**/ALTER)
SETROPTS GLOBAL(JESSPOOL)
If the CONSOLE class is not active and you want to activate it to use this
capability, you must activate it with care as it is a default return code 8
class (no profile = no access). You could do the following.
SETROPTS GENERIC(OPERCMDS)
RDEFINE CONSOLE ** UACC(READ) <- Optionally add AUDIT(ALL) for future
remediation
SETROPTS CLASSACT(CONSOLE)
SETROPTS RACLIST(CONSOLE) <- Optional, but recommended for
performance
Regards, Bob
Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
---
Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - OCT 19-23, 2020
- RACF Level I Administration - APR 27 - MAY 1, 2020
- RACF Level II Administration - APR 6-10, 2020
- RACF Level III Admin, Audit, & Compliance - NOV 2-6, 2020
- RACF - Securing z/OS UNIX - SEPT 28 - OCT 2, 2020
---
-Original Message-
Date:Tue, 18 Feb 2020 06:56:22 -0600
From:Gilson Cesar de Oliveira
Subject: Restrict users to Purge Jobs in TSO
Hello:
Does anyone know how to restrict the option to purge sysouts in JES2 Spool
through TSO (SDSF) but only the jobs which the user is the owner?
We have profiles in OPERCMDS class like JES2.CANCEL.BAT and we would like to
restrict the purge option only for sysouts generated by userA. UserB should not
have the permission to purge jobs from UserA.
Thanks in advance for any help.
Regards,
Gilson Cesar
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN