z/OS JES2 Initialization and Tuning Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Authorizing the use of operator commands

z/OS JES2 Initialization and Tuning Guide
SA32-0991-00

Your installation can require that only certain operators issue certain JES2 commands. There could also be a requirement to restrict commands coming in from RJE workstations, NJE nodes, or any other device.

To control commands, you should review the commands and your installation's security policy with your RACF® administrator and determine:
  • The list of commands you need to control
  • The command profile names
  • The appropriate the authority level for any restricted commands
  • The authority level your policy requires to issue a particular command
  • the list of users or groups authorized to issue each command.
The command resource names have the format: 
jesname.command[.qualifier]
where:
jesname
The name of the JES2 system requesting the command validation.
command
The name of the command.
qualifier
The type of object the command specifies. (For example, JOB or SYS.)

Table 2 contains a list of commands, a sample resource name for each command, and the minimum required authority level for each command. (If you give an operator access to a command with a lower authority than the authority in the table, RACF will not allow the operator to issue the command.) The authority levels give you a means of controlling commands that can affect your installation's processing.

Ensure that your RACF administrator activates the OPERCMDS class and defines each command profile to that class. In order to minimize the number of definitions, commands should be defined with generic profile name unless you are restricting specific commands. Supply your RACF administrator with a generic name that covers a group of commands and then group restricted commands in that group with a more specific name. For example, 
jesx.*
would define all commands as a group. Then, 
jesx.START.*
defines all start commands.

The first definition, jesx.*, could restrict a group of operators to only the commands that need READ authority. Then your RACF administrator would define any operators who would need access to all the start commands with CONTROL authority. The operators with CONTROL authority are able to issue all commands based on the RACF authority hierarchy shown in Table 1.

Table 1. RACF command authority hierarchy. The following assumes a specific profile does not exist that would prevent the operator from issuing a command.
Access Level Commands Operator Can Issue
CONTROL All commands
UPDATE All commands specified with UPDATE or READ
READ Only commands specified with READ

If you need to restrict commands to specific consoles, your RACF administrator should define an operator's access conditional to the console from which the operator enters the command. For more information on conditional access, see z/OS Security Server RACF Security Administrator's Guide.

If you expect commands to enter your system from local readers, you must have an operator issue the $S RDRx command rather than have JES2 start the reader. This ensures RACF has a specific userid to use when checking command authorization.

To control the commands entering from RJE workstations your security administrator must do the following:
  • Define the RJE workstation profile in the RACF FACILITY class.
  • Define the RJE workstation as a valid RACF userid using the remote name.
  • Permit the RJE userid to the command profiles the node can issue.
The FACILITY class profile for RMT(1) has the form: 
RJE.RMT1
The userid your administrator would define to RACF is RMT1.
Your administrator would use a similar process to define an NJE node in order to control commands.
  • Define the node to the RACF NODES class
  • Define the node to the RACF FACILITY class
  • Define the node as a RACF userid
  • Permit the node's userid to the command profiles the node can issue
The FACILITY class profile for node 1 named HYDEPARK is: 
NJE.HYDEPARK
To control access to commands from other NJE nodes, use the following NODES class profile: 
*.RUSER.*

Your security policy can require auditing of all commands issued, even if they are not valid on your system. You can audit commands that might be unknown to JES2 by defining a profile called JESx.UNKNOWN with a UACC of NONE and an AUDIT value of ALL. JES2 validates all unknown commands with the JESx.UNKNOWN profile.

If you need a finer level of control over your commands (for example, you want only certain operators to change the routing of a printer), you should use JES2 Exit 36. See z/OS JES2 Installation Exits for information about Exit 36.

Table 2. JES2 commands with profile names and minimum required authority
JES2 command Example profile name Minimum required user access level
$A A jesx.MODIFYRELEASE.JOB UPDATE
$A J jesx.MODIFYRELEASE.BAT UPDATE
$A JOBQ jesx.MODIFYRELEASE.JST UPDATE
$A S jesx.MODIFYRELEASE.STC UPDATE
$A T jesx.MODIFYRELEASE.TSU UPDATE
$ACTIVATE jesx.ACTIVATE.FUNCTION CONTROL
$ADD APPL jesx.ADD.APPL CONTROL
$ADD CONNECT jesx.ADD.CONNECT CONTROL
$ADD DESTID jesx.ADD.DESTID CONTROL
$ADD FSS jesx.ADD.FSS CONTROL
$ADD JOBCLASS jesx.ADD.JOBCLASS CONTROL
$ADD LINE jesx.ADD.LINE CONTROL
$ADD LOADMOD jesx.ADD.LOADMOD CONTROL
$ADD LOGON jesx.ADD.LOGON CONTROL
$ADD NETSRV jesx.ADD.NETSRV CONTROL
$ADD PROCLIB jesx.ADD.PROCLIB CONTROL
$ADD PRTnnnn jesx.ADD.DEV UPDATE
$ADD REDIRECT jesx.ADD.REDIRECT CONTROL
$ADD RMT jesx.ADD.RMT CONTROL
$ADD SOCKET jesx.ADD.SOCKET CONTROL
$ADD SRVCLASS jesx.ADD.SRVCLASS CONTROL
$B device jesx.BACKSP.DEV UPDATE
$C A** jesx.CANCEL.AUTOCMD ******
$C J jesx.CANCEL.BAT UPDATE
$C Lx.yy jesx.CANCEL.DEV UPDATE
$C O J jesx.CANCEL.BATOUT UPDATE
$C O JOBQ jesx.CANCEL.JSTOUT UPDATE
$C O S jesx.CANCEL.STCOUT UPDATE
$C O T jesx.CANCEL.TSUOUT UPDATE
$C S jesx.CANCEL.STC UPDATE
$C T jesx.CANCEL.TSU UPDATE
$C device jesx.CANCEL.DEV UPDATE
$C OFFn.JR jesx.CANCEL.DEV UPDATE
$C OFFn.JT jesx.CANCEL.DEV UPDATE
$C OFFn.SR jesx.CANCEL.DEV UPDATE
$C OFFn.ST jesx.CANCEL.DEV UPDATE
$D A jesx.DISPLAY.JOB READ
$D ACTIVATE jesx.DISPLAY.ACTIVATE READ
$D ACTRMT jesx.DISPLAY.ACTRMT READ
$D APPL jesx.DISPLAY.APPL READ
$D CKPTDEF jesx.DISPLAY CKPTDEF READ
$D CLASSGRP jesx.DISPLAY.CLASSGRP READ
$D CONDEF jesx.DISPLAY.CONDEF READ
$D CONNECT jesx.DISPLAY.CONNECT READ
$D DESTDEF jesx.DISPLAY.DESTDEF READ
$D DEStid jesx.DISPLAY.DESTID READ
$D F jesx.DISPLAY.QUE READ
$D I jesx.DISPLAY.INITIATOR READ
$D INITINFO jesx.DISPLAY.INITINFO READ
$D J jesx.DISPLAY.BAT READ
$D JES2 jesx.DISPLAY.SYS READ
$D JOBCLASS jesx.DISPLAY.JOBCLASS READ
$D JOBQ jesx.DISPLAY.JST READ
$D L(nnnn).JR(n) jesx.DISPLAY.L READ
$D L(nnnn).JT(n) jesx.DISPLAY.L READ
$D L(nnnn).SR(n) jesx.DISPLAY.L READ
$D L(nnnn).ST(n) jesx.DISPLAY.L READ
$D LINE jesx.DISPLAY.LINE READ
$D LOADmod jesx.DISPLAY.LOADMOD READ
$D M jesx.SEND.MESSAGE READ
$D MASDEF jesx.DISPLAY.MASDEF READ
$D MEMBer jesx.DISPLAY.SYS READ
$D MODULE jesx.DISPLAY.MODULE READ
$D N jesx.DISPLAY.JOB READ
$D NETSRV jesx.DISPLAY.NETSRV READ
$D NJEDEF jesx.DISPLAY.NJEDEF READ
$D NODE jesx.DISPLAY.NODE READ
$D O J jesx.DISPLAY.BATOUT READ
$D O JOBQ jesx.DISPLAY.JSTOUT READ
$D OPTSDEF jesx.DISPLAY.OPTSDEF READ
$D O S jesx.DISPLAY.STCOUT READ
$D O T jesx.DISPLAY.TSUOUT READ
$D PATH jesx.DISPLAY.PATH READ
$D PCE jesx.DISPLAY.PCE READ
$D PROCLIB jesx.DISPLAY.PROCLIB READ
$D PRT jesx.DISPLAY.DEV READ
$D PRTnnnn jesx.DISPLAY.DEV READ
$D Q jesx.DISPLAY.JOB READ
$D REBLD jesx.DISPLAY.REBLD READ
$D RDI jesx.DISPLAY.RDI READ
$D RDRnn jesx.DISPLAY.DEV READ
$D Rnnnnn.CON jesx.DISPLAY.DEV READ
$D Rnnnnn.PRm jesx.DISPLAY.DEV READ
$D Rnnnnn.PUm jesx.DISPLAY.DEV READ
$D Rnnnnn.RDm jesx.DISPLAY.DEV READ
$D REDIRect jesx.DISPLAY.REDIRECT READ
$D S jesx.DISPLAY.STC READ
$D SOCKET jesx.DISPLAY.SOCKET READ
$D SPOOL jesx.DISPLAY.SPOOL READ
$D SPOOLDEF jesx.DISPLAY.SPOOLDEF READ
$D SRVCLASS jesx.DISPLAY.SRVCLASS READ
$D SSI jesx.DISPLAY.SSI READ
$D SUBNET jesx.DISPLAY.SUBNET READ
$D T jesx.DISPLAY.TSU READ
$D TRACE(x) jesx.DISPLAY.TRACE READ
$D U jesx.DISPLAY.DEV READ
$D init stmt jesx.DISPLAY.initstmt READ
$D PUNnn jesx.DISPLAY.DEV READ
$DEL CONNECT jesx.DEL.CONNECT CONTROL
$DEL DESTID jesx.DEL.DESTID CONTROL
$DEL JOBCLASS jesx.DEL.JOBCLASS CONTROL
$DEL LOADMOD jesx.DEL.LOADMOD CONTROL
$DEL PROCLIB jesx.DEL.PROCLIB CONTROL
$E CKPTLOCK jesx.RESTART.SYS CONTROL
$E J jesx.RESTART.BAT CONTROL
$E JOBQ jesx.RESTART.JST CONTROL
$E LINE(x) jesx.RESTART.LINE CONTROL
$E LOGON(x) jesx.RESTART.LOGON CONTROL
$E MEMBER() jesx.RESTART.SYS CONTROL
$E NETSRV jesx.RESTART.NETSRV CONTROL
$E OFFn.JT jesx.RESTART.DEV UPDATE
$E OFFn.ST jesx.RESTART.DEV UPDATE
$E device jesx.RESTART.DEV UPDATE
$F device jesx.FORWARD.DEV UPDATE
$G A jesx.GMODIFYRELEASE.JOB UPDATE
$G C jesx.GCANCEL.JOB UPDATE
$G D jesx.GDISPLAY.JOB READ
$G H jesx.GMODIFYHOLD.JOB UPDATE
$G R jesx.GROUTE.JOBOUT UPDATE
$G R (for execution) jesx.GROUTE.JOBOUT UPDATE
$H A jesx.MODIFYHOLD.JOB UPDATE
$H J jesx.MODIFYHOLD.BAT UPDATE
$H JOBQ jesx.MODIFYHOLD.JST UPDATE
$H S jesx.MODIFYHOLD.STC UPDATE
$H T jesx.MODIFYHOLD.TSU UPDATE
$I device jesx.INTERRUPT.DEV UPDATE
$JD DETAILS jesxMON.DISPLAY.DETAIL READ
$JD HISTORY jesxMON.DISPLAY.HISTORY READ
$JD JES jesxMON.DISPLAY.JES READ
$JD MONITOR jesxMON.DISPLAY.MONITOR READ
$JD STATUS jesxMON.DISPLAY.STATUS READ
$J STOP jesxMON.STOP.MONITOR CONTROL
$L J jesx.DISPLAY.BATOUT READ
$L JOBQ jesx.DISPLAY.JSTOUT READ
$L S jesx.DISPLAY.STCOUT READ
$L T jesx.DISPLAY.TSUOUT READ
$M jesx.MSEND.CMD READ
$M SPL jesx.MIGRATE.FUNCTION CONTROL
$N jesx.NSEND.CMD READ
$N device jesx.REPEAT.DEV UPDATE
$O J jesx.RELEASE.BATOUT UPDATE
$O JOBQ jesx.RELEASE.JSTOUT UPDATE
$O S jesx.RELEASE.STCOUT UPDATE
$O T jesx.RELEASE.TSUOUT UPDATE
$P jesx.STOP.SYS CONTROL
$P I jesx.STOP.INITIATOR CONTROL
$P JES2 jesx.STOP.SYS CONTROL
$P JOBQ jesx.STOP.JST UPDATE
$P LINE(x) jesx.STOP.LINE CONTROL
$P LOGON(x) jesx.STOP.LOGON CONTROL
$P NETSRV jesx.STOP.NETSRV CONTROL
$P O J jesx.STOP.BATOUT UPDATE
$P O JOBQ jesx.STOP.JSTOUT UPDATE
$P O S jesx.STOP.STCOUT UPDATE
$P O T jesx.STOP.TSUOUT UPDATE
$P OFFn.JR jesx.STOP.DEV UPDATE
$P OFFn.JT jesx.STOP.DEV UPDATE
$P OFFn.SR jesx.STOP.DEV UPDATE
$P OFFn.ST jesx.STOP.DEV UPDATE
$P OFFLOADn jesx.STOP.DEV UPDATE
$P RMT(x) jesx.STOP.RMT CONTROL
$P S jesx.STOP.STC UPDATE
$P SPOOL jesx.STOP.SPOOL CONTROL
$P SRVCLASS jesx.STOP.SRVCLASS CONTROL
$P T jesx.STOP.TSU UPDATE
$P TRACE(x) jesx.STOP.TRACE CONTROL
$P XEQ jesx.STOP.SYS CONTROL
$P device jesx.STOP.DEV UPDATE
$PO JOBQ jesx.STOP.JSTOUT UPDATE
$PO JOB jesx.STOP.BATOUT UPDATE
$PO STC jesx.STOP.STCOUT UPDATE
$PO TSU jesx.STOP.TSUOUT UPDATE
$R ALL jesx.ROUTE.JOBOUT UPDATE
$R PRT jesx.ROUTE.JOBOUT UPDATE
$R PUN jesx.ROUTE.JOBOUT UPDATE
$R XEQ jesx.ROUTE.JOBOUT UPDATE
$S jesx.START.SYS CONTROL
$S A jesx.START.AUTOCMD CONTROL
$S I jesx.START.INITIATOR CONTROL
$S J jesx.START.BAT UPDATE
$S LINE(x) jesx.START.LINE CONTROL
$S LOGON(x) jesx.START.LOGON CONTROL
$S N jesx.START.NET CONTROL
$S OFFn.JR jesx.START.DEV UPDATE
$S OFFn.JT jesx.START.DEV UPDATE
$S OFFn.SR jesx.START.DEV UPDATE
$S OFFn.ST jesx.START.DEV UPDATE
$S OFFLOADn jesx.START.DEV UPDATE
$S RMT(x) jesx.START.RMT CONTROL
$S SPOOL jesx.START.SPOOL CONTROL
$S SRVCLASS jesx.START.SRVCLASS CONTROL
$S TRACE(x) jesx.START.TRACE CONTROL
$S XEQ jesx.START.SYS CONTROL
$S device jesx.START.DEV UPDATE
$T A(CREATE) jesx.MODIFY.AUTOCMD READ
$T A(OWNER) jesx.MODIFY.AUTOCMD READ
$T A(NOT OWNER) jesx.MODIFY.AUTOCMD CONTROL
$T APPL jesx.MODIFY.APPL CONTROL
$T BUFDEF jesx.MODIFY.BUFDEF CONTROL
$T CKPTDEF jesx.MODIFY.CKPTDEF CONTROL
$T CONDEF jesx.MODIFY.CONDEF CONTROL
$T CONNECT jesx.MODIFY.CONNECT CONTROL
$T DEBUG jesx.MODIFY.DEBUG CONTROL
$T DESTDEF jesx.MODIFY.DESTDEF CONTROL
$T DEStid jesx.MODIFY.DESTID CONTROL
$T ESTBYTE jesx.MODIFY.ESTBYTE CONTROL
$T ESTIME jesx.MODIFY.ESTIME CONTROL
$T ESTLNCT jesx.MODIFY.ESTLNCT CONTROL
$T ESTPAGE jesx.MODIFY.ESTPAGE CONTROL
$T ESTPUN jesx.MODIFY.ESTPUN CONTROL
$T EXIT jesx.MODIFY.EXIT CONTROL
$T FSS jesx.MODIFY.FSS CONTROL
$T I jesx.MODIFY.INITIATOR CONTROL
$T INTRDR jesx.MODIFY.INTRDR CONTROL
$T J jesx.MODIFY.BAT UPDATE
$T JOBCLASS jesx.MODIFY.JOBCLASS CONTROL
$T JOBDEF jesx.MODIFY.JOBDEF CONTROL
$T JOBPRTY jesx.MODIFY.JOBPRTY CONTROL
$T JOBQ jesx.MODIFY.JST UPDATE
$T LINE jesx.MODIFY.LINE CONTROL
$T LOADMOD jesx.MODIFY.LOADMOD CONTROL
$T LOGON jesx.MODIFY.LOGON CONTROL
$T MASDEF jesx.MODIFY.MASDEF CONTROL
$T MEMBER(x) jesx.MODIFY.SYS CONTROL
$T NETSRV jesx.MODIFY.NETSRV CONTROL
$T NODE jesx.MODIFY.NODE CONTROL
$T NJEDEF jesx.MODIFY.NJEDEF CONTROL
$T NUM jesx.MODIFY.NUM CONTROL
$T O J jesx.MODIFY.BATOUT UPDATE
$T O JOBQ jesx.MODIFY.JSTOUT UPDATE
$T O S jesx.MODIFY.STCOUT UPDATE
$T O T jesx.MODIFY.TSUOUT UPDATE
$T OFFx.yy jesx.MODIFY.OFF CONTROL
$T OFFLOADx jesx.MODIFY.OFFLOAD CONTROL
$T OUTCLASS jesx.MODIFY.OUTCLASS CONTROL
$T OUTDEF jesx.MODIFY.OUTDEF CONTROL
$T OUTPRTY jesx.MODIFY.OUTPRTY CONTROL
$T PCE jesx.MODIFY.PCE CONTROL
$T PRINTDEF jesx.MODIFY.PRINTDEF CONTROL
$T PROCLIB jesx.MODIFY.PROCLIB CONTROL
$T RECVopts jesx.MODIFY.RECVOPTS CONTROL
$T REDIRect jesx.MODIFY.REDIRECT CONTROL
$T RMT jesx.MODIFY.RMT CONTROL
$T S jesx.MODIFY.STC UPDATE
$T SMFDEF jesx.MODIFY.SMFDEF CONTROL
$T SOCKET jesx.MODIFY.SOCKET CONTROL
$T SPOOLDEF jesx.MODIFY.SPOOLDEF CONTROL
$T SPOOL jesx.MODIFY.SPOOL CONTROL
$T SRVCLASS jesx.MODIFY.SRVCLASS CONTROL
$T SSI jesx.MODIFY.SSI CONTROL
$T STCCLASS jesx.MODIFY.STCCLASS CONTROL
$T TPDEF jesx.MODIFY.TPDEF CONTROL
$T TRACEDEF jesx.MODIFY.TRACEDEF CONTROL
$T T jesx.MODIFY.TSU UPDATE
$T device jesx.MODIFY.DEV UPDATE
$T init stmt jesx.MODIFY.init stmt CONTROL
$T TSUCLASS jesx.MODIFY.TSUCLASS CONTROL
$VS* jesx.VS CONTROL
$Z A jesx.HALT.AUTOCMD CONTROL
$Z I jesx.HALT.INITIATOR CONTROL
$Z OFFLOADn jesx.HALT.DEV UPDATE
$Z SPOOL jesx.HALT.SPOOL CONTROL
$Z device jesx.HALT.DEV UPDATE
$ZAPJOB jesx.ZAP.JOB CONTROL
Parent topic: Using RACF to provide security

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014