z/OS Security Server RACF Security Administrator's Guide


Defining profiles for SYSIN and SYSOUT data sets

SA23-2289-00

Activating the JESSPOOL class provides protection for SYSIN and SYSOUT data sets. However, you might want to allow specific users to see or work with the SYSIN and SYSOUT data sets created by other users. To do this, perform the following steps:

  1. Create JESSPOOL profiles for the spool data sets:
    RDEFINE JESSPOOL profile-name UACC(NONE)
    where profile-name is a 6-part name with the following format:
    local-nodename.userid.jobname.jobid.dsidentifier.name
    where:
    local-nodename
    is the name of the node on which the SYSIN or SYSOUT data set currently resides. The local node name appears in the JES job log of every job.
    Note: It is recommended that you define a profile in the RACFVARS class named &RACLNDE, and use &RACLNDE for all profiles in the JESSPOOL class.
    userid
    is the user ID associated with the job. This is the user ID RACF® uses for validation purposes when the job runs.
    jobname
    is the name that appears in the name field of the JOB statement.
    jobid
    is the job ID assigned to the job by JES. The job ID appears in notification messages and the JES job log of every job.
    dsidentifier
    is the unique data set identifier that JES assigned to the spool data set. This identifier is 8 bytes of alphanumeric characters. It is an encoded printable representation of the internal data set number (data set key) of the SPOOL data set. The internal data set number and data set name (which includes the dsidentifier) are available from the Extended Status SSI (SSI 80).
    Note: The first 10 million data sets created by a job can be sorted chronologically on data set name. The same is true for data sets created after the first 10 million data sets. However, when the two subsets are sorted together, the resulting sequence is not in the order of data set creation.
    name
    is the name of the data set specified in the DSN= parameter of the DD statement. This name cannot be JESYSMSG, JESJCLIN, JESJCL, or JESMSGLG and follows the naming conventions for a temporary data set. For the temporary data set naming conventions, see z/OS MVS JCL Reference. If the JCL did not specify DSN= on the DD statement that creates the spool data set, JES uses a single question mark (?).
    Note: You can specify generic characters for any of the qualifiers in the profile name. For example, you can substitute an asterisk (*) for one of the qualifiers, such as jobid, if it is not known.
    A sample JESSPOOL profile name could be as follows. If user MYUSER submits a job named MYJOB to run on NODEA, and JES assigns a job ID of JOB08237, and the value of DSN= for a SYSOUT data set is OUTPUT, the profile name for a SYSOUT data set created by this job could be:
    NODEA.MYUSER.MYJOB.JOB08237.D0000112.OUTPUT
    If job MYJOB is run several times, and the same protection is desired for the OUTPUT data set each time, the profile name could be:
    NODEA.MYUSER.MYJOB.*.*.OUTPUT
  2. Give users the appropriate access authority, as follows:
    PERMIT profile-name CLASS(JESSPOOL)
           ID(userid|groupname)
           ACCESS(access-authority)
    where access-authority is one of the following:
    NONE
    Gives the user no access.
    READ
    Lets the user view the spool data set, but does not let the user change the data set's contents or attributes. For example, READ does not allow the following operands on the TSO OUTPUT command: DELETE, DEST, NEWCLASS, NOHOLD, and NOKEEP.
    UPDATE
    Lets the user read or update the contents of a spool data set. UPDATE does not allow the user to change the data set's attributes. UPDATE also allows users to update spool data sets opened by an application in the same address space.
    CONTROL
    Is equivalent to UPDATE.
    ALTER
    Lets the user read or update a spool data set or change the attribute of a spool data set. For example, ALTER allows any operand to be specified on the TSO OUTPUT command, including operands for deleting and printing. Also, when specified for a discrete profile, ALTER lets the user change the profile itself.
Note: If SDSF is installed on your system, JESSPOOL profiles control which action characters and overtypeable fields users can enter on SDSF panels. For complete information on creating JESSPOOL profiles for use with SDSF, see z/OS SDSF Operation and Customization.
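
The following Python example is added here and is not IBM's code: it builds the 6-part profile name from step 1, lists which spool data sets a generic profile would expose before access is granted, and emits the RDEFINE and PERMIT commands from steps 1 and 2. The spool data set names, the ID REVIEWER, the 8-character qualifier limit, and the matching (only a whole-qualifier asterisk and &RACLNDE are interpreted, not RACF's full generic rules) are assumptions for illustration.

```python
ACCESS = ("NONE", "READ", "UPDATE", "CONTROL", "ALTER")  # authorities listed in step 2

def profile_name(node, userid, jobname, jobid="*", dsid="*", name="*"):
    """Build local-nodename.userid.jobname.jobid.dsidentifier.name."""
    quals = [q.upper() for q in (node, userid, jobname, jobid, dsid, name)]
    if any(not 1 <= len(q) <= 8 or "." in q for q in quals):  # assumed length limit
        raise ValueError(f"each qualifier must be 1-8 characters: {quals}")
    return ".".join(quals)

def covers(profile, resource, local_nodes=("NODEA",)):
    """True if profile matches the spool data set name (simplified matching)."""
    p, r = profile.split("."), resource.split(".")
    if len(p) != 6 or len(r) != 6:
        return False
    for pq, rq in zip(p, r):
        if pq in ("*", rq):
            continue
        if pq == "&RACLNDE" and rq in local_nodes:  # RACFVARS member list (assumed)
            continue
        return False
    return True

def racf_commands(profile, grants):
    """Return the RDEFINE and PERMIT commands for a {id: access-authority} map."""
    cmds = [f"RDEFINE JESSPOOL {profile} UACC(NONE)"]
    for ident, access in grants.items():
        if access not in ACCESS:
            raise ValueError(f"unknown access authority: {access}")
        cmds.append(f"PERMIT {profile} CLASS(JESSPOOL) ID({ident}) ACCESS({access})")
    return cmds

# Constructed spool data set names (not taken from a real system)
SPOOL = [
    "NODEA.MYUSER.MYJOB.JOB08237.D0000112.OUTPUT",
    "NODEA.MYUSER.MYJOB.JOB09114.D0000105.OUTPUT",
    "NODEA.MYUSER.MYJOB.JOB09114.D0000106.REPORT",
    "NODEA.MYUSER.PAYROLL.JOB09120.D0000103.OUTPUT",
]

def reach(profile):
    """Spool data sets in SPOOL that the profile would protect and expose."""
    return [r for r in SPOOL if covers(profile, r)]

if __name__ == "__main__":
    prof = profile_name("NODEA", "MYUSER", "MYJOB", name="OUTPUT")
    print(*racf_commands(prof, {"REVIEWER": "READ"}), sep="\n")
    print("covers:", *reach(prof), sep="\n  ")
```

Widening the jobname qualifier to an asterisk also brings the PAYROLL job's OUTPUT data set into reach, which is the kind of over-broad grant worth catching before the PERMIT is issued.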





Copyright IBM Corporation 1990, 2014