z/OS JES3 Initialization and Tuning Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Controlling Where Output Can Be Processed

z/OS JES3 Initialization and Tuning Guide
SA32-1003-00

You can use the WRITER class to control where output can be printed. For example, you can authorize or restrict the use of writers for local printers and punches, remote workstations (RJE and RJP devices) and network nodes. You can also limit which classification of data can be sent to a particular device or node. See Authorizing Outbound Work for information about how to use the WRITER class to control outbound jobs and SYSOUT for NJE.

When the WRITER class is active, RACF® ensures that the user is authorized to use a writer. For network devices, RACF also verifies the security of outbound data sets to ensure that the originator is authorized to send the data set to another node in a network.

To control where output can be sent, do the following:
  1. Ask your JES system programmer for the following information:
    • The name of your JES system
    • If you are protecting local printers and punches, or RJE devices, their device names
    • If you are protecting network devices, the name of the node that will ultimately receive the output
      Note: The node name as specified in the JES initialization stream.
    • The security label, if you want to limit which classifications of output can be sent to a particular output destination
    • The list of users to be authorized or restricted from using a specific output destination.
  2. Create a profile in the WRITER class to protect each writer: 
    RDEFINE  WRITER  profile-name  UACC(appropriate-access)
    where profile-name has one of the following formats:
    • For local printers and punches: 
      jesname.LOCAL.devicename
    • For JES2 RJE devices: 
      jesname.RJE.devicename
    • For JES3 RJP devices: 
      jesname.RJP.devicename
    • For data whose destination is a node: 
      jesname.NJE.nodename

      where nodename is the name of the node to ultimately receive the output.

    Also, UACC can be one of the following:
    NONE
    Allows no access
    READ
    Allows all users to send output to the protected device or node.
  3. Give the appropriate access to users and groups: 
    PERMIT  profile-name  CLASS(WRITER)  ID(user or group)
        ACCESS(appropriate-access)
    where appropriate-access is one of the following:
    NONE
    Allows no access
    READ
    Allows the user or group to send output to the protected device or node.
  4. When you are ready to start controlling access to writers based on the profiles you have defined, activate the WRITER class:
    SETROPTS  CLASSACT(WRITER)
    Note: If SDSF 1.3 or later is installed on your system, WRITER profiles control which operations related to printers (such as displaying information about a printer or purging output) users can enter on SDSF panels. For complete information about creating WRITER profiles for use with SDSF 1.3, see SDSF Guide and Reference.
Parent topic: Providing security for JES3

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014