You must have certain security authorizations to perform Job Monitor JES operator commands. The second phase of JES spool command security, after specifying the permitted targets, includes the permits you need to execute operator commands. This authorization is enforced by the z/OS® and JES security checks.
Note: Show JCL is not an operator command like the other Job Monitor commands (Hold, Release, Cancel, and Purge), so the limitations below do not apply to Show JCL.
Job Monitor issues all JES operator commands that you or another user requests through an extended MCS (EMCS) console, whose name is controlled with the CONSOLE_NAME directive, as documented in Job Monitor configuration file BLZJCNFG. With this setup, you or the security administrator can define granular command execution permits using the OPERCMDS and CONSOLE classes.
- To use an EMCS console, you must have, at minimum, READ authority to the MVS.MCSOPER.console-name profile in the OPERCMDS class, where console-name is the value of the CONSOLE_NAME directive.
  Note: If no profile covers the console name, the system grants the request. Define the profile with UACC(NONE) if you want to restrict who can activate the console.
- To execute a JES operator command, you must have sufficient authority to access the JES%.** profile in the OPERCMDS class.
  Note: If you do not define a profile, or if the OPERCMDS class is not active, JES will fail the command.
- You can also require that a user must go through Job Monitor to perform the operator command by specifying WHEN(CONSOLE(JMON)) on the PERMIT definition, JMON being the console name set with CONSOLE_NAME. The CONSOLE class must be active for this setup to work.
  Note: It is sufficient for the CONSOLE class to be active. No CONSOLE class profiles are checked for EMCS consoles.
Your security software prevents a user from assuming the identity of the Job Monitor server by creating a JMON console from a TSO session. Even though the console can be created, the point of entry is different: Job Monitor versus TSO. JES commands issued from such a console fail the security check if your security is set up as documented in this information center, unless the user has authority to JES commands through other means (for example, a permit without a WHEN(CONSOLE) condition).
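The three permits listed above, carried out as one RACF setup and then verified, added here as an example that is not part of the Job Monitor documentation. It assumes CONSOLE_NAME=JMON in BLZJCNFG, a RACF group named #JMONGRP that holds the Job Monitor users, and UPDATE as the access level the JES commands need (the exact level each command requires is listed in your JES command reference). It is written as a TSO REXX exec so that each command's return code is reported; the same commands can be entered one by one at a TSO prompt.

```rexx
/* REXX - added example: RACF setup for Job Monitor JES operator     */
/* command security. Not part of the Job Monitor documentation.      */
/* Assumptions: CONSOLE_NAME=JMON in BLZJCNFG, a RACF group #JMONGRP  */
/* of Job Monitor users, and UPDATE access for the JES commands       */
/* (confirm the level each command needs in your JES reference).      */

console = 'JMON'       /* must match CONSOLE_NAME in BLZJCNFG        */
users   = '#JMONGRP'   /* assumed group of Job Monitor users         */
worst   = 0            /* highest return code seen                   */

/* Both classes must be active. OPERCMDS is RACLISTed, and GENERIC   */
/* must be on for JES%.** to be treated as a generic profile.         */
Call racf 'SETROPTS CLASSACT(OPERCMDS) GENERIC(OPERCMDS) RACLIST(OPERCMDS)'
Call racf 'SETROPTS CLASSACT(CONSOLE)'

/* Console activation: READ to MVS.MCSOPER.console-name. Without a   */
/* profile the request is granted, so define one with UACC(NONE).    */
Call racf 'RDEFINE OPERCMDS MVS.MCSOPER.'console' UACC(NONE)'
Call racf 'PERMIT MVS.MCSOPER.'console' CLASS(OPERCMDS)',
          'ACCESS(READ) ID('users')'

/* The JES commands: no default access, and the permit applies only  */
/* when the command arrives through the JMON console (Job Monitor).  */
Call racf 'RDEFINE OPERCMDS JES%.** UACC(NONE)'
Call racf 'PERMIT JES%.** CLASS(OPERCMDS) ACCESS(UPDATE) ID('users')',
          'WHEN(CONSOLE('console'))'

/* Activate the changes, then show both access lists for review.     */
Call racf 'SETROPTS RACLIST(OPERCMDS) REFRESH'
Call racf 'RLIST OPERCMDS MVS.MCSOPER.'console' AUTHUSER'
Call racf 'RLIST OPERCMDS JES%.** AUTHUSER'

Exit worst

/* Issue one command under TSO and record a non-zero return code.     */
racf: Procedure Expose worst
  Parse Arg cmd
  Say '>' cmd
  Address TSO cmd
  If rc <> 0 Then Do
    Say '   return code' rc
    worst = Max(worst, rc)
  End
Return
```

With this setup, the only permit on JES%.** carries WHEN(CONSOLE(JMON)), so a member of #JMONGRP who activates a console from TSO and issues a JES command is refused, which is the point-of-entry behaviour described above; a user who holds an unconditional permit on JES%.** from elsewhere is not affected. The RLIST output with AUTHUSER shows the standard and the conditional access list, which is the quickest check that the condition was recorded. If GEN_CONSOLE_NAME=ON makes Job Monitor use a console name other than JMON, a condition on the literal name JMON no longer matches, so check the MVS.MCSOPER profile and the WHEN(CONSOLE(...)) condition against the console names that are actually used.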
Note: If the console name is already in use, Job Monitor cannot create the console when a command must be executed. To prevent this, you can set the GEN_CONSOLE_NAME=ON directive in the Job Monitor configuration file, or you can define security profiles to stop TSO users from creating a console. The following sample RACF® commands prevent all unauthorized users from creating a TSO or SDSF console, where #userid stands for the users or groups that remain allowed to do so:
- RDEFINE TSOAUTH CONSOLE UACC(NONE)
- PERMIT CONSOLE CLASS(TSOAUTH) ACCESS(READ) ID(#userid)
- RDEFINE SDSF ISFCMD.ODSP.ULOG.* UACC(NONE)
- PERMIT ISFCMD.ODSP.ULOG.* CLASS(SDSF) ACCESS(READ) ID(#userid)
Note: Users who are not authorized to issue these operator commands can still submit jobs and read job output through Job Monitor if they have sufficient authority to access the profiles that might protect these resources, like those in the JESINPUT, JESJOBS, and JESSPOOL classes.
Refer to Security Server RACF Security Administrator's Guide (SA22-7683) for more information on operator command protection.