Actions against jobs: execution limitations

You must have certain security authorizations to perform Job Monitor JES operator commands.
The second phase of JES spool command security, after specifying the permitted targets, includes the permits you need to execute operator commands. This authorization is enforced by the z/OS® and JES security checks.
Note: Show JCL is not an operator command like the other Job Monitor commands (Hold, Release, Cancel, and Purge), so the limitations below do not apply to Show JCL.

Job Monitor issues all JES operator commands that you or another user requests through an extended MCS (EMCS) console, whose name is controlled with the CONSOLE_NAME directive, as documented in Job Monitor configuration file BLZJCNFG.

With this setup, you or the security administrator can define granular command execution permits using the OPERCMDS and CONSOLE classes.

Your security software prevents the assumption of the identity of the Job Monitor server by creating a JMON console from a TSO session. Even though the console can be created, the point of entry is different: Job Monitor versus TSO. JES commands that you issue from this console will fail the security check if your security is set up as documented in this information center, and if you or another user does not have authority to JES commands through other means.

Note: If the console name is already in use, Job Monitor cannot create the console when a command must be executed. To prevent this, you can set the GEN_CONSOLE_NAME=ON directive in the Job Monitor configuration file, or you can define security profiles to stop TSO users from creating a console.

The following sample RACF® commands prevent all unauthorized users from creating a TSO or SDSF console:

Note: Users who are not authorized to make these operator commands can still submit jobs and read job output through Job Monitor if they have sufficient authority to access profiles that might protect these resources, like those in the JESINPUT, JESJOBS, and JESSPOOL classes.

Refer to Security Server RACF Security Administrator's Guide (SA22-7683) for more information on operator command protection.


Feedback