Job Monitor issues all JES operator commands through an extended MCS (EMCS) console, whose name is controlled with the CONSOLE_NAME directive, as documented in Job Monitor configuration file BLZJCNFG.

The following sample RACF® commands give Job Monitor users conditional access to a limited set of JES commands: Hold, Release, Cancel, and Purge. Users have execution permission only if they issue the commands through Job Monitor. Replace the #console placeholder with the actual console name.
RDEFINE OPERCMDS MVS.MCSOPER.#console UACC(READ) -
  DATA('RATIONAL TEAM CONCERT')
RDEFINE OPERCMDS JES%.** UACC(NONE)
PERMIT JES%.** CLASS(OPERCMDS) ACCESS(UPDATE) -
  WHEN(CONSOLE(JMON)) ID(*)
SETROPTS RACLIST(OPERCMDS) REFRESH

Notes:
- Usage of the console is permitted if no MVS.MCSOPER.#console profile is defined.
- The CONSOLE class must be active for WHEN(CONSOLE(JMON)) to work, but there is no actual profile check in the CONSOLE class for EMCS consoles.
- Do not replace JMON with the actual console name in the WHEN(CONSOLE(JMON)) clause. The JMON keyword represents the point-of-entry application, not the console name.

Attention: If you define JES commands with universal access NONE in your security software, you might impact other applications and operations. Test this before you activate it on a production system.

Table 1 and Table 2 show the operator commands issued for JES2 and JES3, and the discrete security profiles that you can use to protect them.

Table 1. JES2 Job Monitor operator commands

| Action | Command | OPERCMDS profile | Required access |
|---|---|---|---|
| Hold | $Hx(jobid) with x = {J, S or T} | jesname.MODIFYHOLD.BAT, jesname.MODIFYHOLD.STC, jesname.MODIFYHOLD.TSU | UPDATE |
| Release | $Ax(jobid) with x = {J, S or T} | jesname.MODIFYRELEASE.BAT, jesname.MODIFYRELEASE.STC, jesname.MODIFYRELEASE.TSU | UPDATE |
| Cancel | $Cx(jobid) with x = {J, S or T} | jesname.CANCEL.BAT, jesname.CANCEL.STC, jesname.CANCEL.TSU | UPDATE |
| Purge | $Cx(jobid),P with x = {J, S or T} | jesname.CANCEL.BAT, jesname.CANCEL.STC, jesname.CANCEL.TSU | UPDATE |
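
As an added example (not part of the product documentation), the following Python sketch resolves which Table 1 profile a JES2 command issued by Job Monitor is checked against, and emits discrete-profile RACF commands in the same form as the sample above. The default jesname `JES2`, the function names, and the sample job IDs are assumptions; the J/S/T to BAT/STC/TSU pairing follows the JES2 job types (batch job, started task, TSO user).

```python
import re

# Table 1: JES2 command verb -> (action, OPERCMDS profile qualifier).
VERB = {"H": ("Hold", "MODIFYHOLD"), "A": ("Release", "MODIFYRELEASE"),
        "C": ("Cancel", "CANCEL")}
# JES2 job-type letter -> last profile qualifier (batch, started task, TSO user).
JOBTYPE = {"J": "BAT", "S": "STC", "T": "TSU"}
# Matches the command shapes in Table 1: $Hx(jobid), $Ax(jobid), $Cx(jobid)[,P].
_CMD = re.compile(r"^\$([HAC])([JST])\(([^()]+)\)(,P)?$", re.IGNORECASE)


def required_profile(command, jesname="JES2"):
    """Return (action, OPERCMDS profile) for a Job Monitor JES2 command."""
    m = _CMD.match(command.strip())
    if not m:
        raise ValueError(f"not a Table 1 command: {command!r}")
    verb, jobtype, _jobid, purge = m.groups()
    action, qualifier = VERB[verb.upper()]
    if purge:
        if verb.upper() != "C":  # Table 1 lists ,P only together with $C
            raise ValueError(f",P is only listed with $C: {command!r}")
        action = "Purge"  # Purge is checked against the same CANCEL profile
    return action, f"{jesname}.{qualifier}.{JOBTYPE[jobtype.upper()]}"


def discrete_racf_commands(jesname="JES2", ids="*"):
    """RACF commands that protect only the nine Table 1 profiles."""
    cmds = []
    for _action, qualifier in VERB.values():
        for suffix in JOBTYPE.values():
            profile = f"{jesname}.{qualifier}.{suffix}"
            cmds.append(f"RDEFINE OPERCMDS {profile} UACC(NONE)")
            # JMON is the point-of-entry keyword, not the console name.
            cmds.append(f"PERMIT {profile} CLASS(OPERCMDS) ACCESS(UPDATE) "
                        f"WHEN(CONSOLE(JMON)) ID({ids})")
    return cmds + ["SETROPTS RACLIST(OPERCMDS) REFRESH"]


if __name__ == "__main__":
    # Constructed sample commands, not captured from a real system.
    for sample in ("$HJ(JOB01234)", "$AS(STC00007)", "$CT(TSU00042),P"):
        print(sample, "->", required_profile(sample))
    print("\n".join(discrete_racf_commands()))
```

Review the generated commands before running them; the Attention notice about UACC(NONE) applies to discrete profiles as well.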

Table 2. JES3 Job Monitor operator commands

| Action | Command | OPERCMDS profile | Required access |
|---|---|---|---|
| Hold | *F,J=jobid,H | jesname.MODIFY.JOB | UPDATE |
| Release | *F,J=jobid,R | jesname.MODIFY.JOB | UPDATE |
| Cancel | *F,J=jobid,C | jesname.MODIFY.JOB | UPDATE |
| Purge | *F,J=jobid,C | jesname.MODIFY.JOB | UPDATE |

Notes:
- The Hold, Release, Cancel, and Purge JES operator commands, and the Show JCL command, can be performed only against spool files that the user ID owns, unless LIMIT_COMMANDS= with value LIMITED or NOLIMIT is specified in the Job Monitor configuration file. Refer to Actions against jobs: target limitations for more information.
- You can browse any spool file, unless LIMIT_VIEW=USERID is defined in the Job Monitor configuration file. Refer to Access to spool files for more information.
- Users who are not authorized for these operator commands can still submit jobs and read job output through Job Monitor, provided that they have sufficient authority to profiles that might protect these resources, like those in the JESINPUT, JESJOBS and JESSPOOL classes.

Your security software prevents a user from assuming the identity of the Job Monitor server by creating a JMON console from a TSO session. Even though the console can be created, the point of entry is different: Job Monitor versus TSO. JES commands issued from this console will fail the security check if your security is set up as documented in this information center, and if you do not have authority to the JES commands through other means.