How can I secure who can submit a batch job where the jobname starts with the letter P*?

Document ID : KB000014303
Last Modified Date : 14/02/2018
Question:

How can I secure who can submit a batch job where the jobname starts with the letter P*?

Answer:
Beyond the standard CA ACF2 JES security interface, there are other security 
calls that you can enable. These security calls are made using the System 
Authorization Facility (SAF).
 
JESJOBS validation controls both job submit and job cancel activity. The 
resource name format is:
 
SUBMIT.nodename.jobname.userid 
CANCEL.nodename.userid.jobname
 
To enable validation for the JESJOBS resource class, implement an ACF2 GSO SAFDEF
record, a GSO CLASMAP record and a resource rule:
 
  1. The default resource type for JESJOBS is SAF. If you want to use a different type 
    code, insert a GSO CLASMAP record as follows:

    ACF
    SET CONTROL(GSO)
    INSERT CLASMAP.jjobs RESOURCE(JESJOBS) RSRCTYPE(job)
    F ACF2,REFRESH(CLASMAP)

    Where job is the type code you select.

  2. Write resource rules for the JESJOBS SUBMIT resource (SUBMIT.nodename.jobname.userid):

    ACF
    SET RESOURCE(job)
    RECKEY SUBMIT ADD( -.P- UID(user001) PREVENT)
    RECKEY SUBMIT ADD( - UID(*) ALLOW)

    The RECKEY commands above create the following resource rule, which allows
    all logonids to submit any job and prevents logonid USER001 from submitting any
    job whose name starts with P.

    $KEY(SUBMIT) TYPE(JOB) 
     -.P- UID( USER001 ) PREVENT
     - UID(*) ALLOW 

  3. Insert a GSO SAFDEF record to enable the SAF calls:

    ACF
    SET CONTROL(GSO)
    INSERT SAFDEF.jjobs ID(jjobs) RACROUTE(REQUEST=AUTH,CLASS=JESJOBS)
    F ACF2,REFRESH(SAFDEF)

Details can be found in section: "Security Classes" sub-section "JESJOBS".
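
To see which submissions the rule in step 2 prevents, the following Python model evaluates a submission against the two rule entries. It is an added example, not CA ACF2 code or part of the original document. It assumes that `-` matches zero or more characters, `*` matches exactly one character, UID masks match as prefixes, entries are checked in the order listed, and a request with no matching entry is denied; NODE1, PAYROLL, BACKUP and USER002 are constructed sample values.

```python
import re

# Entries of the page's $KEY(SUBMIT) rule, in the order shown there:
# (extended-key mask, UID mask, action)
RULE_SUBMIT = [
    ("-.P-", "USER001", "PREVENT"),
    ("-", "*", "ALLOW"),
]


def mask_regex(mask, prefix=False):
    """Translate a mask under the assumed semantics:
    '-' = zero or more characters, '*' = exactly one character."""
    body = "".join(
        ".*" if c == "-" else "." if c == "*" else re.escape(c)
        for c in mask.upper()
    )
    return re.compile(body + (".*" if prefix else ""))


def submit_decision(submitter_uid, node, jobname, userid, rule=RULE_SUBMIT):
    """Return (resource name, action) for one job submission.

    submitter_uid is compared with the UID() mask (modelled here as the
    logonid); node, jobname and userid fill the resource name format
    SUBMIT.nodename.jobname.userid given on the page.
    """
    resource = f"SUBMIT.{node}.{jobname}.{userid}".upper()
    ext_key = resource[len("SUBMIT."):]  # part after $KEY(SUBMIT)
    uid = submitter_uid.upper()
    for key_mask, uid_mask, action in rule:
        if (mask_regex(key_mask).fullmatch(ext_key)
                and mask_regex(uid_mask, prefix=True).fullmatch(uid)):
            return resource, action
    return resource, "PREVENT"  # assumed default: no matching entry, no access


if __name__ == "__main__":
    # Constructed sample submissions: (submitter, node, jobname, userid)
    samples = [
        ("USER001", "NODE1", "PAYROLL", "USER001"),
        ("USER001", "NODE1", "BACKUP", "USER001"),
        ("USER002", "NODE1", "PAYROLL", "USER002"),
    ]
    for sample in samples:
        print(*submit_decision(*sample))
```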