How does CA Roscoe APAR RO61518 JES-USERS WITH READ ACCESS CAN PURGE JOBS USING DETACH JOB work?

Document ID : KB000019017
Last Modified Date : 14/02/2018
Show Technical Document Details

Question: 

We have installed RO61518 JES-USERS WITH READ ACCESS CAN PURGE JOBS USING DETACH JOB. It is not clear to me based on the fix information what else I need to do to activate this security. Do I have to still code the security check in the outexit? Or is just setting up the JESSPOOL rules enough because you already are doing the security call in DETACH JOB command?

Answer: 

RO61518 JES-USERS WITH READ ACCESS CAN PURGE JOBS USING DETACH JOB implements a security call for the DETACH JOB command to make sure the user issuing the D J command is authorized to PURGE the output from JES.

This is the way The DETACH JOB command works after applying RO61518. The OUTEXIT is no longer required. Just setting up the JESSPOOL rules is enough because Roscoe is now making the security call in DETACH JOB.

  1. PURGEs the job output from JES. First a security call is done to verify the user is authorized to delete the output from JES. If the user is not authorized to PURGE the job, the job is not purged. When the PURGE request is denied because of insufficient authority a new message, OUT103 JOB MODIFICATION NOT ALLOWED. JOB WAS DETACHED, is displayed to inform the user about his/her insufficient JES authority and that the job can still be found in the JESSPOOL.
  2. DETACHes the job regardless of the result of the security call.

    NOTE: The PURGE and the security call are not done when the job contains only Print files.

    The DETACH JOB NOACT command only DETACHEs the job. It doesn't attempt to delete the output from JES and therefore there is no security call done and no messages are displayed.

Summary:

Users with READ ONLY access issuing the command DETACH JOB

  1. PURGE request fails because of security;
  2. Message issued to user OUT103 JOB MODIFICATION NOT ALLOWED. JOB WAS DETACHED
  3. Job is detached and stays in SPOOL

Users with READ ONLY access issuing the command DETACH JOB NOACT

  1. No purge request was made
  2. Therefore no security call is made
  3. No message is displayed
  4. Job is detached and stays in SPOOL

Users with ALL access issuing the command DETACH JOB

  1. PURGE request is successful
  2. JOB is detached and is deleted from JESSPOOL

Users with READ ONLY access issuing the command DETACH JOB NOACT

  1. No purge request was made
  2. Therefore no security call is made
  3. No message is displayed
  4. Job is detached and stays in SPOOL

Additional Information:

There is a standalone PURGE command which is actually runs as a Roscoe monitor routine. The PURGE monitor was enhanced with APAR QO90965 UPDATE PURGE MONITOR TO MAKE JESSPOOL SECURITY CALL.