I am cancelling jobs in SDSF, but the rule does not work, giving a violation instead.

Document ID : KB000032012
Last Modified Date : 14/02/2018
Show Technical Document Details

Problem:

I am using SDSF to cancel jobs and STC's.  I wrote rules for this as documented in the CA ACF2 Administrator's Guide, Appendix C, Protecting Operator Commands, but for JES2 commands.  The documentation shows:

$key(mvs) type(opr)
 cancel.job.- uid(oper) service(update) allow
 cancel.stc.- uid(oper) service(update) allow
 
So I wrote:

$key(jes2) type(opr)
 cancel.job.- uid(oper) service(update) allow
 cancel.stc.- uid(oper) service(update) allow
 
But I still get a violation:
 
ACF04056 ACCESS TO RESOURCE JES2.CANCEL.STC TYPE ROPR BY logonid NOT AUTHORIZED
 
Resolution:
 
When the resource call is made from z/OS, the resource name for JES2 commands is different then MVS commands.  MVS commands are in the format of:
 
MVS.CANCEL.JOB.jobname
MVS.CANCEL.STC.jobname
 
while JES2 commands are in the format of:
 
JES2.CANCEL.JOB
JES2.CANCEL.STC
 
The resource name for the JES2 commands does not have the granularity that MVS commands do which include the jobname or STC name.  ACF2 cannot change this since this is a z/OS call.  So the JES2 commands will allow the cancellation of ALL batch jobs and STC's.  MVS commands can be selective.

 

Additional information:

For more information on securing commands in SDSF, see technical document TEC1413153