To activate external security for Attach Job in CA-Roscoe you must specify ACFEXT=YES and JOBEXT=YES in the CA-Roscoe SYSIN parameters.
CA-Roscoe will now issue the standard SAF RACROUTE JESSPOOL security call before any job that is viewed using the CA-Roscoe Attach Job command. No security calls are issued before the job is released. The profile name is the standard JESSPOOL 6 part format as follows:localnodeid.userid.jobname.jobid.dsnumber.name
localnodid is the name of the node on which the SYSOUT data set currently resides. The local node ID appears in the JES job log of every job.
userid is the user ID associated with the job. This is the user ID RACF users for validation purposes when the job runs.
jobname is the name that appears in the name field of the JOB statement.
jobid is the job ID assigned to the JOB by JES. The job ID appears in notification messages and in the JES job log of every job.
dsnumber is the unique data set number JES assigned to the spool data set. A "D" is the first character of this qualifier.
name is the name of the data set specified in the DSN= parameter of the DD statement. This name cannot be JESYSMSG, JESJCLIN, JESJCL, or JESMSGLG and follows the naming conventions for a temporary data set. (See the JCL Reference.) If the JCL did not specify DSN= on the DD statement that creates the spool data set, JES uses a single question mark (?).
Note: You can specify generic characters for any of the qualifiers in the profile such as jobid if it is not known.
A sample TSS permit:
TSS PERMIT(userid) JESSPOOL(node.userid.jobname.) ACCESS(UPDATE)