Security settings for job CANCEL and joblog PURGE within Roscoe and SDSF output.

Document ID : KB000009103
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

We want to provide a CANCEL authority to cancel job for each users. But, we do not want to provide a PURGE authority to purge joblog.
We defined the READ authority for JESSPOOL, in order to deter PURGE of joblog. But, we received the following security error message.
Please tell me how to set it up.

Current definition;
JESJOBS  CANCEL.*.&RACUID.*  ALTER
JESSPOOL *.user%%%.*  READ

Security message;
ICH408I USER(userid) GROUP(group) NAME(user name) nnn
INSUFFICIENT ACCESS AUTHORITY FROM *.user%%%.* (G) ACCESS INTENT (CONTROL) ACCESS ALLOWED (READ)
ICH408I USER(userid) GROUP(group) NAME(user name) nnn

localnode.userid.jobname.jobid CL(JESSPOOL) INSUFFICIENT ACCESS AUTHORITY FROM *.user%%%.* (G) ACCESS INTENT (CONTROL) ACCESS ALLOWED (READ)
localnode.userid.jobname.jobid CL(JESSPOOL)

Environment:
z/OSRoscoe R6.0/SP09(0612)
Cause:

The authority to CANCEL a job is equal to the authority required to PURGE a job in the RACF/SDSF world. But, Roscoe does not have any setting to perform the task exactly as you want. 

Resolution:

Using the OUTEXIT(Extended Facilities for System Programmers Guide) you might be able to build some type of table to ascertain which command is being issued and manage it with the OUTEXIT. But, this may not be easily maintained and automated. It is a possible option.

 

Additional Information:

Please see the 'OUTEXIT Job Output Exit' of the 'Extended Facilities for System Programmers Guide' for more information.