Securing resources
- The name that identifies a resource or group of resources
- The class of the resource
- The availability of the resource to all users
- A list of user IDs or group IDs that can access the resource and their authorization level, if needed
- An optional security label for the resource
- Other security-related information.
The profile name identifies a resource or set of resources to RACF. The name that identifies a resource to JES2 (defined in the initialization data set) is the basis of the profile name your RACF administrator uses to define the RACF profile.
Your security administrator defines different types of resources (printers, nodes, and SYSOUT, for example) to different RACF classes. Table 1 shows the JES2 resource types and the classes that your RACF administrator can use to define each resource.
JES2 resource | RACF profile name format | RACF classes | Class purpose |
---|---|---|---|
Commands from Network Job Entry (NJE) Nodes | NJE.nodename | FACILITY | Allows a node to issue commands to your system |
Commands from RJE Workstations | jesname.command[.qualifier] | OPERCMDS and FACILITY | Restrict commands to authorized users |
Data sets JES2 uses | 'data set name' | DATASET (always active) | Prevents unauthorized access to data sets |
Data Sets Residing on Spool | localnodeid.userid.jobname.jobid.dsidentifier.name | JESSPOOL | Restrict access to data on spool to authorized users |
Input Sources | Note: TSUINRDR and TSOINRDR are used interchangeably. | JESINPUT (see note) | Restricts users submitting specific jobs to specific devices |
Job Group registration of a job to a job group | GROUPREG.node.groupname.userid | JESJOBS owned by the specified userID | Controls which users can register a job with the specified group |
Job modification and cancellation | HOLD.nodename.userid.jobname | JESJOBS (see note) | Controls which jobnames and user IDs users can use when modifying or cancelling jobs. |
Local Commands | jesname.command[.qualifier] | OPERCMDS | Restricts commands to authorized users |
Network Job Entry (NJE) Nodes | | | |
Output Devices | jesname.LOCAL.devicename | WRITER | Restricts processing of output to specific devices |
Remote Job Entry (RJE) Workstations | RJE.workstation-id | FACILITY | Prevents unauthorized signon by remotes |
Update JESNEWS | jesname.UPDATE.JESNEWS | OPERCMDS | Restricts ability to create, update, and delete JESNEWS. |

Note: At least one profile that defines all jobs must exist in this class when this class is active or all jobs fail.
When RACF is active, every user must have a RACF user profile, any class in use must be active, and all resources you want to protect must have a resource profile (except those in the JESSPOOL class). Before JES2 completes a request for a resource from a user, JES2 requests authorization from SAF. SAF passes the request to RACF, which determines the authority based on the existing profiles. If RACF is not active or cannot determine the authorization for a resource, JES2 carries out its own security processing, if any, for that resource. The z/OS Security Server RACF Security Administrator's Guide has additional information about profiles and access.
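The following Python sketch is an added example, not IBM code. It models the decision flow described above and the note under Table 1, so that a set of profiles can be checked for gaps before a class is activated. It assumes a simplified form of generic profile matching, and all node, device, user, and job names in the sample data are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Classes marked "(see note)" in Table 1: once active, a request that no
# profile covers makes the job fail.
FAIL_WITHOUT_PROFILE = {"JESINPUT", "JESJOBS"}

def covers(profile, resource):
    """Simplified generic match (an assumption, not RACF's full rules):
    '**' is zero or more qualifiers, '*' is any characters within one
    qualifier, '%' is exactly one character."""
    def match(p, r):
        if not p:
            return not r
        if p[0] == "**":
            return any(match(p[1:], r[i:]) for i in range(len(r) + 1))
        return (bool(r) and fnmatchcase(r[0], p[0].replace("%", "?"))
                and match(p[1:], r[1:]))
    return match(profile.split("."), resource.split("."))

def outcome(racf_active, active_classes, profiles, cls, resource):
    """Who ends up deciding one JES2 request, following the flow in the text."""
    if not racf_active or cls not in active_classes:
        return "JES2_OWN_PROCESSING"   # RACF is inactive or cannot determine
    if cls == "JESSPOOL" or any(covers(p, resource) for p in profiles.get(cls, ())):
        return "RACF_DECIDES"          # JESSPOOL needs no resource profile
    if cls in FAIL_WITHOUT_PROFILE:
        return "JOB_FAILS"             # active class, no covering profile
    return "JES2_OWN_PROCESSING"       # no profile: RACF cannot determine

def audit(racf_active, active_classes, profiles, requests):
    """Map each (class, resource) request RACF would not decide to its outcome."""
    results = {(c, r): outcome(racf_active, active_classes, profiles, c, r)
               for c, r in requests}
    return {k: v for k, v in results.items() if v != "RACF_DECIDES"}

# Constructed sample data: JES2, NODEA, PRT1, PRT2, RMT5 and the user and job
# names are placeholders, not values from the page.
ACTIVE = {"WRITER", "FACILITY", "JESJOBS", "JESSPOOL"}
PROFILES = {"WRITER": ["JES2.LOCAL.PRT1"], "FACILITY": ["RJE.*"],
            "JESJOBS": ["HOLD.NODEA.PAYUSR.**"]}
REQUESTS = [("WRITER", "JES2.LOCAL.PRT1"), ("WRITER", "JES2.LOCAL.PRT2"),
            ("FACILITY", "RJE.RMT5"), ("JESINPUT", "TSUINRDR"),
            ("JESJOBS", "HOLD.NODEA.PAYUSR.PAYROLL"),
            ("JESJOBS", "HOLD.NODEA.DEVUSR.BUILD1"),
            ("JESSPOOL", "NODEA.PAYUSR.PAYROLL.JOB00042.D0000101.REPORT")]

if __name__ == "__main__":
    for (cls, res), result in audit(True, ACTIVE, PROFILES, REQUESTS).items():
        print(f"{cls:9} {res:28} {result}")
```

Adding a `**` profile to the JESJOBS list clears the `JOB_FAILS` finding, which is the catch-all profile the note under Table 1 calls for.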