Protecting data sets on spools

You can use RACF® to protect data sets that reside on spool, including spool files that JES appends to job output, such as JESNEWS. Using RACF prevents users other than the owner of a data set from reading, copying, printing, or deleting sensitive job data.

To enable RACF protection of spool data sets, activate the JESSPOOL class:
SETROPTS CLASSACT(JESSPOOL)
SETROPTS GENERIC(JESSPOOL)
Profiles are not required in the JESSPOOL class for protection to be in effect: when no profile covers a spool data set, JES denies access to everyone except the user who created it. IBM® recommends that you activate generics for the JESSPOOL class because the profile names are system generated (nodeid.userid.jobname.jobid.dsnumber.name), so discrete profiles are impractical.
Note:
  1. When the JESSPOOL class is not active, data sets that reside on spool are not protected and could be accessed using APIs that do not require the program to be APF authorized. Products like SDSF and TSO/E will provide a level of protection for the spool data sets when the JESSPOOL class is not active, but that does not imply that the data that resides on spool cannot be accessed by any user on the system.
  2. When the JESSPOOL class is active, RACF ensures that only authorized users obtain access to job data sets on spool. Authorization to job data sets is granted through profiles in the JESSPOOL class. If there is no profile for a data set, only the user that created the data set can access, modify, or delete it.
  3. While a job is executing, RACF optionally audits actions against SYSIN and SYSOUT data sets. For SYSIN data sets, JES invokes RACF each time a SYSIN data set is allocated, opened, or deleted. For SYSOUT data sets, JES invokes RACF each time a SYSOUT data set is created, opened, deleted, or selected for output.
  4. For output selection, a data set can be selected by a TSO user through the TSO OUTPUT command. A profile must exist to enable users other than the creator to access data sets using the TSO OUTPUT command.
  5. External writers, which are usually started tasks that process output to special devices (such as microfiche), require at least ALTER access to the spool data sets they process. If your installation has external writers and you activate the JESSPOOL class, you must either ensure that the external writers have ALTER access to the appropriate JESSPOOL profiles, or define the external writers as started procedures with the trusted attribute. You can define them either in the STARTED class or in the RACF started procedures table (ICHRIN03). Otherwise, the external writers cannot process output. Because external writers are installation-written programs, avoid giving them the trusted attribute; grant ALTER access through JESSPOOL profiles instead.
  6. If SDSF is installed on your system, JESSPOOL profiles control which action characters and overtypeable fields users can enter on SDSF panels. For complete information on creating JESSPOOL profiles for use with SDSF, see z/OS SDSF Operation and Customization.
  7. SYSOUT application program interface (SAPI) applications, which are usually started tasks that process output to special devices (like microfiche), require at least UPDATE access to the spool data sets they process. If your installation has SAPI applications, and you activate the JESSPOOL class, you must either ensure that the SAPI applications have UPDATE access to appropriate JESSPOOL profiles, or define the applications as a started procedure with the trusted attribute. You can define them either in the STARTED class or in the RACF started procedures table. Otherwise, the SAPI applications cannot process output.
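The following command sequence is an added example and is not part of the original page or of any IBM-supplied sample. It ties together the procedure above: activating the class (with generics), creating a generic JESSPOOL profile so that a second user can read another user's output with the TSO OUTPUT command or SDSF (note 4), and giving an external writer ALTER access and a SAPI application UPDATE access through profiles and the STARTED class rather than the trusted attribute (notes 5 and 7). The node name NODE1, the users PAYUSR and AUDITOR, the started-task user IDs XWTR and SAPIAPP, and the group STCGRP are assumed names; substitute your own. Comment lines use CLIST style; at TSO READY enter only the command lines.

```tso
/* Added example, not from the original page. NODE1, PAYUSR, AUDITOR,     */
/* XWTR, SAPIAPP and STCGRP are assumed names.                            */

/* 1. Activate JESSPOOL with generic profile support.                     */
SETROPTS CLASSACT(JESSPOOL) GENERIC(JESSPOOL)

/* 2. Profile names are generated as                                      */
/*    localnodeid.userid.jobname.jobid.Ddsnumber.name                     */
/*    so one generic profile covers every spool data set PAYUSR creates.  */
/*    OWNER(PAYUSR) keeps the creator's own access; UACC(NONE) shuts      */
/*    everyone else out; AUDIT logs rejected READ attempts (note 3).      */
RDEFINE JESSPOOL NODE1.PAYUSR.** UACC(NONE) OWNER(PAYUSR) AUDIT(FAILURES(READ))

/* 3. Let AUDITOR read PAYUSR's output with TSO OUTPUT or SDSF (note 4).  */
PERMIT NODE1.PAYUSR.** CLASS(JESSPOOL) ID(AUDITOR) ACCESS(READ)

/* 4. Protected (no password) user IDs for the external writer and the    */
/*    SAPI application, assigned to their started tasks via STARTED.      */
ADDUSER XWTR    NAME('EXTERNAL WRITER') DFLTGRP(STCGRP) NOPASSWORD NOOIDCARD
ADDUSER SAPIAPP NAME('SAPI APPLICATION') DFLTGRP(STCGRP) NOPASSWORD NOOIDCARD
RDEFINE STARTED XWTR.*    STDATA(USER(XWTR)    GROUP(STCGRP) TRUSTED(NO))
RDEFINE STARTED SAPIAPP.* STDATA(USER(SAPIAPP) GROUP(STCGRP) TRUSTED(NO))
SETROPTS RACLIST(STARTED) REFRESH

/* 5. External writer needs ALTER (note 5), SAPI application UPDATE       */
/*    (note 7). Repeat for every JESSPOOL profile whose data sets these   */
/*    tasks select; neither task gets the trusted attribute.              */
PERMIT NODE1.PAYUSR.** CLASS(JESSPOOL) ID(XWTR)    ACCESS(ALTER)
PERMIT NODE1.PAYUSR.** CLASS(JESSPOOL) ID(SAPIAPP) ACCESS(UPDATE)

/* 6. JESSPOOL is not RACLISTed; refresh the in-storage generic profiles  */
/*    so the new profile and access list take effect.                     */
SETROPTS GENERIC(JESSPOOL) REFRESH

/* 7. Verify the resulting access list before relying on it.              */
RLIST JESSPOOL NODE1.PAYUSR.** AUTHUSER
```

Check the RLIST output for exactly the three entries you intended (AUDITOR READ, XWTR ALTER, SAPIAPP UPDATE) and a UACC of NONE. Because RACF selects the most specific matching profile, a broader profile such as NODE1.** added later with UACC(NONE) would not affect PAYUSR's data sets, but it would govern every other user's output, so define such a profile only after deciding how those creators keep access to their own output.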