(Optional) Steps for controlling user access to FTP JES mode

FTP uses the SAF resource EZB.FTP.sysname.ftpdaemonname.ACCESS.JES in the SERVAUTH class to control access to FTP JES mode. If you do not control access to this resource, then all users can use FTP JES mode. While in JES mode a user can submit a job, display job output, and delete job output. You are strongly encouraged to define a profile to control access to the EZB.FTP.sysname.ftpdaemonname.ACCESS.JES resource and grant read access only to users with a legitimate need to use JES mode.

Before you begin

You must have the authority to issue the necessary RACF® commands.

The following procedure assumes that you are using RACF as your security product. You can, however, use any SAF-compliant security product.

Procedure

Perform the following steps to control access to FTP JES mode.

  1. Define the profile for the FTP user access to FTP JES mode.
    The profile has the following form:
    RDEFINE SERVAUTH EZB.FTP.sysname.ftpdaemonname.ACCESS.JES

    For example, the profile name for FTP daemon FTPD running on system MVSA is the following name:

    EZB.FTP.MVSA.FTPD1.ACCESS.JES
    Tip: The profile name can contain wildcard values as allowed by the security product. All security-product rules (for example wildcards, PROTECTALL, and so on) apply. For example, if all systems will use the same access list and RACF generic profile checking is active for the SERVAUTH class, you could use the following profile name:
    EZB.FTP.*.FTPD1.ACCESS.JES
  2. Permit the user IDs that require access to JES mode to the profile:
    PERMIT EZB.FTP.sysname.ftpdaemonname.ACCESS.JES CLASS(SERVAUTH)
           ID(ftpuser) ACCESS(READ)
    Tip: If you allow anonymous users to log in by configuring the ANONYMOUS statement in FTP.DATA, consider whether those users require access to JES mode (such a requirement would be very unusual). If anonymous users do require access to JES mode, the anonymous user ID must be permitted to the profile. The anonymous user ID is configured on the ANONYMOUS statement or defaults to ANONYMO. See ANONYMOUS (FTP server) statement in z/OS Communications Server: IP Configuration Reference for more information.

  3. Take one of the following actions:
    • If the RACF SERVAUTH class is not already activated, issue the following commands:
      SETROPTS CLASSACT(SERVAUTH)
      SETROPTS RACLIST(SERVAUTH)
    • Otherwise (the SERVAUTH class is active), refresh the SERVAUTH class if a new profile has been added or an existing profile has changed:
      SETROPTS RACLIST(SERVAUTH) REFRESH

Results

  • When you are finished, only the users permitted to the profile are able to access FTP JES mode.
  • When a user issues SITE FILETYPE=JES, the user's access to FTP JES mode is checked. If the user is not allowed to access FTP JES mode, the FILETYPE for the connection remains unchanged.
  • When a user logs into an FTP server that is configured with FILETYPE JES, the user's access to FTP JES mode is checked. If the user is not allowed to access FTP JES mode, the FILETYPE for the connection is set to the default value of sequential (SEQ) mode.
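
The procedure above carried through as a batch TSO job for the MVSA/FTPD1 profile, with a final RLIST step to review the result. This is an added example, not part of the original procedure. It assumes the SERVAUTH class is already active and RACLISTed; the JOB card values, the group name FTPJES, and the explicit UACC(NONE) operand are assumptions to adapt to your installation.

```jcl
//FTPJESAC JOB (ACCT),'FTP JES ACCESS',CLASS=A,MSGCLASS=X
//* Added example. The JOB card values, group FTPJES, and the
//* explicit UACC(NONE) are assumptions. MVSA and FTPD1 are the
//* names used in the profile example above.
//* 1. RDEFINE  : define the profile with no default access.
//* 2. PERMIT   : grant READ to the group allowed to use JES mode.
//* 3. SETROPTS : refresh the in-storage SERVAUTH profiles.
//* 4. RLIST    : list the UACC and access list for review.
//RACFCMD  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE SERVAUTH EZB.FTP.MVSA.FTPD1.ACCESS.JES UACC(NONE)
  PERMIT EZB.FTP.MVSA.FTPD1.ACCESS.JES CLASS(SERVAUTH) -
         ID(FTPJES) ACCESS(READ)
  SETROPTS RACLIST(SERVAUTH) REFRESH
  RLIST SERVAUTH EZB.FTP.MVSA.FTPD1.ACCESS.JES AUTHUSER
/*
```

In the RLIST output, check that the universal access is NONE and that the access list names only the IDs you intended. An entry for the anonymous user ID (ANONYMO by default) should be present only if you deliberately permitted it.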