JES spool protection in a CICS environment
Your installation can protect JES spool data sets with profiles in the JESSPOOL class.
Spool files created by the SPOOLOPEN commands have the userid of the CICS® region in their security tokens, not the userid of the person who issued the SPOOLOPEN command. Thus, the userid qualifier in the related JESSPOOL profiles is the CICS region's userid.
When the SPOOLOPEN INPUT command is used, CICS checks that the first four characters of the APPLID correspond to the external writer name of the spool file. This checking is independent of any RACF® checking that might also be done.
When the SPOOLWRITE command is used to write to the internal reader, CICS performs a surrogate user check to verify whether the user is authorized to submit a job with the user ID specified on the job card. For more information, see Security for submitting a JCL job to the internal reader.
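The following REXX exec is an added example, not part of the original IBM text. It shows RACF definitions that match the two points above: a JESSPOOL profile qualified by the CICS region's userid, and a SURROGAT profile for jobs written to the internal reader. NODE1, CICSRGN, SPOOLOPS, JOBUSR and TXNUSR are placeholder names, and the userid.SUBMIT profile form is the standard RACF surrogate job submission convention, assumed here to be what the CICS check uses.

```rexx
/* REXX: added example, not IBM-supplied code.                        */
/* Placeholder names (assumptions, replace with your own):            */
/*   NODE1    local JES node name                                     */
/*   CICSRGN  userid the CICS region runs under                       */
/*   SPOOLOPS group that may read the region's spool files            */
/*   JOBUSR   user ID coded on the JOB card of the submitted JCL      */
/*   TXNUSR   user running the transaction that issues SPOOLWRITE     */
address TSO

/* Activate JESSPOOL and allow generic profiles in that class.        */
"SETROPTS CLASSACT(JESSPOOL) GENERIC(JESSPOOL)"

/* JESSPOOL profile names have the form                               */
/*   node.userid.jobname.jobid.dsnumber.name                          */
/* For files created through SPOOLOPEN the userid qualifier is the    */
/* CICS region's userid, so one profile covers every end user of      */
/* that region. Start from UACC(NONE) and permit explicitly.          */
"RDEFINE JESSPOOL NODE1.CICSRGN.** UACC(NONE)"
"PERMIT NODE1.CICSRGN.** CLASS(JESSPOOL) ID(SPOOLOPS) ACCESS(READ)"
"SETROPTS GENERIC(JESSPOOL) REFRESH"

/* Surrogate check on SPOOLWRITE to the internal reader: the user     */
/* needs READ to <job-card-userid>.SUBMIT in the SURROGAT class.      */
/* Assumes SURROGAT is already active and RACLISTed.                  */
"RDEFINE SURROGAT JOBUSR.SUBMIT UACC(NONE) OWNER(JOBUSR)"
"PERMIT JOBUSR.SUBMIT CLASS(SURROGAT) ID(TXNUSR) ACCESS(READ)"
"SETROPTS RACLIST(SURROGAT) REFRESH"
```

Because the JESSPOOL qualifier is the region userid, access granted through this profile applies to spool output from all users of that region, so keep the permitted group narrow.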