The table below defines the name of each default resource class used in Enterprise Server for JES security, its meaning, the type of resource entities it contains, and the minimum permission that a user requires on the entities.
| JES class name | JES relation (meaning) | Entities | Access level |
|---|---|---|---|
| DATASET | Dataset names. | Files | None, Read, Update, Alter |
| JESINPUT | Conditional access support for commands or jobs entered into the system through a JES input device. INTRDR: jobs submitted via the internal reader as a result of executing JCL. STCINRDR: jobs submitted via the internal reader as a result of the execution of a CICS or IMS transaction. TSUINRDR: jobs submitted via the ESMAC JES "Control" page and/or the cassub command line interface. | INTRDR, STCINRDR, TSUINRDR | None, Read |
| JESJOBS | Controls the submission and cancellation of jobs by job name. | CANCEL: nodename.userid.jobname (job cancellation authority). SUBMIT: nodename.jobname.userid (job submission). Here nodename is the name of the enterprise server. Note: these rules are not typically used, but they provide granularity of control for environments with special requirements. | NONE: allows no access. READ: allows the user to submit jobs. UPDATE: equivalent to READ. CONTROL: equivalent to UPDATE. ALTER: allows jobs to be cancelled. |
| JESSPOOL | Controls access to job data sets on the JES spool (job log, SYSOUT and messages). | localnodeid.userid.jobname.jobid.dsnumber.name, where localnodeid is the name of the enterprise server, dsnumber is the relative dataset number for the job (e.g. 001) and name is the DD name. Note: these rules are not typically used, but they provide granularity of control for environments with special requirements. | NONE: allows no access. READ: allows the user to view the spool data set but not change its attributes; for example, it does not allow the NOKEEP, NOHOLD, DELETE, NEWCLASS and DEST keywords on the OUTPUT command. UPDATE: allows the user to update a spool data set. CONTROL: equivalent to UPDATE. ALTER: allows any operand specified on the TSO OUTPUT command, including deleting and printing; when specified for a discrete profile, it also allows the user to change the profile itself. |
| PHYSFILE | Controls access to the physical file when changes to the dataset are made. See the PHYSFILE usage notes following this table. | Physical files | None, Alter |
| SURROGAT | JES class for controlling access to job submission by surrogates. If UserA wants to submit a job to run as UserB, UserA must have Read access to the entity UserB.SUBMIT in the SURROGAT class. | execution-userid.SUBMIT. For example, if USERA submits a job as USERB's surrogate, Enterprise Server checks that USERA has Read access to the entity USERB.SUBMIT in the SURROGAT class. | None, Read |
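The entity-naming and minimum-level rules in the table, modelled as an added example (not Enterprise Server code): rules live in a constructed in-memory dict keyed by (class, entity, userid), whereas a real deployment holds them in the external security manager. The enterprise server name ESDEMO, the userids and the job names are constructed; the choice of the execution userid for the JESJOBS SUBMIT entity is an assumption, since the table does not say which userid it means.

```python
from typing import Dict, List, Tuple

# Access levels in ascending order; a grant at a level satisfies any
# requirement at that level or below.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

Rule = Tuple[str, str, str]   # (class, entity, userid) -> highest level granted
Check = Tuple[str, str, str]  # (class, entity, required level)

NODE = "ESDEMO"  # constructed nodename / localnodeid (enterprise server name)

# Constructed sample rules standing in for the external security manager.
RULES: Dict[Rule, str] = {
    ("JESINPUT", "INTRDR", "USERA"): "READ",
    ("SURROGAT", "USERB.SUBMIT", "USERA"): "READ",
    ("JESJOBS", "ESDEMO.PAYROLL.USERB", "USERA"): "READ",  # SUBMIT: node.job.userid
    ("JESJOBS", "ESDEMO.USERB.PAYROLL", "USERA"): "READ",  # CANCEL: node.userid.job
    ("JESJOBS", "ESDEMO.USERB.PAYROLL", "OPER1"): "ALTER",
    ("JESSPOOL", "ESDEMO.USERB.PAYROLL.JOB00042.001.SYSOUT", "USERB"): "READ",
}


def permits(cls: str, entity: str, userid: str, required: str,
            rules: Dict[Rule, str] = RULES) -> bool:
    """True if userid holds at least `required` on entity in class cls (default NONE)."""
    granted = rules.get((cls, entity, userid), "NONE")
    return LEVELS.index(granted) >= LEVELS.index(required)


def submit_checks(submitter: str, jobname: str, run_as: str,
                  device: str = "INTRDR") -> List[Check]:
    """Return the checks a job submission fails (empty list means allowed).
    Assumption: the userid in the JESJOBS SUBMIT entity is the userid the job
    runs under; the SURROGAT check applies only when that differs from the submitter."""
    checks: List[Check] = [("JESINPUT", device, "READ"),
                           ("JESJOBS", f"{NODE}.{jobname}.{run_as}", "READ")]
    if run_as != submitter:
        checks.append(("SURROGAT", f"{run_as}.SUBMIT", "READ"))
    return [c for c in checks if not permits(c[0], c[1], submitter, c[2])]


def can_cancel(userid: str, owner: str, jobname: str) -> bool:
    """JESJOBS CANCEL entity nodename.userid.jobname requires ALTER."""
    return permits("JESJOBS", f"{NODE}.{owner}.{jobname}", userid, "ALTER")


def can_read_spool(userid: str, owner: str, jobname: str, jobid: str,
                   dsnumber: int, ddname: str) -> bool:
    """JESSPOOL entity localnodeid.userid.jobname.jobid.dsnumber.name requires READ."""
    entity = f"{NODE}.{owner}.{jobname}.{jobid}.{dsnumber:03d}.{ddname}"
    return permits("JESSPOOL", entity, userid, "READ")
```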
DATASET usage notes

Access rights to files within the dataset are enforced if you have a mainframe dialect Compiler directive set. To ensure that security is also applied when you are not using a mainframe dialect, set the FCDCAT and ASSIGN"EXTERNAL" Compiler directives, then ensure that files are not assigned dynamically or statically in a SELECT statement.

PHYSFILE usage notes

When a user with Alter access to a DATASET class entity makes changes, the PHYSFILE class is checked for access rights before the changes are applied to the physical file. The changes are made only if the user has access rights to PHYSFILE.

For example, in ESMAC, user access to PHYSFILE is verified when a user creates a new file and when the physical file name is changed. The changes are allowed only when the user has access rights to PHYSFILE.

If the PHYSFILE class does not exist, access rights are not verified before the changes to the physical file are made.

Below is an example LDIF definition for PHYSFILE.
```ldif
#########################
# RACF Class = PHYSFILE #
#########################
dn: CN=PHYSFILE,CN=Enterprise Server Resources,CN=Micro Focus,CN=RPIS,DC=mftesting,DC=com
changetype: add
objectClass: top
objectClass: container
description: JES Class for controlling access to physical files

#########################
# physical file MYFILE  #
#########################
# The RDN is the physical file name D:\RPIS\DATA\MYFILE.DAT, with the colon
# escaped as \3A and each backslash doubled as LDIF requires.
dn: CN=D\3A\\RPIS\\DATA\\MYFILE.DAT,CN=PHYSFILE,CN=Enterprise Server Resources,CN=Micro Focus,CN=RPIS,DC=mftesting,DC=com
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: PHYSFILE
microfocus-MFDS-Resource-ACE: allow:ALLUSER group:update
microfocus-MFDS-Resource-ACE: deny:*:execute
microfocus-MFDS-UID: mfuid
```