I think it is noteworthy to state that activating and implementing the JESSPOOL class (and maybe also OPERCMDS) has implications beyond just SDSF.
The profiles for these classes will be checked for other software and user/public tools, for example output archiving and automated operations products. The only security resources owned by SDSF are the profiles in the “SDSF” class. There are some old Share presentations about JESSPOOL that may be useful : Share session 2665 “JES2 RACF Calls, Control Points and Profiles” (2007) Share session 19490 “Security in JES Best Practices” (2016) There was also a presentation I gave to GSE earlier this year entitled “SDSF Security – How it works on z/OS 2.5 and what has changed” that describes the SAF-only approach we now use in SDSF (If anyone wants a copy of this presentation, please let me know). There is also the new “SDSF Security Migration Guide” manual that we released to help with the SAF-only requirements for z/OS 2.5. Rob Scott Rocket Software From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Robert S. Hansel (RSH) Sent: 24 May 2022 14:16 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: SDSF & TSS (RACF) EXTERNAL EMAIL Hi Mark, When a user attempts to select a job, SDSF does an authorization check for each individual SYSOUT DDNAME associated with the job and can generate multiple violations like this. To address this issue, see article " Avoiding Output Browse Violation Messages in SDSF" in the July 2008 issue of our RACF Tips newsletter. https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__July_2008.pdf<https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__July_2008.pdf> Regards, Bob Robert S. Hansel 35 years of RACF Experience Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel<http://www.linkedin.com/in/roberthansel> www.twitter.com/RSH_RACF<http://www.twitter.com/RSH_RACF> www.rshconsulting.com<http://www.rshconsulting.com> -----Original Message----- Date: Mon, 23 May 2022 20:55:48 +0000 From: "Steely.Mark" <steely.m...@aaa-texas.com<mailto:steely.m...@aaa-texas.com>> Subject: SDSF & TSS (RACF) I am trying to convert our SDSF from using ISFPARMS to TSS for security. I need some direction on how to provide security for reports. Currently I am trying to use JESSPOOL to control access. The customer is allowed to view all currently active and held output jobs but may only look at certain JOBS & REPORTS. During testing I have this occurring: The customer is trying to view this job (which the customer is not authorized) COMMAND INPUT ===> PREFIX=* DEST=(ALL) OWNER=* SYSNAME= NP DDNAME StepName ProcStep DSID Owner C Dest JESMSGLG JES2 2 TS0242 R LOCAL JESJCL JES2 3 TS0242 R LOCAL JESYSMSG JES2 4 TS0242 R LOCAL The above is displayed when I put a ? in the Held output screen. This is just to show you the report has 3 different reports. Then the customer goes back to the screen which shows the job name: SDSF HELD OUTPUT DISPLAY ALL CLASSES LINES 55 LINE 1 COMMAND INPUT ===> PREFIX=B1* DEST=(ALL) OWNER=* SORT=JOBNAME/A SYSNAME= NP JOBNAME JobID Owner Prty C ODisp Dest B100042B JOB09087 TS0242 144 R HOLD LOCAL Then select the job and receives the following messages: TSS7257E Unauthorized Access Level for JESSPOOL <ACSCM.TS0242.A200042B.JOB09143.D0000002.JESM> TSS7257E Unauthorized Access Level for JESSPOOL <ACSCM.TS0242.A200042B.JOB09143.D0000003.JESJ> TSS7257E Unauthorized Access Level for JESSPOOL <ACSCM.TS0242.A200042B.JOB09143.D0000004.JESY> TSS7141E Use of Accessor ID Suspended TSS7191E Job/Session Cancelled - Excessive Violations TSS7192E Session Locked - Excessive Violations: Signoff CS0042 LOGGED OFF TSO AT 14:57:54 ON MAY 23, 2022 IKJ56453I SESSION CANCELLED ****** I would hate to think someone would accidently try to look at an output they are not authorized to view and get their ID suspended. Maybe I am going at this all wrong. Is there a different way I should be doing this? Any help would be appreciated. We are currently at z/OS v2.4. Thank You ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu<mailto:lists...@listserv.ua.edu> with the message: INFO IBM-MAIN ================================ Rocket Software, Inc. and subsidiaries ■ 77 Fourth Avenue, Waltham MA 02451 ■ Main Office Toll Free Number: +1 855.577.4323 Contact Customer Support: https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport Unsubscribe from Marketing Messages/Manage Your Subscription Preferences - http://www.rocketsoftware.com/manage-your-email-preferences Privacy Policy - http://www.rocketsoftware.com/company/legal/privacy-policy ================================ This communication and any attachments may contain confidential information of Rocket Software, Inc. All unauthorized use, disclosure or distribution is prohibited. If you are not the intended recipient, please notify Rocket Software immediately and destroy all copies of this communication. Thank you. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
