Hi Ms. Terri,

The OPERCMDS JES2.CANCEL.** profiles protect the JES2 ($C...) cancel command.
I believe you also need to use the OPERCMDS MVS.CANCEL.STC.mbrname.id profile 
to protect the MVS CANCEL command.

So in your case, that would be something like this (if you're running CICS as an 
STC!):
MVS.CANCEL.STC.C30TCI* (G)
MVS.CANCEL.STC.** (G)


Roger W. Suhr

suhr...@gmail.com

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Shaffer, Terri
Sent: Tuesday, February 7, 2023 8:32
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: RACF - SDSF question

Hi,
 I know there is a RACF group, but hopefully this is simple and I am just 
missing something I have done 100 times over with no issues.

We run our CICS regions as batch jobs, and I just found out that a user, instead of 
issuing a CEMT PERF SHUT command, is canceling it.

Which then causes 100 VSAM messages on startup with all the verifies, and if 
something goes wrong they call me...

So I tried to stop this habit. I know they are putting a C beside the CICS and 
a $CJ(xxxxx) command.

So I have 2 rules in RACF under OPERCMDS

JES2.CANCEL.BAT.C30TCI* (G)
JES2.CANCEL.BAT.** (G)

If I restrict the BAT.** then they can't cancel even their own batch jobs, so I 
always thought more specific is looked at first?

One of my previous co-workers implemented SDSF-RACF rules converted from 
ISFPARMS.

Lastly, I understand this doesn’t stop them from canceling any other jobs, but 
since this is a development shop we allow more access than most.

But I don’t want users canceling a CICS or DB2 etc.

Any ideas how they are getting the access and not stopped with the more 
specific rule??


Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide – Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
