Well, at least ~one~ person actually addressed his question!  I was beginning 
to think I was going to have to research it myself, because no one else seemed 
to want to answer and I was beginning to feel a sort of corporate embarrassment 
about it.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* The only thing UFO aliens deserve is to be ignored...and when we finally 
develop the right missiles, to have their smug, silvery little butts shot down. 
 Not a single reported UFO sighting -- if true! -- describes the behavior of 
decent, polite, honorable visitors to our world.  -David Brin in a 1998 on-line 
interview */


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of retired mainframer
Sent: Wednesday, May 6, 2020 18:22

As near as I can tell, the system as delivered uses the OPER resource of the 
TSOAUTH class only to control access to the OPERATOR command.  If you want to 
control the ability to issue JES commands from batch without an exit, you will 
need to update the access list for other classes and profiles.  You could 
duplicate the access list for TSOAUTH(OPER) for each of the profiles 
controlling the commands in question but it might be easier to follow Lizette's 
suggestion and control access to a specific set of job classes and use the JES2 
JOBCLASS initialization statements to allow only those classes to issue 
commands.  Depending on how carefully you want to control which commands are 
issued, you might need to play with the OPERCMDS class also.

The JESJOBS resource class can be used to control the ability to submit jobs 
with names that do not match the userid plus a character.

Other exits, such as IKJEFF53, may also be affected by these actions.

> -----Original Message-----
> From: Robert Hahne
> Sent: Wednesday, May 06, 2020 1:35 PM
> 
> I understand this is a RACF question. But thought someone can help me here.
> We have a requirement where TSO submit exit IKJEFF10 needs to be eliminated.
> Currently it is written to ensure only those users with TSOAUTH(OPER) are
> allowed to submit jobs with any name. Rest of the users are only allowed to
> submit jobs that begin with their USERID.
> 
> Also, the users are not allowed to issue JES commands in batch unless they
> have TSOAUTH(OPER). Can we get both of these requirements done using RACF
> profiles?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
