Hi Gilson, If the CONSOLE class is active, you can use conditional access permissions to limit users to cancelling jobs but only from within SDSF. This works in combination with JESSPOOL profiles, and a user requires ALTER access to the JESSPOOL profile for a job to cancel it.
PERMIT JES2.CANCEL.BAT CLASS(OPERCMDS) ID(*) ACCESS(UPDATE) WHEN(CONSOLE(SDSF)) Users will always be allowed full ALTER access to their own output regardless of what the JESSPOOL profiles allow. You can use the Global Access Table to grant this access more efficiently. RDEFINE GLOBAL JESSPOOL ADDMEM(*.&RACUID.**/ALTER) SETROPTS GLOBAL(JESSPOOL) If the CONSOLE class is not active and you want to activate it to use this capability, you must activate it with care as it is a default return code 8 class (no profile = no access). You could do the following. SETROPTS GENERIC(OPERCMDS) RDEFINE CONSOLE ** UACC(READ) <- Optionally add AUDIT(ALL) for future remediation SETROPTS CLASSACT(CONSOLE) SETROPTS RACLIST(CONSOLE) <- Optional, but recommended for performance Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel www.twitter.com/RSH_RACF www.rshconsulting.com --------------------------------------------------------------------------- Upcoming RSH RACF Training - WebEx - RACF Audit & Compliance Roadmap - OCT 19-23, 2020 - RACF Level I Administration - APR 27 - MAY 1, 2020 - RACF Level II Administration - APR 6-10, 2020 - RACF Level III Admin, Audit, & Compliance - NOV 2-6, 2020 - RACF - Securing z/OS UNIX - SEPT 28 - OCT 2, 2020 --------------------------------------------------------------------------- -----Original Message----- Date: Tue, 18 Feb 2020 06:56:22 -0600 From: Gilson Cesar de Oliveira <gil...@gmail.com> Subject: Restrict users to Purge Jobs in TSO Hello: Does anyone know how to restrict the option to purge sysouts in JES2 Spool through TSO (SDSF) but only the jobs which the user is the owner? We have profiles in OPERCMDS class like JES2.CANCEL.BAT and we would like to restrict the purge option only for sysouts generated by userA. UserB should not have the permission to purge jobs from UserA. Thanks in advance for any help. Regards, Gilson Cesar ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
