Resource Classes for JES Security

The table below defines the name of each default resource class used in Enterprise Server for JES security, its meaning, the type of resource entities it contains, and the minimum permission that a user requires on the entities.

DATASET
    JES relation: Dataset names.
    Entities: Files.
    Access level: None, Read, Update, Alter.

JESINPUT
    JES relation: Conditional access support for commands or jobs entered into the system through a JES input device.
    Entities (input devices):
        INTRDR = Jobs submitted via the Internal Reader as a result of executing JCL.
        STCINRDR = Jobs submitted via the Internal Reader as a result of the execution of a CICS or IMS transaction.
        TSUINRDR = Jobs submitted via the ESMAC JES "Control" page and/or the cassub command line interface.
    Access level: None, Read.

JESJOBS
    JES relation: Controlling the submission and cancellation of jobs by job name.
    Entities:
        CANCEL: nodename.userid.jobname (for job cancellation authority)
        SUBMIT: nodename.jobname.userid (for job submissions)
        where nodename is the name of the enterprise server.
        These rules are not typically used, but they do provide granularity of control for those environments with special requirements.
    Access level:
        NONE: Allows no access.
        READ: Allows the user to submit jobs.
        UPDATE: Equivalent to READ.
        CONTROL: Equivalent to UPDATE.
        ALTER: Allows jobs to be cancelled.

JESSPOOL
    JES relation: Controlling access to job data sets on the JES spool (Joblog, SYSOUT and Messages).
    Entities: localnodeid.userid.jobname.jobid.dsnumber.name
        where
        localnodeid is the name of the enterprise server
        dsnumber is the relative dataset number for the job, e.g. 001
        name is the DD name
        These rules are not typically used, but they do provide granularity of control for those environments with special requirements.
    Access level:
        NONE: Allows no access.
        READ: Allows the user to view the spool data set, but not to change its attributes. For example, this does not allow the following keywords on the OUTPUT command: NOKEEP, NOHOLD, DELETE, NEWCLASS, and DEST.
        UPDATE: Allows the user to update a spool data set.
        CONTROL: Equivalent to UPDATE.
        ALTER: Allows any operand specified on the TSO OUTPUT command, including deleting and printing. Also, when specified for a discrete profile, allows the user to change the profile itself.

PHYSFILE
    JES relation: Controls access to the physical file when changes to the dataset are made. See the PHYSFILE usage notes following this table.
    Entities: Physical files.
    Access level: None, Alter.

SURROGAT
    JES relation: JES class for controlling access to job submission by surrogates. If UserA wants to submit a job to run as UserB, UserA must have Read access in the SURROGAT class to the entity UserB.SUBMIT. For example, if USERA is USERB's surrogate, Enterprise Server checks that USERA has read access to the entity USERB.SUBMIT in the SURROGAT class.
    Entities: execution-userid.SUBMIT
    Access level: None, Read.
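The following is an added worked example covering the JESJOBS, JESSPOOL and SURROGAT rows above; it is not Micro Focus code and not part of this page. It builds entity names in the forms the table gives (note that SUBMIT uses nodename.jobname.userid while CANCEL uses nodename.userid.jobname, so userid and jobname swap places) and evaluates submit and cancel requests against a small in-memory ACL that stands in for the external security manager. The node name NODE1, the users USERA, USERB, USERC and OPER1, the job PAYROLL and all granted levels are constructed. The userid in the SUBMIT entity is taken here to be the userid the job runs under; that is an assumption, since the table does not say which userid is meant.

```python
"""Added example (not Micro Focus code): authorising job submission and
cancellation with the JESJOBS and SURROGAT rules from the table.

The ACL below is a constructed stand-in for the external security manager;
NODE1, USERA, USERB, USERC, OPER1 and PAYROLL are constructed names."""
from dataclasses import dataclass, field

# Ordering of the generic access levels used by the resource classes.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Constructed ACL: class -> entity -> user -> granted level.
ACL = {
    "JESJOBS": {
        "NODE1.PAYROLL.USERA": {"USERA": "READ"},                      # SUBMIT rule
        "NODE1.PAYROLL.USERB": {"USERA": "READ"},                      # SUBMIT rule, job runs as USERB
        "NODE1.USERB.PAYROLL": {"USERA": "UPDATE", "OPER1": "ALTER"},  # CANCEL rule
    },
    "SURROGAT": {
        "USERB.SUBMIT": {"USERA": "READ"},   # USERA may act as USERB's surrogate
    },
}


def granted(acl, cls, entity, user):
    """Level the ACL grants `user` on `entity` in class `cls` (NONE if no rule)."""
    return acl.get(cls, {}).get(entity, {}).get(user, "NONE")


def has_at_least(level, required):
    return LEVELS[level] >= LEVELS[required]


# Entity-name builders in the forms given in the table.
def jesjobs_submit_entity(nodename, jobname, execution_userid):
    # SUBMIT: nodename.jobname.userid (userid assumed here to be the execution userid)
    return f"{nodename}.{jobname}.{execution_userid}"


def jesjobs_cancel_entity(nodename, userid, jobname):
    # CANCEL: nodename.userid.jobname (userid and jobname in the opposite order to SUBMIT)
    return f"{nodename}.{userid}.{jobname}"


def surrogat_entity(execution_userid):
    # SURROGAT: execution-userid.SUBMIT
    return f"{execution_userid}.SUBMIT"


def jesspool_entity(localnodeid, userid, jobname, jobid, dsnumber, ddname):
    # JESSPOOL: localnodeid.userid.jobname.jobid.dsnumber.name, dsnumber as three digits (e.g. 001)
    return f"{localnodeid}.{userid}.{jobname}.{jobid}.{dsnumber:03d}.{ddname}"


@dataclass
class Decision:
    allowed: bool
    checks: list = field(default_factory=list)   # (class, entity, granted level, passed)


def can_submit(acl, nodename, submitter, jobname, execution_userid):
    """JESJOBS needs READ (UPDATE/CONTROL are equivalent to it); running the job
    as another userid additionally needs READ on the SURROGAT entity."""
    d = Decision(True)
    ent = jesjobs_submit_entity(nodename, jobname, execution_userid)
    lvl = granted(acl, "JESJOBS", ent, submitter)
    ok = has_at_least(lvl, "READ")
    d.checks.append(("JESJOBS", ent, lvl, ok))
    d.allowed = d.allowed and ok
    if submitter != execution_userid:
        ent = surrogat_entity(execution_userid)
        lvl = granted(acl, "SURROGAT", ent, submitter)
        ok = has_at_least(lvl, "READ")
        d.checks.append(("SURROGAT", ent, lvl, ok))
        d.allowed = d.allowed and ok
    return d


def can_cancel(acl, nodename, requester, job_owner, jobname):
    """Only ALTER on the CANCEL entity permits cancellation."""
    ent = jesjobs_cancel_entity(nodename, job_owner, jobname)
    lvl = granted(acl, "JESJOBS", ent, requester)
    ok = lvl == "ALTER"
    return Decision(ok, [("JESJOBS", ent, lvl, ok)])


if __name__ == "__main__":
    for args in [("USERA", "PAYROLL", "USERA"), ("USERA", "PAYROLL", "USERB"), ("USERC", "PAYROLL", "USERB")]:
        d = can_submit(ACL, "NODE1", *args)
        print("submit", args, "->", "ALLOW" if d.allowed else "DENY", d.checks)
    for who in ("USERA", "OPER1"):
        d = can_cancel(ACL, "NODE1", who, "USERB", "PAYROLL")
        print("cancel by", who, "->", "ALLOW" if d.allowed else "DENY", d.checks)
    print(jesspool_entity("NODE1", "USERB", "PAYROLL", "JOB00017", 1, "SYSPRINT"))
```

Running the block shows USERA submitting PAYROLL as USERB passing both the JESJOBS and SURROGAT checks, USERC failing both, and USERA's UPDATE on the CANCEL entity being insufficient where OPER1's ALTER succeeds.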

DATASET usage notes

Access rights to files within the dataset are enforced if a mainframe dialect compiler directive is set. To ensure that security is also applied when you are not using a mainframe dialect, set the FCDCAT and ASSIGN"EXTERNAL" compiler directives, then ensure that files are not assigned dynamically or statically in a SELECT statement.

PHYSFILE usage notes

When a user with update access to a DATASET class makes changes, before the changes are applied to the physical file, the PHYSFILE class is checked for access rights. Changes are made only if the user has access rights to PHYSFILE.

For example, in ESMAC, user access to PHYSFILE is verified when a user creates a new file, and when the physical file name is changed. Changes are allowed only when the user has access rights to PHYSFILE.

If the PHYSFILE class does not exist, access is permitted. Note that in this case an access check will still be made (and if the Security Auditing feature is enabled, an access-denied audit record will be generated, unless the "allow unknown resources" option is enabled in the security configuration), but the JES engine treats a security result of "denied because resource class undefined" as an "allow" result.
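The two-stage check described in these usage notes, as an added example that is not Micro Focus code and not part of this page: a change to a dataset first needs UPDATE on the DATASET entity, then ALTER on the PHYSFILE entity, and a PHYSFILE class that is not defined yields an "allow" result while still producing an access-denied audit record unless the "allow unknown resources" option is set. The Esm class is a constructed stand-in for the external security manager, and the dataset name PAYROLL.MASTER, the file path, the users and the audit record format are all constructed.

```python
"""Added example (not Micro Focus code): the two-stage DATASET then PHYSFILE
check described in the usage notes, including how an undefined PHYSFILE class
is handled. Esm is a constructed stand-in for the security manager; the
dataset PAYROLL.MASTER, the file path and the users are constructed."""
from dataclasses import dataclass

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class SecurityConfig:
    auditing_enabled: bool = True          # Security Auditing feature
    allow_unknown_resources: bool = False  # "allow unknown resources" option


class Esm:
    """Constructed stand-in for the external security manager.
    rules: class -> entity -> user -> granted level. A missing class is undefined."""

    def __init__(self, rules):
        self.rules = rules
        self.audit = []   # access-denied audit records written by check()

    def check(self, cls, entity, user, required, cfg):
        """Return 'allow', 'deny' or 'undefined' (the class is not defined)."""
        if cls not in self.rules:
            # The check is still made and is audited as a denial unless the
            # configuration allows unknown resources.
            if cfg.auditing_enabled and not cfg.allow_unknown_resources:
                self.audit.append(f"DENIED class={cls} entity={entity} user={user} reason=class-undefined")
            return "undefined"
        lvl = self.rules[cls].get(entity, {}).get(user, "NONE")
        if LEVELS[lvl] >= LEVELS[required]:
            return "allow"
        if cfg.auditing_enabled:
            self.audit.append(f"DENIED class={cls} entity={entity} user={user} have={lvl} need={required}")
        return "deny"


def change_dataset(esm, cfg, user, dataset, physical_path):
    """Apply a change to `dataset`, which is stored in `physical_path`.
    Stage 1: UPDATE on the DATASET entity. Stage 2: ALTER on the PHYSFILE
    entity, where the JES engine treats 'denied because class undefined' as allow."""
    if esm.check("DATASET", dataset, user, "UPDATE", cfg) != "allow":
        return False
    result = esm.check("PHYSFILE", physical_path, user, "ALTER", cfg)
    return result in ("allow", "undefined")


if __name__ == "__main__":
    path = r"D:\RPIS\DATA\MYFILE.DAT"
    cfg = SecurityConfig()
    # PHYSFILE class not defined: the change succeeds, but an audit record is written.
    esm = Esm({"DATASET": {"PAYROLL.MASTER": {"USERA": "UPDATE"}}})
    print(change_dataset(esm, cfg, "USERA", "PAYROLL.MASTER", path), esm.audit)
    # PHYSFILE defined with only READ for USERA: the change is refused at stage 2.
    esm = Esm({"DATASET": {"PAYROLL.MASTER": {"USERA": "UPDATE"}},
               "PHYSFILE": {path: {"USERA": "READ"}}})
    print(change_dataset(esm, cfg, "USERA", "PAYROLL.MASTER", path), esm.audit)
```

The audit trail is the point to watch when PHYSFILE is left undefined: every dataset change then produces an access-denied record even though the change goes through, which is noisy for anyone reviewing audit output, so either define the class or enable the "allow unknown resources" option deliberately.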

Below is an example LDIF definition for PHYSFILE.

#########################
# RACF Class = PHYSFILE #
#########################
dn: CN=PHYSFILE,CN=Enterprise Server Resources,CN=Micro Focus,CN=RPIS,DC=mftesting,DC=com
changetype: add
objectClass: top
objectClass: container
description: JES Class for controlling access to physical files

#########################
# physical file MYFILE  #
#########################
# The RDN holds the Windows path D:\RPIS\DATA\MYFILE.DAT with ':' escaped as \3A and '\' as \\
dn: CN=D\3A\\RPIS\\DATA\\MYFILE.DAT,CN=PHYSFILE,CN=Enterprise Server Resources,CN=Micro Focus,CN=RPIS,DC=mftesting,DC=com
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: PHYSFILE
microfocus-MFDS-Resource-ACE: allow:ALLUSER group:alter
microfocus-MFDS-UID: mfuid