[prev in list] [next in list] [prev in thread] [next in thread] 

List:       racf-l
Subject:    Re: JOBCLASS protection
From:       Marc Van der Meer1 <Marc_vd_Meer () NL ! IBM ! COM>
Date:       2020-08-20 7:50:12
Message-ID: OFE680E680.B8648C8A-ONC12585CA.002ACA20-C12585CA.002B0C87 () notes ! na ! collabserv ! com
[Download RAW message or body]

Let me rephrase - the switch profiles are in FACILITY, the jobclass 
specific profiles need to be defined in JESJOBS. So the manual is not 
wrong, it simply does not specify JESJOBS.

Marc







From:   Bob Bridges <robhbridges@GMAIL.COM>
To:     RACF-L@LISTSERV.UGA.EDU
Date:   20.08.2020 02:01
Subject:        [EXTERNAL] JOBCLASS protection
Sent by:        RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>


I don't understand the answers this OP has been getting.  I've never done 
it myself, but surely it's simply a matter of creating a profile for 
governing what CLASS may or may not be used and qualifying it using WHEN?

From the SysAdm manual:

/* Quote #1: */
Controlling job class usage:

An installation can control job class usage by granting access based on 
the submitter?s profile, or based on the owner?s profile, or both.  The 
control is based on the presence or absence of two FACILITY class 
profiles:

> If the profile JES.JOBCLASS.OWNER is defined in the FACILITY class, job 
class profiles for owners are enforced.

> If the profile JES.JOBCLASS.SUBMITTER is defined in the FACILITY class, 
job class profiles for submitters are enforced.

> If both profiles are defined in the FACILITY class, a job class must 
pass both sets of profiles before it is considered valid.

> If neither profile is defined in the FACILITY class, any job class can 
be used.

The job class profiles are of the form:

  JOBCLASS.localnodeid.jobclass.jobname

where:
  localnodeid  Is the name of the node on which the job is located
  jobclass     Is the 1 - 8 character job class that is being controlled
  jobname      Is the name that is in the name field of the JOB statement
/* Quote ends */

/* Quote #2: */
Limiting when a user can access the system:

Installations can limit a user's ability to log on by limiting:

> The user's ability to log on to the system to certain days of the week, 
and certain hours within each day

> The use of individual terminals (in the TERMINAL class only) to certain 
days of the week, and certain hours within each day

To limit the times during which a user can enter the system, use the WHEN 
operand on the ADDUSER and ALTUSER commands. For example, to specify that 
USER12 can enter the system only on weekdays between the hours of 7:00 
a.m. and 5:00 p.m., enter:

  ADDUSER USER12 WHEN(DAYS(WEEKDAYS) TIME(0700:1700))

Similarly, to control when users can access the system from a specific 
terminal, specify the WHEN operand on the RDEFINE and RALTER commands for 
the appropriate profile. For example, to specify that terminal TRM07C can 
be used at any time during the week, but not at all during the weekend, 
enter:

  RDEFINE TERMINAL TRM07C WHEN(DAYS(WEEKDAYS))

Note that on the RDEFINE command, TIME(ANYTIME) is the default.  The WHEN 
operand on these commands (for both users and terminals) allows you to 
specify individual days and specific times within these days.
/* Quote ends */

Am I missing something obvious?  Is RACF going to complain that WHEN is 
valid on TERMINAL-class profiles but not on other classes?

---
Bob Bridges, robhbridges@gmail.com, cell 336 382-7313

/* Back in the old days, most families were close-knit.  Grown children 
and their parents continued to live together, under the same roof, 
sometimes in the same small, crowded room, year in and year out, until 
they died, frequently by strangulation.  -Dave Barry */

-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of 
Shaun Totulis
Sent: Wednesday, August 19, 2020 16:55

I have been approached to restrict access to a specific jobclass during
business hours, but to open it up during off hours and weekends.

I am wondering if there is a way to restrict a specific groups access 
based
on day and time.  I think I have heard about something like this but can
not find it anywhere.  Any guidance or a different approach would be
greatly appreciated.




Tenzij hierboven anders aangegeven: / Unless stated otherwise above:
IBM Nederland B.V.
Gevestigd te Amsterdam
Inschrijving Handelsregister Amsterdam Nr. 33054214=
[prev in list] [next in list] [prev in thread] [next in thread]