JES interface level (JESINTERFACELEVEL)

FTP allows for two settings for using the JES interface.

Select "Only jobs that match the ID under which user logged in (JESINTERFACELEVEL=1)", to specify the FTP server to use the JES interface provided in releases prior to OS/390 CS V2R10. At this level, the FTP user can submit jobs to JES, retrieve held output matching their logged-in user ID plus one character, and delete held jobs matching their logged-in user ID plus one character.

Select "Any job on any system where the user has JESSPOOL access. Requires special security setup. (JESINTERFACELEVEL=2)" to allow FTP users the ability to retrieve and delete any job in the system permitted by the security access facility (SAF) resource class JESSPOOL. For that reason, this setting should be specified only if the proper JES and SDSF security measures are in place. The SAF controls used for JESINTERFACELEVEL=2 are essentially a subset of those used by SDSF. Therefore, if an installation has customized SAF facilities for SDSF, then they are configured for FTP JES level 2. Before customizing the FTP-to-JES interface, complete JES customization. For example, JESJOBS is a Security Access Facility (SAF) class that controls which users can submit jobs to JES. JESSPOOL is the SAF that controls which users can access output jobs. Customize these SAF classes before beginning customization of the FTP-to-JES interface.

JESSPOOL defines resource names as <nodeid>.<userid>.<jobname>.<Dsid>.<dsname>. An FTP user can delete an output job if they have ALTER access to the resource that matches their nodeid, userid, and job name. If the FTP user has UPDATE access to the resource, they can list, retrieve, or GET the job output. (JESINTERFACELevel 2 uses the SAPI interface to JES, so UPDATE authority is required to list job status or retrieve job output.) For more information on JES security, refer to z/OS JES2 Initialization and Tuning Guide, SA22-7532. For more information on the SAPI interface, refer to z/OS MVS Using the Subsystem Interface, SA22-7642.

The FTP server employs SDSF resources to use three filters that control display of jobs.

  1. JESSTATUS can be changed with the SITE command to filter jobs in INPUT, ACTIVE, or OUTPUT state. The SDSF resources checked for these states are ISFCMD.DSP.INPUT.jesx, ISFCMD.DSP.ACTIVE.jesx, and ISFCMD.DSP.OUTPUT.jesx, respectively. At login time (USER command), the default value is set to ALL if READ access is allowed to all three classes. Otherwise SDSF attempts to set JESSTATUS to OUTPUT, ACTIVE, and then INPUT if the appropriate READ access is allowed. If no READ access is allowed to any of the classes, JESSTATUS is set to OUTPUT but JESOWNER and JESJOBNAME cannot be changed from the default. In this way, SAF controls can be put in place to limit FTP users to whatever status of jobs an installation requires.
  2. At login time, JESOWNER will have the value of the logged-in user ID. Authority to change JESOWNER is obtained through READ access to RACF profile ISFCMD.FILTER.OWNER. An FTP user who has READ access to ISFCMD.FILTER.OWNER can change the JESOWNER parameter with the SITE command.
  3. JESJOBNAME - At login time, JESJOBNAME will have the value of the logged-in user ID plus an asterisk (*). Authority to change JESJOBNAME is obtained through READ access to RACF profile ISFCMD.FILTER.PREFIX. An FTP user who has READ access to ISFCMD.FILTER.PREFIX can change the JESJOBNAME parameter with the SITE command.