User Authorization to Issue Operator Commands

Several IOA facilities (such as IOAOPR, Control‑O rules) enable users to issue operator commands, including JES2 and JES3 commands.

The IOA security interface checks that the user is authorized to issue an operator command prior to executing the user’s operator command request.

The authorization check is done by verifying that the specified user has access to the entity $$IOACMD.qname.command, where command is derived from the command text.

For example, to authorize processing of requests to issue all operator commands, users must be authorized to access entity $$IOACMD.qname.* or $$IOACMD.qname.**

To allow a user’s request to issue the operator command ‘D J,L’, the user must be authorized to access entity $$IOACMD.qname.D.J.L

The CLASS checked is FACILITY; the entity used to check authorization is: $$IOACMD.qname.command‑text, where command text is the first 20 characters of the operator command, compressed according to the following rules:

• Multiple non-alphanumeric characters are replaced with one period.
• A dot at the end of a command is dropped.
• All non‑alphanumeric characters (blanks, commas, apostrophes, and so on) are replaced with dots.

  Table 10 Operator Command Checking

  Operator Command	Resulting ENTITY Checked
  D J,L	$$IOACMD.qname.D.J.L
  D J,L	$$IOACMD.qname.D.J.L
  SE ‘THIS IS A MESSAGE	$$IOACMD.qname.SE.THIS.IS.A.MESSAGE

The IOASE12 IOA security module verifies the user’s authority to issue operator commands. This module functions in a similar manner under both Basic and Extended Definition modes.

Some IOA components internally issue JES2/operator commands and must be authorized to do so. For example, the Control-M monitor issues $G D JES2 commands when the Extended NJE facility is activated (for details, see the description of the ENHNJE parameter in the INCONTROL for z/OS Installation Guide: Customizing).