In our client's production environment, they want to disable the ESMAC CONTROL JCL Submit function for a series of users. However, they also have a CICS application (TSO CLIST replacement) that submits JCL to the INTRDR via a CASSUB command. They want the same set of users that don't have ESMAC CONTROL JES submission authority to have CASSUB authority for the CICS application. How do we configure the security for this type of environment?

To allow users to issue the cassub command or API and not submit via the JES SUBMIT button, set the CN=cassub,CN=OPERCMDS,CN=Enterprise Server Resources to read access.