How to restrict access to ESMAC activities? Can this be done using MFDS internal security option?

The activities you list are not part of MFDS, so they cannot be restricted using MFDS Internal Security.

All of the activities you mention (submit a job, etc) are part of Enterprise Server Monitor and Control (ESMAC). Although MFDS gives you a link to the ESMAC web site for a server, ESMAC is not part of MFDS. (This unfortunately is not obvious in the user interface.)

ESMAC is provided by an Enterprise Server instance, not by MFDS, so MFDS security has no effect on it.

To restrict options in ESMAC, you have to enable security for your Enterprise Server. The simplest option is to use Enterprise Server legacy security. For more information, see the "Enterprise Server Security" book in the product documentation, particularly the section "Legacy Security Options".

Thanks Michael. But I read the Legacy Security Options but that is very confusing. Can you please tell me the steps to restrict actions like deleting the file, submitting jobs for the user logging to ES admin page

Just curious but why would you give your users access to the admin page ??

Just curious but why would you give your users access to the admin page ??

Setting up security is not a simple process. I can't provide detailed instructions in a forum post. I recommend very strongly that anyone wanting to enable security in Enterprise Server read the related documentation and experiment with the settings until they're comfortable with the ES security architecture.

That said, here is an overview:

1. Create a security manager that uses the casesm (CAS Legacy Security) module
   1. Go to the Security page and the Security Managers tab
   2. Click Add...
   3. Name the manager "CAS Legacy Security" (you can give it any name; this is the one I use below)
   4. For the Module field, enter "casesm"
   5. Click Add
2. Enable security for ES regions using the "Default ES Security" tab of the Security page
   
   1. I suggest initially checking the "Allow unknown users" and "Allow unknown resources" options; you can change these to increase security once you have your initial configuration working
   2. The "Verify against all security managers" and "Use all groups" options have no effect for the configuration I'm describing here, so it doesn't matter what they're set to. There's no reason at this point to enable the "Create audit events" option. The cache options have no effect.
   3. You don't need to put anything in the "Configuration information" area
   4. Click Apply to save the options
   5. Click Add... to add a security manager
   6. Select CAS Legacy Security and click Add
   7. Click OK to save your Default ES Security configuration
3. Enable legacy security for your ES region
   1. Start the region
   2. Go to the ESMAC home page for that region (in ES Admin, edit the server, go to the Control tab, and click ES Monitor & Control)
   3. Define the "mfuser" user, if it is not listed:
      
      1. Click Users, then New (Note: If you do not see the Users button in the left-hand menu of the ESMAC page, stop the region, edit it in ES Admin, go to the Properties tab and then to the Security tab, uncheck "Use default ES security", and click OK. Restart the region and complete the tasks in ESMAC, then stop the region, edit it, and check "Use default ES security" again.)
      2. Set the user name to "mfuser"
      3. Make sure the first checkbox under Security Keys is checked and all the rest are clear
      4. Click Add
   4. If you are not still on the mfuser properties page, edit the mfuser user
   5. Select the "Local ES Security enabled" checkbox and click Apply
4. Using the Users option in ESMAC, define users named "CICSUSER", "IMSUSER", and "JESUSER"
5. Stop and restart the region

The default ESMAC user is the "mfuser" that you just created. Note in the ESMAC user setting page there is a checkbox for "JCL Submit", which is unchecked by default. This will prevent users who do not have an ID of their own from submitting JCL. You can also set a password for the mfuser account, preventing people from using ESMAC without a password. Or you can clear the "ESMAC Access" checkbox for mfuser (though make sure you create another user account you can use for ESMAC first). The "JES" resource access setting for users can be used to restrict access to JES resources.

See the documentation for more information.