Your installation can protect JES spool data sets with profiles in the JESSPOOL class. Spool files created by the SPOOLOPEN commands have the userid of the CICS® region in their security tokens, not the userid of the person who issued the SPOOLOPEN command. Thus, the userid qualifier in the related JESSPOOL profiles is the CICS region's userid.
When using the SPOOLOPEN INPUT command, CICS checks that the first four characters of the APPLID correspond to the external writer name of the spool file. This checking is independent of any RACF® checking that may also be done.