John & Tony, John, you could use JESJOBS to restrict the batch use of non-PROTECTED IDs. If the user does not have READ access to a profile such as the one below, the user would not be permitted to submit jobs having USER=OTHERID with either the password or SURROGAT authority:
JESJOBS SUBMIT.*.*.OTHERID

Use of these profiles would enable you to avoid having to code a submit exit.

Tony, you might not be able to log on even with the password. If trying to enter TSO, the ID would need a UADS entry or a TSO segment with access to TSO resources. If trying to enter FTP, the ID would need an OMVS segment with a uid and be connected to a group with a gid. (BTW, this is an area where FACILITY BPX.DEFAULT.USER can open exposures.)

This has been an interesting thread. I tend to fall into the camp of preferring job naming conventions for jobs submitted by the job scheduler, primarily to identify the corresponding application and owner and thus help production control and security ensure the correct batch ID is being assigned to each job, which can also be enforced with job scheduler exits. Several of my consulting engagements have involved straightening out batch ID assignments and access authority, and the lack of naming conventions makes this a much more difficult task.

Regards, Bob

---------------------------------------------------------------------
Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
www.rshconsulting.com | 617-969-8211

2009 RACF Training
> Audit for Results - Boston - NOV 3-5
Visit our website for registration & details
---------------------------------------------------------------------

-----Original Message-----
Date: Mon, 5 Oct 2009 15:08:18 -0500
From: "Tony B." <[email protected]>
Subject: Re: Multiple jobs/same name

If I knew the password I'd simply log on myself and submit......
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of McKown, John
Sent: Monday, October 05, 2009 2:47 PM
To: [email protected]
Subject: Re: Multiple jobs/same name

> -----Original Message-----
> From: IBM Mainframe Discussion List
> [mailto:[email protected]] On Behalf Of Rick Fochtman
> Sent: Monday, October 05, 2009 2:33 PM
> To: [email protected]
> Subject: Re: Multiple jobs/same name
<snip>
> But you still need to prevent testers from submitting jobs with a
> production USERID. We used a TSO exit to remove USER/PASSWORD parms
> from the JOB statement. Got a better idea?
>
> Please remember: much of what I describe was developed before RACF was
> able to filter job submission.
>
> Rick
>

Use a PROTECTED id in RACF and SURROGAT authority to allow the scheduler's RACF id to submit jobs with the specified ID(s). PROTECTED says that you cannot use USER= & PASSWORD= on the job card to assign the RACF id. RACF will simply not allow it. The attempt fails with a RACF error. SURROGAT says that the scheduler can specify USER= without PASSWORD= to run a job with the specified (authorized) RACF id. This is what we do with CA-7 scheduling.

Of course, you still need the submit exit for non-PROTECTED ids which a person may know the password to. And it is easy to bypass:

//MYIDA    JOB
//SUBMIT   EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN    DD DUMMY
//SYSUT2   DD SYSOUT=(*,INTRDR)
//SYSUT1   DD DISP=SHR,DSN=some.pds(member)

some.pds(member):

//OTHERID  JOB USER=otherid,PASSWORD=password
//* THE REST OF THE JOB
//* ...
//

--
John McKown
Systems Engineer IV
IT Administrative Services Group
HealthMarkets(r)
9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
[email protected] * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
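As an added example, not taken from any of the messages above, here is a batch TSO job that puts both pieces of advice in place at once: John's PROTECTED id plus a SURROGAT profile for the scheduler, and Bob's JESJOBS SUBMIT profile, which is checked by JES as the job is read in and therefore also catches the IEBGENER-to-INTRDR trick, with no TSO submit exit involved. The names OTHERID (the batch id), SCHEDID (the scheduler's RACF id) and PRODSUP (the owning group) are hypothetical; substitute your own.

```jcl
//RACFDEF  JOB (ACCT),'PROTECT BATCH ID',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the thread above. OTHERID, SCHEDID and
//* PRODSUP are hypothetical names.
//*
//* What the SYSTSIN commands do, in order:
//*  1. ALTUSER ... NOPASSWORD NOOIDCARD makes OTHERID a PROTECTED
//*     user: it has no password (NOPHRASE likewise removes a password
//*     phrase on releases that support them), so USER=OTHERID with a
//*     PASSWORD= on a JOB card, or a logon, can never authenticate.
//*  2. SURROGAT profile OTHERID.SUBMIT lets only SCHEDID submit a job
//*     coded USER=OTHERID without a password.
//*  3. JESJOBS profile SUBMIT.*.*.OTHERID (SUBMIT.node.jobname.userid)
//*     lets only SCHEDID submit any job that will run as OTHERID, on
//*     any node, under any jobname. GENERIC(JESJOBS) must be active
//*     before a profile containing * can be defined in that class.
//*  4. Activate and RACLIST both classes, then refresh so the new
//*     profiles take effect, and RLIST to verify the access lists.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
 ALTUSER OTHERID NOPASSWORD NOOIDCARD NOPHRASE
 RDEFINE SURROGAT OTHERID.SUBMIT UACC(NONE) OWNER(PRODSUP)
 PERMIT  OTHERID.SUBMIT CLASS(SURROGAT) ID(SCHEDID) ACCESS(READ)
 SETROPTS GENERIC(JESJOBS)
 RDEFINE JESJOBS SUBMIT.*.*.OTHERID UACC(NONE) OWNER(PRODSUP)
 PERMIT  SUBMIT.*.*.OTHERID CLASS(JESJOBS) ID(SCHEDID) ACCESS(READ)
 SETROPTS CLASSACT(SURROGAT JESJOBS) RACLIST(SURROGAT JESJOBS)
 SETROPTS RACLIST(SURROGAT JESJOBS) REFRESH
 RLIST SURROGAT OTHERID.SUBMIT AUTHUSER
 RLIST JESJOBS  SUBMIT.*.*.OTHERID AUTHUSER
/*
//
```

With this in place, a tester's job carrying USER=OTHERID,PASSWORD=xxx fails twice over: OTHERID is PROTECTED, so the password cannot verify, and the tester has no READ access to SUBMIT.*.*.OTHERID. The same job pushed through an internal reader from a batch step fails for the same reasons, because the JESJOBS check is made on the submitting userid when JES reads the job, not in the TSO SUBMIT command. The scheduler's job, coded USER=OTHERID with no PASSWORD=, passes the SURROGAT check and the JESJOBS check and runs as OTHERID. A caveat worth keeping in mind: the JESJOBS profile restricts who may submit work as OTHERID; it does not stop a user who holds READ on it from submitting whatever JCL they like under that id, so keep that access list to the scheduler and nothing else.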

