Ok, but the only way to submit a job via SYSOUT=(A,INTRDR) is to have TSO in the first place, right? What I'm asking is how users might submit batch who ~don't~ have TSO.
--- Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313 /* In an emergency, a drawstring from a parka hood can be used to strangle a snoring tent mate. -"Camping Tips" */ -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of John Kelly Sent: Wednesday, September 4, 2019 14:21 If they have 'job' authority, they can submit a JOB via SYSOUT(A,INTRDR) --- On Wed, Sep 4, 2019 at 2:06 PM Bob Bridges <robhbrid...@gmail.com> wrote: > Not sure where to ask this, but I've wondered about it off and on for a > while and it's past time I asked. I'm responsible for security at a > mainframe shop where they use a lot of CICS. There are CICS transactions > that fire off batch jobs; the way this place handles it is to submit the > job under the authority of the CICS region ID (USER=<region> on the JOB > card), and give each user of such a transaction the necessary authority. > > This gives me the screaming heeby-jeebies, but when I complain about it I > get little support back. The problem, of course, is that if I'm authorized > to submit jobs with USER=<region> on the JOB card then I can submit ~any~ > such job, to do anything I want that the region can do. (And of course any > installation that's careless about letting folks have that authority is > even more careless about what their CICS regions can do.) > > One argument management offers in mitigation is that most of these CICS > users don't have TSO, so they haven't the ability to submit batch jobs. > Off-hand I can't contradict them, but I'm skeptical. I'm thinking there's > probably a way and I just don't know about it. Can anyone confirm? If I > were a CICS user without the ability to log on to TSO, could I still submit > a batch job somehow? ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN