Portal | Manuals | References | Downloads | Info | Programs | JCLs | Master the Mainframes
IBM Mainframe Computers Forums Index
 
Register
 
IBM Mainframe Computers Forums Index Mainframe: Search IBM Mainframe Forum: FAQ Memberlist Usergroups Profile Log in to check your private messages Log in
 

 

INTRDR USE - WHAT SECURITY PERMISSIONS ARE NEEDED?

 
Post new topic   Reply to topic    IBMMAINFRAMES.com Support Forums -> JCL & VSAM
View previous topic :: :: View next topic  
Author Message
Tom Walker

New User


Joined: 14 May 2009
Posts: 15
Location: Alpharetta, GA

PostPosted: Mon Oct 12, 2009 7:08 pm    Post subject: INTRDR USE - WHAT SECURITY PERMISSIONS ARE NEEDED?
Reply with quote

To set up an ACID (user id) in Top Secret that will be associated with the use of the 'INTRDR' function to submit jobs, what permissions are needed? It must require read access, at least, from our SYS1.PARMLIB, but what other accesses are used? If you only know the RACF permissions, I can probably translate them to Top Secret.
Back to top
View user's profile Send private message

expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8593
Location: Back in jolly old England

PostPosted: Mon Oct 12, 2009 7:13 pm    Post subject:
Reply with quote

Unfortunately a site specific question. You will need to talk to your security people to find out what, if any, protection they have specified for using the INTRDR.

If you are security, then it will be a case of reading the fine manual.
Back to top
View user's profile Send private message
Tom Walker

New User


Joined: 14 May 2009
Posts: 15
Location: Alpharetta, GA

PostPosted: Mon Oct 12, 2009 8:26 pm    Post subject: INTRDR USE - WHAT SECURITY PERMISSIONS ARE NEEDED?
Reply with quote

Not to be argumentative, but it is not entirely a site specific question. Some common resources must be accessible for INTRDR to work, is that not so? Such as the JESSPOOL, STC, and OPERCMDS (these are 'facilities' in Top Secret parlance).
Let me ask a better question: does the job that is submitted by the INTRDR function carry a userid and does that job get its permissions from that userid rather than from the ACID/userid of the INTRDR started task?
Back to top
View user's profile Send private message
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 8120
Location: East Dubuque, Illinois, USA

PostPosted: Mon Oct 12, 2009 8:29 pm    Post subject:
Reply with quote

From the Security Server manual:
Quote:
17.14.3 Authorizing the Use of Input Sources

You can use RACF to limit which sources of input are valid for job submission, including RJP workstations, device readers, nodes, and internal readers. For example, you might want to prevent certain users from entering jobs from a particular RJP workstation.

To authorize the submission of work from specific input sources, take the following steps:

1. Ask your JES system programmer for the following information:

* The name of the device. This is described in the topic on authorizing the use of input sources in z/OS JES2 Initialization and Tuning Guide.

* The user ID or group name of the users you want to authorize or restrict.

* The universal access authority to associate with each device. Valid access authorities for input devices are:

NONE
Specifies that the input device can be used only by those users explicitly permitted through the access list.

READ
Specifies the minimum authority required to use the input source.

2. Define a profile for each input source, as follows:

RDEFINE JESINPUT source-name UACC(NONE)

3. It is strongly recommended that you create a profile with a UACC of READ for all JES input sources that are otherwise not defined:

RDEFINE JESINPUT ** UACC(READ)

This example assumes that a SETROPTS GENERIC(JESINPUT) was previously issued to turn generics on for this class and that a SETROPTS REFRESH was then done.

If you do not, users can access only JES input sources to which they (or their groups) are explicitly authorized.

4. For each protected input source, grant access to the users or groups who need to use it:

PERMIT source-name CLASS(JESINPUT) ID(user-or-group) ACCESS(READ)

5. When you are ready to start using the protection provided by the profiles you have created, activate the JESINPUT class:

SETROPTS CLASSACT(JESINPUT) REFRESH

If you activate this class and create no profiles for it, users cannot submit batch jobs.
As far as user id propagation goes:
Quote:
For each previously validated RACF user who submits a batch job to JES through a JES internal reader, SAF propagates the following security information to the batch job:

* If USER is not specified on the JOB statement, the current RACF user ID is used.

* If PASSWORD is not specified on the JOB statement, the current user password is not required if the submitter propagates.

* If SECLABEL is not specified on the JOB statement, the submitter's current security label is used.

Note: If GROUP is not specified on the JOB statement, the default connect group is used from the user profile of the user used for the job.
Back to top
View user's profile Send private message
Tom Walker

New User


Joined: 14 May 2009
Posts: 15
Location: Alpharetta, GA

PostPosted: Mon Oct 12, 2009 8:41 pm    Post subject: INTRDR USE - WHAT SECURITY PERMISSIONS ARE NEEDED?
Reply with quote

Thank you very much. That is a big help and a guide to my further research.
Back to top
View user's profile Send private message
parsesource

New User


Joined: 06 Feb 2006
Posts: 97

PostPosted: Tue Oct 13, 2009 11:30 pm    Post subject:
Reply with quote

if you have the permissions to to this set the acid into warn mode and track the necessary permissions with TSSUTIL

i think it´s

TSS PER(acid) TERMINAL(INTRDR)
Back to top
View user's profile Send private message
View previous topic :: :: View next topic  
Post new topic   Reply to topic    IBMMAINFRAMES.com Support Forums -> JCL & VSAM All times are GMT + 6 Hours
Page 1 of 1

 

Search our Forum:

Similar Topics
Topic Author Forum Replies Posted
This topic is locked: you cannot edit posts or make replies. SORT trick needed bshkris SYNCSORT 6 Tue May 02, 2017 4:35 am
No new posts SDSF and SAF security danik56 TSO/ISPF 3 Wed Mar 15, 2017 12:51 pm
No new posts Help Needed with View Direct shailesh_do CA Products 2 Wed Jul 13, 2016 10:39 am
This topic is locked: you cannot edit posts or make replies. BBC is seeking a Security Operations ... Express Mainframe Jobs 0 Tue Dec 22, 2015 1:20 am
No new posts Information needed on using the COBAN... venugopal.dondla COBOL Programming 5 Thu Oct 08, 2015 3:34 pm


Facebook
Back to Top
 
Mainframe Wiki | Forum Rules | Bookmarks | Subscriptions | FAQ | Tutorials | Contact Us