|
View previous topic :: View next topic
|
| Author |
Message |
Tom Walker
New User
Joined: 14 May 2009
Posts: 15
Location: Alpharetta, GA
|
|
|
|
| To set up an ACID (user id) in Top Secret that will be associated with the use of the 'INTRDR' function to submit jobs, what permissions are needed? It must require read access, at least, from our SYS1.PARMLIB, but what other accesses are used? If you only know the RACF permissions, I can probably translate them to Top Secret. |
|
| Back to top |
|
 |
expat
Global Moderator
Joined: 14 Mar 2007
Posts: 8797
Location: Welsh Wales
|
|
|
|
Unfortunately a site specific question. You will need to talk to your security people to find out what, if any, protection they have specified for using the INTRDR.
If you are security, then it will be a case of reading the fine manual. |
|
| Back to top |
|
|
Tom Walker
New User
Joined: 14 May 2009
Posts: 15
Location: Alpharetta, GA
|
|
|
|
Not to be argumentative, but it is not entirely a site specific question. Some common resources must be accessible for INTRDR to work, is that not so? Such as the JESSPOOL, STC, and OPERCMDS (these are 'facilities' in Top Secret parlance).
Let me ask a better question: does the job that is submitted by the INTRDR function carry a userid and does that job get its permissions from that userid rather than from the ACID/userid of the INTRDR started task? |
|
| Back to top |
|
|
Robert Sample
Global Moderator
Joined: 06 Jun 2008
Posts: 8697
Location: Dubuque, Iowa, USA
|
|
|
|
From the Security Server manual:
| Quote: |
17.14.3 Authorizing the Use of Input Sources
You can use RACF to limit which sources of input are valid for job submission, including RJP workstations, device readers, nodes, and internal readers. For example, you might want to prevent certain users from entering jobs from a particular RJP workstation.
To authorize the submission of work from specific input sources, take the following steps:
1. Ask your JES system programmer for the following information:
* The name of the device. This is described in the topic on authorizing the use of input sources in z/OS JES2 Initialization and Tuning Guide.
* The user ID or group name of the users you want to authorize or restrict.
* The universal access authority to associate with each device. Valid access authorities for input devices are:
NONE
Specifies that the input device can be used only by those users explicitly permitted through the access list.
READ
Specifies the minimum authority required to use the input source.
2. Define a profile for each input source, as follows:
RDEFINE JESINPUT source-name UACC(NONE)
3. It is strongly recommended that you create a profile with a UACC of READ for all JES input sources that are otherwise not defined:
RDEFINE JESINPUT ** UACC(READ)
This example assumes that a SETROPTS GENERIC(JESINPUT) was previously issued to turn generics on for this class and that a SETROPTS REFRESH was then done.
If you do not, users can access only JES input sources to which they (or their groups) are explicitly authorized.
4. For each protected input source, grant access to the users or groups who need to use it:
PERMIT source-name CLASS(JESINPUT) ID(user-or-group) ACCESS(READ)
5. When you are ready to start using the protection provided by the profiles you have created, activate the JESINPUT class:
SETROPTS CLASSACT(JESINPUT) REFRESH
If you activate this class and create no profiles for it, users cannot submit batch jobs. |
As far as user id propagation goes:
| Quote: |
For each previously validated RACF user who submits a batch job to JES through a JES internal reader, SAF propagates the following security information to the batch job:
* If USER is not specified on the JOB statement, the current RACF user ID is used.
* If PASSWORD is not specified on the JOB statement, the current user password is not required if the submitter propagates.
* If SECLABEL is not specified on the JOB statement, the submitter's current security label is used.
Note: If GROUP is not specified on the JOB statement, the default connect group is used from the user profile of the user used for the job. |
|
|
| Back to top |
|
|
Tom Walker
New User
Joined: 14 May 2009
Posts: 15
Location: Alpharetta, GA
|
|
|
|
| Thank you very much. That is a big help and a guide to my further research. |
|
| Back to top |
|
|
parsesource
New User
Joined: 06 Feb 2006
Posts: 97
|
|
|
|
if you have the permissions to to this set the acid into warn mode and track the necessary permissions with TSSUTIL
i think it´s
TSS PER(acid) TERMINAL(INTRDR) |
|
| Back to top |
|
|
|
|
