IBM Mainframe Forum Index
 
Log In
 
IBM Mainframe Forum Index Mainframe: Search IBM Mainframe Forum: FAQ Register
 

Don't allow CICS to submit batch jobs


IBM Mainframe Forums -> JCL & VSAM
Post new topic   Reply to topic
View previous topic :: View next topic  
Author Message
prino

Senior Member


Joined: 07 Feb 2009
Posts: 1306
Location: Vilnius, Lithuania

PostPosted: Mon Jul 25, 2016 3:26 pm
Reply with quote

The title tells it all, we ("that system") want to totally prevent users from submitting batch jobs from CICS using RACF.

Any clues? Feel free to PM me if replies are sensitive.
Back to top
View user's profile Send private message
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8797
Location: Welsh Wales

PostPosted: Mon Jul 25, 2016 5:32 pm
Reply with quote

If CICS uses the INTRDR, then that can be controlled via RACF
Back to top
View user's profile Send private message
steve-myers

Active Member


Joined: 30 Nov 2013
Posts: 917
Location: The Universe

PostPosted: Mon Jul 25, 2016 7:42 pm
Reply with quote

expat wrote:
If CICS uses the INTRDR, then that can be controlled via RACF

There is a RACF class PROPCNTL, resource xxxx, where xxxx is the jobname of the CICS, but it appears the "perp" was bypassing whatever CICS interface is used for batch job submission, which presumably tests this resource.

Outside of TSO, there is no RACF capability to deny use of INTRDR.
Back to top
View user's profile Send private message
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8797
Location: Welsh Wales

PostPosted: Mon Jul 25, 2016 7:54 pm
Reply with quote

steve-myers wrote:
Outside of TSO, there is no RACF capability to deny use of INTRDR.


www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.hasa300/has2v5_Securing_resources.htm
Back to top
View user's profile Send private message
steve-myers

Active Member


Joined: 30 Nov 2013
Posts: 917
Location: The Universe

PostPosted: Mon Jul 25, 2016 8:28 pm
Reply with quote

Interesting. I didn't know about JESINPUT/INTRDR. It will need more analysis.
Back to top
View user's profile Send private message
Rohit Umarjikar

Global Moderator


Joined: 21 Sep 2010
Posts: 3048
Location: NYC,USA

PostPosted: Mon Jul 25, 2016 9:42 pm
Reply with quote

Also,
Code:
Attention:
Any CICS user, whether signed on or not, is able to submit jobs that use the SURROGAT userid, if the CICS userid has authority for SURROGAT. If your installation is using transient data queues to submit jobs, you can control who is allowed to write to the transient data queue that goes to the internal reader. However, if your installation is using EXEC CICS SPOOLOPEN to submit jobs, you cannot control who can submit jobs (without writing an API global user exit program to screen the commands). CICS spool commands do no CICS resource or command checking.
You can use an EXEC CICS ASSIGN USERID command to find the userid of the user who triggered the application code. Application programmers can then provide code that edits a USER operand onto the JOB card destined for the internal reader.For a complete description of surrogate job submission support, see the z/OS Security Server RACF Security Administrator's Guide

SETROPTS
LOGON/JOB INITIATION - NOT AUTHORIZED TO APPLICATION
Back to top
View user's profile Send private message
View previous topic :: :: View next topic  
Post new topic   Reply to topic View Bookmarks
All times are GMT + 6 Hours
Forum Index -> JCL & VSAM

 


Similar Topics
Topic Forum Replies
No new posts Using API Gateway from CICS program CICS 0
No new posts How to get a stack trace on a looping... ABENDS & Debugging 5
No new posts Calling Java method from batch COBOL ... COBOL Programming 5
No new posts How to create a list of SAR jobs with... CA Products 3
No new posts Calling an Open C library function in... CICS 1
Search our Forums:

Back to Top