prino
Senior Member
Joined: 07 Feb 2009 Posts: 1306 Location: Vilnius, Lithuania
The title tells it all, we ("that system") want to totally prevent users from submitting batch jobs from CICS using RACF.
Any clues? Feel free to PM me if replies are sensitive.
expat
Global Moderator
Joined: 14 Mar 2007 Posts: 8797 Location: Welsh Wales
If CICS uses the INTRDR, then that can be controlled via RACF.
steve-myers
Active Member
Joined: 30 Nov 2013 Posts: 917 Location: The Universe
expat wrote:
    If CICS uses the INTRDR, then that can be controlled via RACF

There is a RACF class PROPCNTL, resource xxxx, where xxxx is the jobname of the CICS, but it appears the "perp" was bypassing whatever CICS interface is used for batch job submission, which presumably tests this resource.
Outside of TSO, there is no RACF capability to deny use of INTRDR.
expat
Global Moderator
Joined: 14 Mar 2007 Posts: 8797 Location: Welsh Wales
steve-myers
Active Member
Joined: 30 Nov 2013 Posts: 917 Location: The Universe
Interesting. I didn't know about JESINPUT/INTRDR. It will need more analysis.
Rohit Umarjikar
Global Moderator
Joined: 21 Sep 2010 Posts: 3048 Location: NYC,USA
Also:

    Attention:
    Any CICS user, whether signed on or not, is able to submit jobs that use the SURROGAT userid, if the CICS userid has authority for SURROGAT. If your installation is using transient data queues to submit jobs, you can control who is allowed to write to the transient data queue that goes to the internal reader. However, if your installation is using EXEC CICS SPOOLOPEN to submit jobs, you cannot control who can submit jobs (without writing an API global user exit program to screen the commands). CICS spool commands do no CICS resource or command checking.

    You can use an EXEC CICS ASSIGN USERID command to find the userid of the user who triggered the application code. Application programmers can then provide code that edits a USER operand onto the JOB card destined for the internal reader. For a complete description of surrogate job submission support, see the z/OS Security Server RACF Security Administrator's Guide.

SETROPTS
LOGON/JOB INITIATION - NOT AUTHORIZED TO APPLICATION
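The thread names three RACF controls that each cover a different way a job can leave CICS for the internal reader: JESINPUT (who may submit through INTRDR at all), PROPCNTL (whether the region's user ID is propagated onto jobs it submits), and SURROGAT (whether the region may submit jobs with USER= on the JOB card, which the quoted CICS text points out SPOOLOPEN does not check). The job below is an added example, not posted in the thread and not IBM's sample; it runs the RACF commands through the TSO batch interface. The user IDs CICSPROD (the CICS region user ID), BATCHUSR (a user whose ID could appear in USER= on a job card) and the group CICSSYSP (TSO users who still need to submit through INTRDR) are assumed names for illustration, and the job card and SYSOUT classes are site placeholders.

```jcl
//RACFLOCK JOB (ACCT),'CICS INTRDR LOCKDOWN',CLASS=A,MSGCLASS=X
//* Added example (not from the thread). Assumed names:
//*   CICSPROD - user ID the CICS region runs under
//*   BATCHUSR - a user ID that might be placed on a JOB card via USER=
//*   CICSSYSP - group of TSO users who legitimately submit via INTRDR
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* 1. JESINPUT: INTRDR is the profile name for the internal reader. */
 /*    UACC(NONE) rejects every submitter not explicitly permitted.   */
 /*    WARNING logs instead of failing while you find out who else    */
 /*    uses INTRDR (TSO SUBMIT, schedulers, FTP/JES); remove it with  */
 /*    RALTER ... NOWARNING once the SMF records show only expected   */
 /*    users. The CICS region user ID is deliberately NOT permitted.  */
 RDEFINE  JESINPUT INTRDR UACC(NONE) WARNING
 PERMIT   INTRDR CLASS(JESINPUT) ID(CICSSYSP) ACCESS(READ)
 /* 2. PROPCNTL: profile name is the user ID whose identity must not  */
 /*    be propagated, so a job submitted by the region with no USER=  */
 /*    does not inherit CICSPROD.                                      */
 RDEFINE  PROPCNTL CICSPROD UACC(NONE)
 /* 3. SURROGAT: a JOB card carrying USER=BATCHUSR is checked against */
 /*    BATCHUSR.SUBMIT. Define it with no UACC and do not permit      */
 /*    CICSPROD, so the region cannot submit on BATCHUSR's behalf.    */
 RDEFINE  SURROGAT BATCHUSR.SUBMIT UACC(NONE)
 /* 4. Activate the classes; PROPCNTL and SURROGAT are RACLISTed.     */
 /*    After later profile changes use SETROPTS RACLIST(...) REFRESH. */
 SETROPTS CLASSACT(JESINPUT PROPCNTL SURROGAT)
 SETROPTS RACLIST(PROPCNTL SURROGAT)
 /* 5. Verify what RACF now holds before trusting it.                 */
 RLIST    JESINPUT INTRDR AUTHUSER
 RLIST    PROPCNTL CICSPROD
 RLIST    SURROGAT BATCHUSR.SUBMIT AUTHUSER
 SETROPTS LIST
/*
```

Check SYSTSPRT for each command's return code; RDEFINE fails if a profile already exists, in which case use RALTER/PERMIT against the existing profile instead. Note that the three controls are complementary, not alternatives: JESINPUT only stops the job if the user ID the job will run under lacks READ on INTRDR, so a job that a CICS application builds with USER= of a permitted TSO user still needs SURROGAT to reject it, and PROPCNTL closes the no-USER= path. Because CICS spool commands perform no CICS resource checking (as the quoted text says), the enforcement has to live in RACF/JES rather than in CICS transaction security.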