Job descriptions and security

Every job in the system uses a job description during job initiation. This controls the various attributes of a job. The USER parameter controls the name of the user profile assigned to the job. A job description that has a user profile name (USER) specified should be authorized only to specific individuals. If not, at security level 30 and below, other users will be able to submit jobs to run under that user profile.

For example, consider

CRTJOBD JOBD(XX) USER(JONES) . . . AUT(*USE)

This example has security risks because any user can submit a job using the XX job description, and be authorized to whatever JONES is authorized to. If this type of job description is used on a workstation entry, it allows anyone to sign on as that user just by pressing the Enter key. To avoid any security exposure, do not authorize this type of job description to *PUBLIC.

Note: At security level 40 and 50, the Submit Job (SBMJOB) command requires the submitter to be authorized (*USE) to the user profile named in the job description. This assumes that the SBMJOB specifies user (*JOBD). Nevertheless, avoid specifying a user in a job description unless it is needed for some specific reason (such as an autostart job) and you tightly control access to it.

USER Parameter and Interactive Jobs

The job description to be used is defined on the Add Work Station Entry (ADDWSE) command. The default is to use the job description in the user profile. If USER(*RQD) is specified in the job description, the user must enter a user name. If USER(xxxx) is specified (where xxxx is a specific user profile name), the user is allowed to press the Enter key on the signon display and operate under the xxxx user profile name, unless the security level is 40 or higher.

USER Parameter and Batch Jobs

The job description used for batch jobs is specified on the Submit Job (SBMJOB) or Batch Job (BCHJOB) command.

If an input stream is entered that contains the BCHJOB command, the user entering one of the Start Reader commands ( STRDBRDR, STRDKTRDR) or one of the Submit Job commands (SBMDBJOB, SBMDKTJOB, and so on.) must have object operational authority (*OBJOPR) to the job description that is specified. When an input stream is used, jobs always operate under the user profile of the job description and not of the user who is placing the jobs on the job queue. If USR(*RQD) is specified in the job description, it is invalid to use the job description on a BCHJOB command.

If a SBMJOB command is used, the command defaults so that the batch job operates under the user profile name of the submitter. However, if USER(*JOBD) is specified on the SBMJOB command, the job operates under the name specified in the USER parameter of the job description.

Frequently a specific name in the job description is required to let users submit work for a specific user profile. For example, the QBATCH job description is shipped with USER(QPGMR) to allow this. To avoid any security exposure, do not authorize this type of job description to *PUBLIC.