<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Job descriptions and security" />
<meta name="abstract" content="Every job in the system uses a job description during job initiation. This controls the various attributes of a job. The USER parameter controls the name of the user profile assigned to the job. A job description that has a user profile name (USER) specified should be authorized only to specific individuals. If not, at security level 30 and below, other users will be able to submit jobs to run under that user profile." />
<meta name="description" content="Every job in the system uses a job description during job initiation. This controls the various attributes of a job. The USER parameter controls the name of the user profile assigned to the job. A job description that has a user profile name (USER) specified should be authorized only to specific individuals. If not, at security level 30 and below, other users will be able to submit jobs to run under that user profile." />
<meta name="DC.Relation" scheme="URI" content="rzaksjobcharacter.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2004-2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2004-2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaksjobdescnsecurity" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Job descriptions and security</title>
</head>
<body id="rzaksjobdescnsecurity"><a name="rzaksjobdescnsecurity"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Job descriptions and security</h1>
<div><p>Every job in the system uses a job description during job initiation.
The job description controls the various attributes of a job. The USER parameter
controls the name of the user profile assigned to the job. A job description that
has a user profile name (USER) specified should be authorized only to specific
individuals. Otherwise, at security level 30 and below, other users will be able
to submit jobs to run under that user profile.</p>
<div class="p">For example, consider <blockquote><pre>CRTJOBD JOBD(XX) USER(JONES) . . . AUT(*USE)</pre>
</blockquote>
This example has security risks because any user can submit a job using the XX
job description and be authorized to whatever JONES is authorized to. If
this type of job description is used on a workstation entry, it allows anyone
to sign on as that user just by pressing the Enter key. To avoid any security
exposure, do not authorize this type of job description to *PUBLIC.</div>
<div class="note"><span class="notetitle">Note:</span> At security levels 40 and 50, the Submit Job (<span class="cmdname">SBMJOB</span>)
command requires the submitter to be authorized (*USE) to the user profile
named in the job description. This assumes that the <span class="cmdname">SBMJOB</span> command specifies
USER(*JOBD). Nevertheless, avoid specifying a user in a job description unless
it is needed for some specific reason (such as an autostart job) and you tightly
control access to it.</div>
<div class="section"><h4 class="sectiontitle">USER Parameter and Interactive Jobs</h4><p>The job description
to be used is defined on the Add Work Station Entry (<span class="cmdname">ADDWSE</span>)
command. The default is to use the job description in the user profile. If
USER(*RQD) is specified in the job description, the user must enter a user
name. If USER(xxxx) is specified (where xxxx is a specific user profile name),
the user is allowed to press the Enter key on the signon display and operate
under the xxxx user profile name, unless the security level is 40 or higher.</p>
</div>
<div class="section"><h4 class="sectiontitle">USER Parameter and Batch Jobs</h4><p>The job description
used for batch jobs is specified on the Submit Job (<span class="cmdname">SBMJOB</span>)
or Batch Job (<span class="cmdname">BCHJOB</span>) command.</p>
<p>If an input stream
is entered that contains the BCHJOB command, the user entering one of the
Start Reader commands (<span class="cmdname">STRDBRDR</span>, <span class="cmdname">STRDKTRDR</span>)
or one of the Submit Job commands (<span class="cmdname">SBMDBJOB</span>, <span class="cmdname">SBMDKTJOB</span>,
and so on) must have object operational authority (*OBJOPR) to the job description
that is specified. When an input stream is used, jobs always operate under
the user profile of the job description and not of the user who is placing
the jobs on the job queue. If USER(*RQD) is specified in the job description,
it is invalid to use the job description on a <span class="cmdname">BCHJOB</span> command.</p>
<p>If
a <span class="cmdname">SBMJOB</span> command is used, the command defaults so that
the batch job operates under the user profile name of the submitter. However,
if USER(*JOBD) is specified on the <span class="cmdname">SBMJOB</span> command, the
job operates under the name specified in the USER parameter of the job description.</p>
<p>Frequently,
a specific name in the job description is required to let users submit work
for a specific user profile. For example, the QBATCH job description is shipped
with USER(QPGMR) to allow this. To avoid any security exposure, do not authorize
this type of job description to *PUBLIC.</p>
</div>
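<p>The exposure described above and its correction, written as CL commands (an added example, not part of the original IBM topic). The library MYLIB, the profile SMITH and the job description WSJOBD are hypothetical; XX and JONES are the names used in the example earlier on this page.</p>

```cl
/* Added example. MYLIB, SMITH and WSJOBD are hypothetical names.         */

/* 1. Check the security level. At 30 and below, authority to the job    */
/*    description alone decides who can run work under its USER profile. */
DSPSYSVAL SYSVAL(QSECURITY)

/* 2. Report job descriptions in a library that name a user profile and  */
/*    whose *PUBLIC authority is not *EXCLUDE.                           */
PRTJOBDAUT LIB(MYLIB)

/* Weak setting: *PUBLIC receives *USE, so any user can submit a job     */
/* with this job description and run it under JONES.                     */
CRTJOBD JOBD(MYLIB/XX) USER(JONES) AUT(*USE)

/* Corrected setting for an existing job description: exclude *PUBLIC,   */
/* then authorize only the specific individual who needs it.             */
GRTOBJAUT OBJ(MYLIB/XX) OBJTYPE(*JOBD) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(MYLIB/XX) OBJTYPE(*JOBD) USER(SMITH) AUT(*USE)

/* Job description referenced by a workstation entry: require a user    */
/* name at sign-on instead of naming a profile.                          */
CHGJOBD JOBD(MYLIB/WSJOBD) USER(*RQD)

/* 3. Confirm the resulting authorities.                                 */
DSPOBJAUT OBJ(MYLIB/XX) OBJTYPE(*JOBD)
```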
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaksjobcharacter.htm" title="Work management provides a way for you to control the work done on your system through a job's attributes. However, before you can control the various aspects of a job, you need to understand the different characteristics of a job.">Job characteristics</a></div>
</div>
</div>
</body>
</html>