ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaks_5.4.0.1/rzaksprestrtjobsecurity.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Security and prestart jobs" />
<meta name="abstract" content="When a prestart job starts, it runs under the prestart job user profile. When a program start request attaches to a prestart job, the prestart job user profile is replaced by the program start request user profile. When the prestart job is finished handling a program start request, the program start request user profile is replaced by the prestart job user profile. If there is a group profile associated with the user profile, the group profile is also exchanged." />
<meta name="description" content="When a prestart job starts, it runs under the prestart job user profile. When a program start request attaches to a prestart job, the prestart job user profile is replaced by the program start request user profile. When the prestart job is finished handling a program start request, the program start request user profile is replaced by the prestart job user profile. If there is a group profile associated with the user profile, the group profile is also exchanged." />
<meta name="DC.Relation" scheme="URI" content="rzaksprestarttype.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaksprestartjobname.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaksaboutprestartjobs.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaksprestartentry.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaksprestartjobtips.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaksprestjobspoolfile.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2004-2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2004-2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaksprestrtjobsecurity" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Security and prestart jobs</title>
</head>
<body id="rzaksprestrtjobsecurity"><a name="rzaksprestrtjobsecurity"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Security and prestart jobs</h1>
<div><p>When a prestart job starts, it runs under the prestart job user
profile. When a program start request attaches to a prestart job, the prestart
job user profile is replaced by the program start request user profile. When
the prestart job is finished handling a program start request, the program
start request user profile is replaced by the prestart job user profile. If
there is a group profile associated with the user profile, the group profile
is also exchanged.</p>
<p>The exchange of the user profile is for authority checking only. None of
the other attributes associated with the user profile are exchanged. Libraries
on the library list to which the prestart job entry user profile is authorized
continue to be authorized to the prestart job when the program start request
user profile replaces the prestart job entry user profile. However, the library
list can be changed by the Change Library List (CHGLIBL) command.</p>
<div class="section"><h4 class="sectiontitle">Prestart job object authorization</h4><p>When a prestart
job starts, authority checking against the prestart job entry user profile
is performed on every object that is needed for starting a job. Before a program
start request is allowed to attach a prestart job, only the program start
request user profile/password and its authority to the communications devices
and library/program is checked. </p>
<p>To avoid occurrences where the program
start request user profile is not authorized to objects that the prestart
job entry user profile is authorized to, you must ensure that the program
start request user profile is authorized to at least as many objects as the
prestart job entry user profile. To accomplish this, the prestart job program
can be created by the prestart job entry user with USRPRF(*OWNER) specified
on the CRTxxxPGM (where xxx is the program language) command. The program
owner authority will automatically be transferred to any programs called by
the prestart job program. Otherwise, you may choose to explicitly check object
authorization (CHKOBJ) before referring to any objects.</p>
<p>Files and objects
that the prestart job user profile is not authorized to should be closed and
deallocated before the end of the transaction is performed on the requestor
device. If database files are left open in the prestart job, in order to guarantee
database security, the prestart job program must check the program start request
user profile authority to the open files.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaksprestarttype.htm" title="A prestart job is a batch job that starts running before a work request is received. The prestart jobs are started before any other types of jobs in a subsystem. Prestart jobs are different from other jobs because they use prestart job entries (part of the subsystem description) to determine which program, class, and storage pool to use when they are started.">Prestart jobs</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzaksprestartjobname.htm" title="The fully qualified three-part name of the prestart job never changes once a prestart job is started. The user name of the fully qualified three-part job name always contains the user profile under which the prestart job is started.">Prestart job name</a></div>
<div><a href="rzaksaboutprestartjobs.htm" title="A prestart job is a job that is started before the work arrives. This allows the system to handle a request for work without the delay caused by starting a new job.">How prestart jobs work</a></div>
<div><a href="rzaksprestartentry.htm" title="You define the prestart job by using a prestart job entry. A prestart job entry does not affect the device allocation or program start request assignment.">Prestart job entries</a></div>
<div><a href="rzaksprestartjobtips.htm" title="The prestart job should do as much work as possible before it attempts to acquire an ICF program device or accept a CPI Communications conversation. The more work it does initially (allocating objects, opening database files, and so on), the less it will need to do when a program start request is received, therefore giving the transaction faster response time. The following are some additional performance considerations when using prestart jobs:">Performance tips for prestart jobs</a></div>
<div><a href="rzaksprestjobspoolfile.htm" title="If a spool file is opened before a prestart job handles any program start request, the spool file is associated with the prestart job entry user profile; otherwise it is associated with the current program start request user profile.">Spooled file and the prestart job entry</a></div>
</div>
</div>
</body>
</html>