Allow a userid to submit a batch job with a different userid and no password with ACF2

Article ID: 141597


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

On a system running ACF2, how can a batch job be submitted by a logged-on user but run under a different userid without having to specify a password on the job card, i.e. with just USER=?

What is the RESTRICT attribute on the logonid?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

RESTRICT specifies that the logonid is intended for production batch use (not for online or STC use) and does not require a password. By itself, this privilege makes a logonid vulnerable to unauthorized use, and is not suitable for production work (but could be used for a batch default logonid with limited read/write/alloc access). 

To set up the use of RESTRICT, the logonid used for the USER= or //*LOGONID must have the RESTRICT attribute. Use the following commands:

Set LID
CHANGE lid RESTRICT

When CA ACF2 reads the restricted logonid it will validate the access by the restricted logonid and create a logging record. The ACFRPTJL report displays a log of all system accesses by logonids with the RESTRICT field.

For example, if I have a logonid ABCDE123 with the RESTRICT attribute and I specify USER=ABCDE123 on the job card, the job will execute:

12.06.10 JOB06069 ---- MONDAY,    25 NOV 2019 ----                             
12.06.10 JOB06069  $HASP373 MYID1234A STARTED - INIT 1    - CLASS A        - SYS
12.06.10 JOB06069  ACF9CCCD USERID ABCDE123 IS ASSIGNED TO THIS JOB - MYID1234A 
12.06.10 JOB06069  IEF403I MYID1234A - STARTED - TIME=12.06.10                  
12.06.10 JOB06069  IEF404I MYID1234A - ENDED - TIME=12.06.10                    
12.06.10 JOB06069  $HASP395 MYID1234A ENDED - RC=0000    

However, when I submit the same job with a logonid ABCDE124 that does not have the RESTRICT attribute, it receives the error 'ACF01007 A PASSWORD IS REQUIRED FOR LOGONID ABCDE124 xxxxxx' and does not execute:

//MYID1234A JOB  (11830000),'OS/MVS',MSGCLASS=X,MSGLEVEL=(1,1),         
//         NOTIFY=MYID1234,TIME=1439,CLASS=A,USER=ABCDE124               
//* ACF01007 A PASSWORD IS REQUIRED FOR LOGONID ABCDE124 xxxxxx       
//      EXEC PGM=IEFBR14                                               
/*                                                                     
$HASP106 JOB DELETED BY JES2 OR CANCELLED BY OPERATOR BEFORE EXECUTION  
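
Because a RESTRICT logonid can be named on USER= without a password, it is worth reviewing which jobs actually ran under one. The following is an added example, not part of the original article or of ACF2: it scans job output exported as text for the two messages shown above and flags RESTRICT logonids assigned to jobs outside an expected set. The EXPECTED map, the job-name-prefix convention and the sample lines are assumptions constructed for illustration; the ACFRPTJL report remains the system's own log of these accesses.

```python
import re

# Message formats as they appear in the job output shown in this article.
ASSIGNED = re.compile(
    r"(?P<jobid>JOB\d+)\s+ACF9CCCD USERID (?P<lid>\S+) "
    r"IS ASSIGNED TO THIS JOB - (?P<job>\S+)")
REJECTED = re.compile(r"ACF01007 A PASSWORD IS REQUIRED FOR LOGONID (?P<lid>\S+)")

def review(lines, expected):
    """Return (unexpected, rejected).

    expected maps each RESTRICT logonid to the job-name prefixes allowed to
    run under it (analyst-supplied assumption, not an ACF2 data structure).
    unexpected: (jobid, jobname, logonid) where a RESTRICT logonid was
    assigned to a job outside its expected prefixes.
    rejected: logonids named in ACF01007 password-required messages.
    """
    unexpected, rejected = [], []
    for line in lines:
        m = ASSIGNED.search(line)
        if m:
            prefixes = expected.get(m["lid"])
            # Logonids absent from the map are not treated as RESTRICT ids.
            if prefixes is not None and not m["job"].startswith(tuple(prefixes)):
                unexpected.append((m["jobid"], m["job"], m["lid"]))
            continue
        m = REJECTED.search(line)
        if m:
            rejected.append(m["lid"])
    return unexpected, rejected

# Constructed sample input in the format of the output shown above.
SAMPLE = [
    "12.06.10 JOB06069  ACF9CCCD USERID ABCDE123 IS ASSIGNED TO THIS JOB - MYID1234A",
    "12.09.41 JOB06075  ACF9CCCD USERID ABCDE123 IS ASSIGNED TO THIS JOB - OTHER999X",
    "12.10.02 JOB06080  ACF9CCCD USERID MYID1234 IS ASSIGNED TO THIS JOB - MYID1234B",
    "//* ACF01007 A PASSWORD IS REQUIRED FOR LOGONID ABCDE124 xxxxxx",
]
EXPECTED = {"ABCDE123": ["MYID1234"]}  # hypothetical site convention

if __name__ == "__main__":
    flagged, denied = review(SAMPLE, EXPECTED)
    for jobid, job, lid in flagged:
        print(f"{jobid}: job {job} ran under RESTRICT logonid {lid} (unexpected)")
    for lid in denied:
        print(f"ACF01007: password-less submission rejected for {lid}")
```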

 

Additional Information

Note that enhancement PTF LU05334 adds functionality to further secure the RESTRICT logonid by allowing SURROGAT class rules to be used for these ids.