Does the surrogate rule work for an ID with the restrict attribute?
Release : 16.0
Component : ACF2 for z/OS
Control over a RESTRICT logonid is governed by the options defined in the logonid record: SUBAUTH, PROGRAM and SOURCE.
When a job is submitted under a RESTRICT logonid there is generally no SURROGAT processing involved, except
for sites that have PTF LU05334 applied.
The description of this PTF is as follows:
CHECK SUBMITTER OF JOB USING RESTRICT ID FOR SURROGAT ACCESS
ENHANCEMENT DESCRIPTION:
When the execution logonid of a batch job has the RESTRICT attribute,
the userid.SUBMIT rule in class SURROGAT is not checked against the
job submitter. With this enhancement, it will be checked when the
RESTRICT lid has access to resource RESTRICT.CHECK.SURROGAT in
class CASECAUT.
Example resource rule:
$KEY(RESTRICT) TYPE(AUT)
CHECK.SURROGAT UID(uid_of_execution_lid) ALLOW
- uid_of_execution_lid is the UID string of the execution logonid
that has the RESTRICT attribute.
All rules in class SURROGAT and the RESTRICT.CHECK.SURROGAT rule in
class CASECAUT do not allow access just because the logonid being
checked has SECURITY or NON-CNCL. ACF2 will still check the RESTRICT
Logonid's PROGRAM and SUBAUTH, if present, to make sure they are valid.
A new ACF2 message was added for this enhancement:
ACF01059
submitter_lid failed SURROGAT auth for RESTRICT logonid restrict_lid
Reason: submitter_lid is the job submitter's Logonid. restrict_lid is
the Logonid with the RESTRICT attribute which the job was intended to
run under. restrict_lid has access to resource RESTRICT.CHECK.SURROGAT
in class CASECAUT, which causes ACF2 to check submitter_lid for access
to resource restrict_lid.SUBMIT in class SURROGAT.
Example:
The enhancement PTF LU05334 adds functionality to further secure a RESTRICT logonid by allowing SURROGAT class rules to be applied to logonids with the RESTRICT attribute, so you can code R-SUR rules to control the use of logonids with the RESTRICT privilege.
For example, consider the following two logonids:
The logonid RESTLID has only the RESTRICT and JOB privileges and no password:
RESTLID RESTLID RESTRICT LOGONID
COMPANY() DEPT() IDNUM() LEVEL() LOCATION() OLDLID()
OWNER() OWNTYPE() POSITION() PROJECT() SITE()
PRIVILEGES JOB RESTRICT
ACCESS ACC-CNT(7) ACC-DATE(09/01/22) ACC-SRCE(A9999999)
ACC-TIME(09:44)
PASSWORD KERB-VIO(0) KERBCURV() PSWA1TOD(00/00/00-00:00)
PSWA2TOD(00/00/00-00:00) PSWD-DAT(00/00/00) PSWD-INV(0)
PSWD-TOD(00/00/00-00:00) PSWD-VIO(0) PSWDCVIO(0)
PWP-DATE(00/00/00) PWP-VIO(0)
TSO DFT-PFX(RESTLID)
STATISTICS CRE-TOD(09/01/22-09:26) SEC-VIO(0)
UPD-TOD(09/01/22-09:44)
RESTRICTIONS GROUP(DFTGRP) PREFIX(RESTLID)
The logonid USER001 has only the TSO and JOB privileges and a password:
USER001 USER001 USER
COMPANY(0) DEPT() IDNUM(DAS1) LEVEL(1) LOCATION(AAAA)
OLDLID() OWNER() OWNTYPE() POSITION() PROJECT(9) SITE(2)
CANCEL/SUSPEND CSDATE(09/13/21) CSWHO(USER001) MON-LOG PP-TRC PP-TRCV
TRACE
PRIVILEGES JOB TSO
ACCESS ACC-CNT(879) ACC-DATE(09/01/22) ACC-SRCE(A99999999)
ACC-TIME(09:29)
PASSWORD KERB-VIO(0) KERBCURV() LIDZMAX MAXDAYS(50)
PSWA1TOD(08/19/22-12:26) PSWA2TOD(00/00/00-00:00)
PSWD-DAT(00/00/00) PSWD-INV(0) PSWD-SRC(A9999999)
PSWD-TIM(09:29) PSWD-TOD(08/19/22-12:26) PSWD-VIO(0)
PSWDCVIO(103) PWP-DATE(00/00/00) PWP-VIO(0)
TSO ALLCMDS ATTR2(9999) DFT-PFX(USER001) DFT-SOUT(A)
DFT-SUBM(A) INTERCOM JCL LGN-ACCT LGN-PROC LGN-SIZE
LINE(ATTN) MAIL MODE MSGID NOTICES PROMPT
To secure the use of RESTLID (which has RESTRICT) so that no logonid can submit a job with USER=RESTLID unless a SURROGAT rule permits it, the following rule is coded:
$KEY(RESTRICT) TYPE(AUT)
CHECK.SURROGAT UID(*************RESTLID) ALLOW
If logonid USER001 logs on to TSO and submits the following job:
//ACFBATCH JOB 118100000,CLASS=A,NOTIFY=USER001,MSGCLASS=X,
// USER=RESTLID
//ACFBATCH EXEC PGM=IEFBR14
//SYSPRINT DD SYSOUT=*
/*
The job will fail with:
//ACFBATCH JOB 9999999999CLASS=A,NOTIFY=USER001,MSGCLASS=X, JOB06212
// USER=RESTLID 00012141
//* ACF01059 USER001 failed SURROGAT auth for RESTRICT logonid RESTLID SYSXXXX
//ACFBATCH EXEC PGM=IEFBR14 00013041
$HASP106 JOB DELETED BY JES2 OR CANCELLED BY OPERATOR BEFORE EXECUTION
To allow RESTLID (which has RESTRICT) to be used by USER001, the following SURROGAT rule is coded:
$KEY(RESTLID) TYPE(SUR)
SUBMIT UID(*************USER001) ALLOW
After the above SURROGAT rule is added, logonid USER001 can submit a job with USER=RESTLID:
09.58.24 JOB06215 ---- THURSDAY, 01 SEP 2022 ----
09.58.24 JOB06215 $HASP373 ACFBATCH STARTED - INIT 1 - CLASS A - SYS
09.58.24 JOB06215 ACF9CCCD USERID RESTLID IS ASSIGNED TO THIS JOB - ACFBATCH
09.58.24 JOB06215 IEF403I ACFBATCH - STARTED - TIME=09.58.24
09.58.24 JOB06215 IEF404I ACFBATCH - ENDED - TIME=09.58.24
09.58.24 JOB06215 $HASP395 ACFBATCH ENDED - RC=0000
In summary, to secure the use of a logonid with RESTRICT and prevent a security exposure without using the logonid PROGRAM, SUBAUTH or SOURCE restrictions, the R(AUT) rule RESTRICT.CHECK.SURROGAT can be used to enforce the userid.SUBMIT check in resource class SURROGAT.
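The decision sequence the PTF description and the worked example above lay out, as an added simplified Python model (not ACF2 code and not from the article) that can be run against the two rule sets shown. It assumes constructed UID strings, "first matching rule entry wins" evaluation, and UID masking in which `*` matches one character and `-` the remainder; the logonid SECADM is a constructed addition used only to show that SECURITY gives no bypass.

```python
from dataclasses import dataclass, field

@dataclass
class Logonid:
    name: str
    uid: str                       # UID string (constructed for this example)
    privileges: set = field(default_factory=set)

def uid_matches(mask, uid):
    # Assumed masking: '*' matches one character, '-' the rest of the
    # string, other characters are literal; a shorter mask matches as a prefix.
    for i, m in enumerate(mask):
        if m == "-":
            return True
        if i >= len(uid) or (m != "*" and m != uid[i]):
            return False
    return True

def rule_allows(rules, cls, key, resource, uid):
    # rules: {(class, $KEY): [(resource, uidmask, ALLOW|PREVENT), ...]}.
    # First matching entry wins. SECURITY / NON-CNCL give no bypass here,
    # as the PTF text states for both the CASECAUT and SURROGAT rules.
    for res, mask, action in rules.get((cls, key), []):
        if res == resource and uid_matches(mask, uid):
            return action == "ALLOW"
    return False

def validate_submit(submitter, exec_lid, rules):
    """(allowed, reason) for a job submitted by `submitter` with USER=exec_lid."""
    if "RESTRICT" not in exec_lid.privileges:
        return True, "not a RESTRICT logonid: normal processing"
    # Step 1: the SURROGAT check applies only if the RESTRICT lid itself is
    # granted RESTRICT.CHECK.SURROGAT in class CASECAUT (otherwise pre-PTF behaviour).
    if not rule_allows(rules, "CASECAUT", "RESTRICT", "CHECK.SURROGAT", exec_lid.uid):
        return True, "no SURROGAT check for this RESTRICT logonid"
    # Step 2: the submitter needs exec_lid.SUBMIT in class SURROGAT.
    if rule_allows(rules, "SURROGAT", exec_lid.name, "SUBMIT", submitter.uid):
        return True, f"{submitter.name} may submit with USER={exec_lid.name}"
    return False, (f"ACF01059 {submitter.name} failed SURROGAT auth "
                   f"for RESTRICT logonid {exec_lid.name}")

# Constructed logonids: a 13-character UID prefix followed by the logonid name.
RESTLID = Logonid("RESTLID", "SITE1DEPT0001RESTLID", {"JOB", "RESTRICT"})
USER001 = Logonid("USER001", "SITE2DEPT0002USER001", {"JOB", "TSO"})
SECADM = Logonid("SECADM", "SITE2DEPT0002SECADM", {"JOB", "TSO", "SECURITY"})

# The article's rules: the R(AUT) rule alone, then with the R(SUR) rule added.
RULES_AUT_ONLY = {("CASECAUT", "RESTRICT"):
                  [("CHECK.SURROGAT", "*************RESTLID", "ALLOW")]}
RULES_WITH_SUR = {**RULES_AUT_ONLY,
                  ("SURROGAT", "RESTLID"): [("SUBMIT", "*************USER001", "ALLOW")]}
```

With RULES_AUT_ONLY the USER001 submission is denied with the ACF01059 text, with RULES_WITH_SUR it is allowed, and SECADM stays denied in both cases.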