ACF2 Surrogate logonid usage with RESTRICT

Article ID: 239818

Products

ACF2 - z/OS

Issue/Introduction

Does the surrogate rule work for an ID with the restrict attribute?

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

Control of a RESTRICT logonid is governed by the options defined in its logonid record: SUBAUTH, PROGRAM and SOURCE.
When a job is submitted under a RESTRICT logonid there is generally no SURROGAT processing involved, except
at sites that have PTF LU05334 applied.
The description of this PTF is as follows.

CHECK SUBMITTER OF JOB USING RESTRICT ID FOR SURROGAT ACCESS

ENHANCEMENT DESCRIPTION:
When the execution logonid of a batch job has the RESTRICT attribute,
the userid.SUBMIT rule in class SURROGAT is not checked against the
job submitter. With this enhancement, it will be checked when the
RESTRICT lid has access to resource RESTRICT.CHECK.SURROGAT in
class CASECAUT.

Example resource rule:
$KEY(RESTRICT) TYPE(AUT)
CHECK.SURROGAT UID(uid_of_execution_lid) ALLOW

- uid_of_execution_lid is the UID string of the execution logonid
that has the RESTRICT attribute.

All rules in class SURROGAT and the RESTRICT.CHECK.SURROGAT rule in
class CASECAUT do not allow access just because the logonid being
checked has SECURITY or NON-CNCL. ACF2 will still check the RESTRICT
Logonid's PROGRAM and SUBAUTH, if present, to make sure they are valid.

A new ACF2 message was added for this enhancement:

ACF01059
submitter_lid failed SURROGAT auth for RESTRICT logonid restrict_lid

Reason: submitter_lid is the job submitter's Logonid. restrict_lid is
the Logonid with the RESTRICT attribute which the job was intended to
run under. restrict_lid has access to resource RESTRICT.CHECK.SURROGAT
in class CASECAUT, which causes ACF2 to check submitter_lid for access
to resource restrict_lid.SUBMIT in class SURROGAT.

Example:

The enhancement PTF LU05334 further secures the RESTRICT logonid by allowing SURROGAT class rules to be applied to logonids with the RESTRICT attribute, so R-SUR rules can be coded to control who may use a logonid with the RESTRICT privilege.

For example, consider the following two logonids: 

The logonid RESTLID has only RESTRICT and JOB privileges and no password:

RESTLID                           RESTLID  RESTRICT LOGONID                  
                     COMPANY() DEPT() IDNUM() LEVEL() LOCATION() OLDLID()    
                     OWNER() OWNTYPE() POSITION() PROJECT() SITE()           
PRIVILEGES           JOB RESTRICT                                            
ACCESS               ACC-CNT(7) ACC-DATE(09/01/22) ACC-SRCE(A9999999)      
                     ACC-TIME(09:44)                                         
PASSWORD             KERB-VIO(0) KERBCURV() PSWA1TOD(00/00/00-00:00)         
                     PSWA2TOD(00/00/00-00:00) PSWD-DAT(00/00/00) PSWD-INV(0)
                     PSWD-TOD(00/00/00-00:00) PSWD-VIO(0) PSWDCVIO(0)        
                     PWP-DATE(00/00/00) PWP-VIO(0)                           
TSO                  DFT-PFX(RESTLID)                                        
STATISTICS           CRE-TOD(09/01/22-09:26) SEC-VIO(0)                      
                     UPD-TOD(09/01/22-09:44)                                 
RESTRICTIONS         GROUP(DFTGRP) PREFIX(RESTLID)  

The logonid USER001 has only TSO and JOB privileges and a password:

USER001                           USER001  USER
                     COMPANY(0) DEPT() IDNUM(DAS1) LEVEL(1) LOCATION(AAAA)
                     OLDLID() OWNER() OWNTYPE() POSITION() PROJECT(9) SITE(2)
CANCEL/SUSPEND       CSDATE(09/13/21) CSWHO(USER001) MON-LOG PP-TRC PP-TRCV
                     TRACE
PRIVILEGES           JOB TSO
ACCESS               ACC-CNT(879) ACC-DATE(09/01/22) ACC-SRCE(A99999999)
                     ACC-TIME(09:29)
PASSWORD             KERB-VIO(0) KERBCURV() LIDZMAX MAXDAYS(50)
                     PSWA1TOD(08/19/22-12:26) PSWA2TOD(00/00/00-00:00)
                     PSWD-DAT(00/00/00) PSWD-INV(0) PSWD-SRC(A9999999)
                     PSWD-TIM(09:29) PSWD-TOD(08/19/22-12:26) PSWD-VIO(0)
                     PSWDCVIO(103) PWP-DATE(00/00/00) PWP-VIO(0)
TSO                  ALLCMDS ATTR2(9999) DFT-PFX(USER001) DFT-SOUT(A)
                     DFT-SUBM(A) INTERCOM JCL LGN-ACCT LGN-PROC LGN-SIZE
                     LINE(ATTN) MAIL MODE MSGID NOTICES PROMPT

To secure the use of RESTLID so that a logonid cannot submit a job with USER=RESTLID unless a SURROGAT rule permits it, the following rule is coded:

$KEY(RESTRICT) TYPE(AUT)                               
 CHECK.SURROGAT UID(*************RESTLID) ALLOW 

If logonid USER001 logs on to TSO and submits the following job:

//ACFBATCH JOB 118100000,CLASS=A,NOTIFY=USER001,MSGCLASS=X, 
//   USER=RESTLID                                           
//ACFBATCH EXEC PGM=IEFBR14                                 
//SYSPRINT DD SYSOUT=*                                      
/*                                                          

The job will fail with:

//ACFBATCH JOB 9999999999CLASS=A,NOTIFY=USER001,MSGCLASS=X,             JOB06212
//   USER=RESTLID                                                       00012141
//* ACF01059 USER001 failed SURROGAT auth for RESTRICT logonid RESTLID SYSXXXX
//ACFBATCH EXEC PGM=IEFBR14                                             00013041
$HASP106 JOB DELETED BY JES2 OR CANCELLED BY OPERATOR BEFORE EXECUTION          

To allow USER001 to use RESTLID, code the following SURROGAT rule:

$KEY(RESTLID) TYPE(SUR)                     
 SUBMIT UID(*************USER001) ALLOW     

After the above SURROGAT rule is added, logonid USER001 can submit a job with USER=RESTLID:

09.58.24 JOB06215 ---- THURSDAY,  01 SEP 2022 ----                              
09.58.24 JOB06215  $HASP373 ACFBATCH STARTED - INIT 1    - CLASS A        - SYS 
09.58.24 JOB06215  ACF9CCCD USERID RESTLID  IS ASSIGNED TO THIS JOB - ACFBATCH  
09.58.24 JOB06215  IEF403I ACFBATCH - STARTED - TIME=09.58.24                   
09.58.24 JOB06215  IEF404I ACFBATCH - ENDED - TIME=09.58.24                     
09.58.24 JOB06215  $HASP395 ACFBATCH ENDED - RC=0000               

In summary, to secure the use of a logonid with RESTRICT and close the exposure without resorting to the logonid PROGRAM, SUBAUTH or SOURCE restrictions, the R(AUT) RESTRICT.CHECK.SURROGAT rule can be used to enforce the userid.SUBMIT check in resource class SURROGAT.
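The decision path this article walks through (RESTRICT attribute, PTF applied, CASECAUT coverage, then the SURROGAT SUBMIT check) modelled as an added Python example; this is not ACF2 code and not part of the original article. It assumes a simplified UID masking model (`*` matches one character, `-` matches the remainder), constructed 20-character UID strings, and a dictionary standing in for the rule database; it also parses the ACF01059 message from a job log line so the failure can be picked up by monitoring.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed rule store standing in for the ACF2 rule database:
# {(rule type, $KEY): [(resource name, UID mask), ...]} using the article's two rules.
RULES: Dict[Tuple[str, str], List[Tuple[str, str]]] = {
    ("AUT", "RESTRICT"): [("CHECK.SURROGAT", "*************RESTLID")],
    ("SUR", "RESTLID"):  [("SUBMIT", "*************USER001")],
}
# Constructed UID strings: 13 characters of site-defined fields followed by the
# logonid, so they line up with the 13 asterisks in the masks above.
UIDS = {"RESTLID": "SITEFIELDS123RESTLID", "USER001": "SITEFIELDS123USER001"}
RESTRICT_LIDS = {"RESTLID"}   # logonids carrying the RESTRICT attribute

def uid_matches(mask: str, uid: str) -> bool:
    """Positional mask match (assumed simplification of ACF2 masking):
    '*' matches any one character, '-' matches the rest of the string."""
    for i, m in enumerate(mask):
        if m == "-":
            return True
        if i >= len(uid) or (m != "*" and m != uid[i]):
            return False
    return len(mask) == len(uid)

def rule_allows(rules, rtype: str, key: str, resource: str, uid: str) -> bool:
    """True if some rule line under (rtype, $KEY) names the resource and its mask fits the UID."""
    return any(res == resource and uid_matches(mask, uid)
               for res, mask in rules.get((rtype, key), []))

def surrogat_decision(submitter: str, exec_lid: str, ptf_lu05334: bool,
                      rules=RULES) -> Tuple[bool, str]:
    """Job card USER=exec_lid submitted by submitter: returns (allowed, message).
    Only the SURROGAT path is modelled; PROGRAM, SUBAUTH and SOURCE checks are not.
    SECURITY and NON-CNCL are deliberately not consulted: they do not bypass this check."""
    if exec_lid not in RESTRICT_LIDS:
        raise ValueError("only RESTRICT execution logonids are modelled here")
    if not ptf_lu05334:
        return True, "RESTRICT logonid: no SURROGAT processing without LU05334"
    if not rule_allows(rules, "AUT", "RESTRICT", "CHECK.SURROGAT", UIDS[exec_lid]):
        return True, "RESTRICT logonid not covered by RESTRICT.CHECK.SURROGAT"
    if rule_allows(rules, "SUR", exec_lid, "SUBMIT", UIDS[submitter]):
        return True, f"ACF9CCCD USERID {exec_lid} IS ASSIGNED TO THIS JOB"
    return False, f"ACF01059 {submitter} failed SURROGAT auth for RESTRICT logonid {exec_lid}"

ACF01059 = re.compile(r"ACF01059 (\S+) failed SURROGAT auth for RESTRICT logonid (\S+)")

def parse_acf01059(line: str) -> Optional[Tuple[str, str]]:
    """Extract (submitter, restrict_lid) from a job log line, or None if it is not ACF01059."""
    m = ACF01059.search(line)
    return (m.group(1), m.group(2)) if m else None
```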