With SDSF internal security, a user can process another user's joblog when that user is specified on the job's NOTIFY parameter.
Is there a way to get the same behavior after SDSF security is migrated to TSS?
Case 1) USER2 can cancel/purge the joblog when NOTIFY is USER2
1. USER1 runs a job with NOTIFY=USER2
//USER1 JOB ,'TESTUSER',NOTIFY=USER2
2. SDSF on USER2
SDSF HELD OUTPUT DISPLAY ALL CLASSES LINES 294
COMMAND INPUT ===> SCROLL ===> PAGE
NP JOBNAME TYPE JNUM C OUTGRP MAX-RC USER-NAME NOTIFY TOT-REC CRDAT
USER1 JOB 10000 X 1 CC 0000 TESTUSER USER2 198 07/22
3. Enter P to purge the job
SDSF HELD OUTPUT DISPLAY ALL CLASSES LINES 294
COMMAND INPUT ===> SCROLL ===> PAGE
NP JOBNAME TYPE JNUM C OUTGRP MAX-RC USER-NAME NOTIFY TOT-REC CRDAT
P USER1 JOB 10000 X 1 CC 0000 TESTUSER USER2 198 07/22
4. COMMAND ISSUED
SDSF HELD OUTPUT DISPLAY ALL CLASSES LINES 294 COMMAND ISSUED
COMMAND INPUT ===> SCROLL ===> PAGE
NP JOBNAME TYPE JNUM C OUTGRP MAX-RC USER-NAME NOTIFY TOT-REC CRDAT
USERA JOB 10000 X 1 CC 0000 198 07/22
5. The job is purged
SDSF HELD OUTPUT DISPLAY ALL CLASSES LINES 294
COMMAND INPUT ===> SCROLL ===> PAGE
NP JOBNAME TYPE JNUM C OUTGRP MAX-RC USER-NAME NOTIFY TOT-REC CRDAT
Case 2) USER2 can't cancel/purge the joblog when NOTIFY is not USER2
1. USER1 runs a job with NOTIFY=USER1
//USER1 JOB ,'TESTUSER',NOTIFY=USER1
2. Enter P to purge the job
SDSF HELD OUTPUT DISPLAY ALL CLASSES LINES 294
COMMAND INPUT ===> SCROLL ===> PAGE
NP JOBNAME TYPE JNUM C OUTGRP MAX-RC USER-NAME NOTIFY TOT-REC CRDAT
P USER1 JOB 10000 X 1 CC 0000 TESTUSER USER1 198 07/22
3. NOT AUTHORIZED FOR JOB
SDSF HELD OUTPUT DISPLAY ALL CLASSES LINES 294 NOT AUTHORIZED FOR JOB
COMMAND INPUT ===> SCROLL ===> PAGE
NP JOBNAME TYPE JNUM C OUTGRP MAX-RC USER-NAME NOTIFY TOT-REC CRDAT
USER1 JOB 10000 X 1 CC 0000 TESTUSER USER1 198 07/22
Release : 16.0
Component : Top Secret for z/OS
Regardless of what is specified on NOTIFY, SDSF requests security verification for a resource name in the following format:
JESSPOOL ( local-nodename.userid.jobname.jobid.dsidentifier.name )
A SAF product has no way to see which user is specified on NOTIFY.
As an alternative to NOTIFY, specify "/*ROUTE PRINT userid" to allow the specified user to access the job's JESSPOOL resources.
Example: USER001 can access the JESSPOOL resources of job ADMIN01V
//ADMIN01V JOB (113100000),
// 'ADMIN01 TOKYO',CLASS=A,MSGCLASS=X,
// NOTIFY=&SYSUID,MSGLEVEL=(1,1)
//*
/*ROUTE PRINT USER001
//*
//BR14 EXEC PGM=IEFBR14
//DD1 DD DUMMY
//
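As an added example (not part of the original article and not Broadcom or IBM tooling), the Python sketch below scans JCL for jobs whose NOTIFY names a user other than the submitter and that have no matching /*ROUTE PRINT statement, which are the jobs whose behavior changes after the migration described above. The function names and the caller-supplied submitter ID are assumptions for illustration; the sample JCL is constructed from the job cards shown on this page.

```python
import re

JOB_RE = re.compile(r"^//(\S+)\s+JOB\b(.*)$")        # //name JOB operands
CONT_RE = re.compile(r"^//\s+(\S.*)$")                # continued operands
ROUTE_RE = re.compile(r"^/\*ROUTE\s+PRINT\s+(\S+)")   # JES2 control statement
NOTIFY_RE = re.compile(r"\bNOTIFY=([^,\s]+)")

def scan_jcl(text):
    """Return one dict per job: job name, NOTIFY value, /*ROUTE PRINT users."""
    jobs, job, in_job_stmt = [], None, False
    for raw in text.splitlines():
        line = raw[:71].rstrip()            # ignore columns 72-80
        if m := JOB_RE.match(line):
            job = {"job": m.group(1), "notify": None, "route_print": []}
            jobs.append(job)
            operands = m.group(2)
        elif in_job_stmt and (c := CONT_RE.match(line)):
            operands = c.group(1)
        else:
            in_job_stmt = False
            if job and (r := ROUTE_RE.match(line)):
                job["route_print"].append(r.group(1))
            continue
        if n := NOTIFY_RE.search(operands):
            job["notify"] = n.group(1)
        # Assumption: no comment field follows the operands, so a trailing
        # comma means the JOB statement continues on the next line.
        in_job_stmt = operands.endswith(",")
    return jobs

def needs_route_print(job, submitter):
    """True when NOTIFY names a user other than the submitter and no
    /*ROUTE PRINT statement gives that user access to the output."""
    n = job["notify"]
    if n is None or n.startswith("&") or n == submitter:
        return False
    return n not in job["route_print"]

# Constructed sample: the three job cards shown on this page, concatenated.
SAMPLE = """\
//USER1 JOB ,'TESTUSER',NOTIFY=USER2
//USER1 JOB ,'TESTUSER',NOTIFY=USER1
//ADMIN01V JOB (113100000),
// 'ADMIN01 TOKYO',CLASS=A,MSGCLASS=X,
// NOTIFY=&SYSUID,MSGLEVEL=(1,1)
//*
/*ROUTE PRINT USER001
//BR14 EXEC PGM=IEFBR14
"""
```

Calling `needs_route_print(job, "USER1")` on each entry returned by `scan_jcl(SAMPLE)` flags only the first job, the Case 1 job card.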