ACF2 NJE logonid Inheritance question


Article ID: 250736


Products

ACF2 - z/OS

Issue/Introduction

Does INHERIT, coded in the GSO OPTS record, inherit only the user ID when a job is submitted via NJE, or does it also inherit the ID's privileges from the submitter node? Does it also inherit the ACF2 access and resource rules?

                              

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

The GSO NJE DFTLID(defaultlid) specifies the default logonid to be used for jobs that come from the remote node when no logonid can be associated with the job. 

If a default logonid is required (VALIN(YES)) but DFTLID is not specified in the NJE record, ACF2 substitutes the default logonid that is specified in the DFTLID field of the GSO OPTS record. If the default logonid is not specified in the OPTS record either, the job fails validation.

The GSO NJE INHERIT|NOINHERIT specifies whether the node accepts network job inheritance. With INHERIT, a job sent to this node inherits the logonid of the user who submitted the job. When inheriting the submitter's ID, an INFO call is done to ensure the ID exists on the local database and is valid (not suspended/expired). No password is required for an INFO call.

The logonid is inherited from the sending node; however, the access on the receiving node is based on the logonid's privileges and the access and resource rules defined on the receiving node. If network job inheritance is permitted, different authorization (possibly including higher privileges than intended) can be granted to the job. This could be due to the local logonid having a much higher authority than the same logonid defined at the sending node. For example, if the logonid on the sending node has NONON-CNCL and the logonid on the receiving node has NON-CNCL, the inherited logonid has different, and higher, authorization on the receiving node. Inheritance implies some level of trust in the sending node.
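The privilege mismatch described above can be audited by comparing the logonid records of both nodes before INHERIT is enabled. This is an added example, not code from the article or from ACF2: the Logonid class, the function names and the sample logonids are hypothetical, and the records are constructed sample data rather than parsed ACF2 output.

```python
# Added example: audit for privilege drift under NJE inheritance.
# All logonids and records below are constructed sample data, not ACF2 output.
from dataclasses import dataclass, field


@dataclass
class Logonid:
    privileges: set = field(default_factory=set)  # e.g. {"JOB", "NON-CNCL"}
    suspended: bool = False
    expired: bool = False


def info_call_ok(lid, local_db):
    """Model of the INFO call: the ID must exist locally and be valid.
    No password is involved, as the article states."""
    rec = local_db.get(lid)
    return rec is not None and not rec.suspended and not rec.expired


def privilege_drift(sending_db, receiving_db):
    """Return {logonid: extra privileges} for every submitter ID that would
    be inherited on the receiving node with more authority than it holds
    on the sending node."""
    drift = {}
    for lid, sender_rec in sending_db.items():
        if not info_call_ok(lid, receiving_db):
            continue  # inheritance would not succeed for this ID
        extra = receiving_db[lid].privileges - sender_rec.privileges
        if extra:
            drift[lid] = sorted(extra)
    return drift


# Constructed sample databases for two nodes.
SENDING = {
    "BATCH01": Logonid({"JOB"}),                 # NONON-CNCL on sender
    "OPER02": Logonid({"JOB", "TSO"}),
    "DEV03": Logonid({"JOB", "TSO"}),
    "TEST04": Logonid({"JOB"}),
}
RECEIVING = {
    "BATCH01": Logonid({"JOB", "NON-CNCL"}),     # NON-CNCL on receiver
    "OPER02": Logonid({"JOB", "TSO"}),
    "DEV03": Logonid({"JOB", "TSO", "READALL"}, suspended=True),
    # TEST04 is not defined on the receiving node
}

if __name__ == "__main__":
    for lid, extra in privilege_drift(SENDING, RECEIVING).items():
        print(f"{lid}: gains {', '.join(extra)} when inherited")
```

Any logonid the audit reports is one whose jobs would run with more authority on the receiving node than the submitter holds at home, which is the trust decision INHERIT makes on the receiving node's behalf.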

If the receiving node has VALIN(YES), a full validation is done, with ACF2 looking for the logonid in the JCL. If no logonid is found in the JCL, the submitter's ID from the NJE header is used.

VALIN(ONLY) anticipates that a logonid/password validation was done at the submitting node. An indicator is set by ACF2 in the ACF2 NJE header so it is available for interrogation at the receiving node. The validation would have been done at the submitting node if it was using an ACF2 NJE record that specified VALOUT(YES). If the indicator is not set, the receiving node will do the validation.