This knowledge document describes the restrictions that apply when PGM and SUBAUTH are used with a RESTRICT logonid.
RESTRICT specifies that the logonid is intended for production batch use (not for online or STC use) and does not require a password. By itself, this privilege makes a logonid vulnerable to unauthorized use, and is not suitable for production work (but could be used for a batch default logonid with limited read/write/alloc access).
Note: To protect a logonid that has the RESTRICT privilege against unauthorized use, it is recommended to use the PROGRAM, SUBAUTH or SOURCE logonid parameters to restrict the usage of the logonid.
PROGRAM(pgm_name) specifies that this logonid can only be used when jobs are submitted by this program. This privilege adds more restriction for the use of the logonid, but is still somewhat vulnerable in that this program does not have to be authorized.
SUBAUTH specifies that this logonid can only be used when jobs are submitted by an authorized program. Note that by authorized program we mean that it resides in an APF authorized library and the program was link-edited with SETCODE AC(1). This provides for a much more secure environment since sites have full control of what libraries can be APF authorized, and who can update those libraries.
SOURCE specifies the one- to eight-character logical or physical input source name or source group name from which a user must access the system.
Examples:
Batch Logonid: | Privileges: |
TSTBAT | RESTRICT |
TSTBAT1 | RESTRICT, PGM( pgm_name ) |
TSTBAT2 | RESTRICT, PGM( pgm_name ), SUBAUTH |
TSTBAT3 | RESTRICT, SUBAUTH |
(Note: batch logonids also need the JOB privilege if the GSO OPTS record specifies JOBCK. The Restricted Logonid Job Log, ACFRPTJL, provides the submitting program name and identifies if the program is authorized for all system accesses by logonids with the RESTRICT privilege.)
Test scenario 1:
Submit a test job that uses the batch logonid (TSTBAT#) directly from TSO (PGM=IKJEFF04)
Batch logonid: | Results: |
TSTBAT | runs OK, there are no program or authorization restrictions |
TSTBAT1 | fails with ACF01009, when pgm_name is not IKJEFF04 |
TSTBAT2/TSTBAT3 | fails with ACF01008, the submitting program is not authorized |
Test scenario 2:
Submit a test job with the batch logonid (TSTBAT#) where the submitting program is pgm_name residing in an unauthorized user library and/or pgm_name is not linked as AC(1)
Batch logonid: | Results: |
TSTBAT | runs OK, there are no program or authorization restrictions |
TSTBAT1 | runs OK, the submitting program matches pgm_name |
TSTBAT2 | fails with ACF01008, the submitting program matches pgm_name, but is not authorized |
TSTBAT3 | fails with ACF01008, the submitting program is not authorized |
Test scenario 3:
Submit a test job with the batch logonid (TSTBAT#) where the submitting program is pgm_name residing in an authorized user library and pgm_name is linked as AC(1)
Batch logonid: | Results: |
TSTBAT | runs OK, there are no program or authorization restrictions |
TSTBAT1 | runs OK, the submitting program matches pgm_name |
TSTBAT2 | runs OK, the submitting program matches pgm_name and is authorized |
TSTBAT3 | runs OK, the submitting program is authorized (Note that any authorized program can submit a job that uses this logonid) |
Note that enhancement PTF LU05334 adds functionality to further secure the RESTRICT logonid by allowing SURROGAT class rules to be used for these ids.
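The three test scenarios above can be reproduced with a small decision model. This is an added example, not ACF2 code or part of the original document: BATSUB01 is a hypothetical stand-in for pgm_name, IKJEFF04 is treated as not authorized as in scenario 1, and testing SUBAUTH before PGM is inferred from scenario 1, where TSTBAT2 fails with ACF01008.

```python
from dataclasses import dataclass
from typing import Optional

PGM_NAME = "BATSUB01"  # hypothetical stand-in for the page's pgm_name

@dataclass(frozen=True)
class Logonid:
    name: str                      # every logonid modelled here has RESTRICT
    program: Optional[str] = None  # PGM(pgm_name)
    subauth: bool = False          # SUBAUTH
    source: Optional[str] = None   # SOURCE

def check_submission(lid: Logonid, submitter: str, authorized: bool) -> str:
    """Return 'OK' or the message ID the page reports for this submission."""
    # Assumed ordering: SUBAUTH first, because TSTBAT2 gets ACF01008 in
    # scenario 1 even though the program name does not match either.
    if lid.subauth and not authorized:
        return "ACF01008"
    if lid.program is not None and submitter != lid.program:
        return "ACF01009"
    return "OK"

def exposure(lid: Logonid) -> str:
    """Audit view: what can still submit work under this passwordless logonid."""
    if lid.program and lid.subauth:
        return "named authorized program only"
    if lid.subauth:
        return "any authorized program"
    if lid.program:
        return "any program with a matching name, authorized or not"
    if lid.source:
        return "restricted by input source only"
    return "unprotected"

LIDS = [Logonid("TSTBAT"), Logonid("TSTBAT1", program=PGM_NAME),
        Logonid("TSTBAT2", program=PGM_NAME, subauth=True),
        Logonid("TSTBAT3", subauth=True)]

# scenario number -> (submitting program, is it APF authorized and AC(1)?)
SCENARIOS = {1: ("IKJEFF04", False), 2: (PGM_NAME, False), 3: (PGM_NAME, True)}

def run_scenario(n: int) -> dict:
    submitter, authorized = SCENARIOS[n]
    return {l.name: check_submission(l, submitter, authorized) for l in LIDS}

if __name__ == "__main__":
    for n in SCENARIOS:
        print(f"scenario {n}: {run_scenario(n)}")
    for lid in LIDS:
        print(f"{lid.name}: {exposure(lid)}")
```

The exposure() result is the one to review when auditing batch logonids: anything other than "named authorized program only" leaves the logonid usable by more than one known submitter.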