Using PGM, SUBAUTH and SOURCE with ACF2 RESTRICT logonids

Article ID: 27276

Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

This knowledge document describes the logonid field options that limit how an ACF2 RESTRICT logonid can be used.

Resolution

RESTRICT specifies that the logonid is intended for production batch use (not for online or STC use) and does not require a password. By itself, this privilege makes a logonid vulnerable to unauthorized use, and is not suitable for production work (but could be used for a batch default logonid with limited READ/WRITE/ALLOC access).

To prevent unauthorized use of a logonid with the RESTRICT privilege, it is recommended to use the PROGRAM, SUBAUTH or SOURCE logonid parameters to restrict how the logonid can be used. In addition to logonid fields, ACF2 R16 PTF LU05334 adds functionality to further secure the RESTRICT logonid by allowing SURROGAT class rules to be used for these ids. For more information on using SURROGAT class rules, please see "ACF2 Surrogate logonid usage with RESTRICT".

 

Logonid fields that impact use of a RESTRICT logonid

PROGRAM(program) specifies that this logonid can only be used when JOBS are submitted by this program. This privilege adds more restriction for the use of the logonid, but is still somewhat vulnerable in that this program does not have to be authorized.

SUBAUTH specifies that this logonid can only be used when JOBS are submitted by an authorized program. Note that an authorized program must reside in an APF authorized library and the program must be link-edited with SETCODE AC(1). This provides for a much more secure environment since sites have full control of what libraries can be APF authorized and who can update those libraries.

SOURCE(sourceid) specifies the one- to eight-character logical or physical input source name or source group name from which a user must access the system.

 

Example scenarios using PROGRAM and SUBAUTH

Batch Logonid:   Privileges:
TSTBAT           RESTRICT
TSTBAT1          RESTRICT, PGM(pgm_name)
TSTBAT2          RESTRICT, PGM(pgm_name), SUBAUTH
TSTBAT3          RESTRICT, SUBAUTH

Note: Batch logonids also need the JOB privilege if the GSO OPTS record specifies JOBCK. The Restricted Logonid Job Log, ACFRPTJL, provides the submitting program name and identifies if the program is authorized for all system accesses by logonids with the RESTRICT privilege.

Test Scenario 1

Submit a test job that uses the batch logonid (TSTBAT#) directly from TSO (PGM=IKJEFF04)

Batch logonid:    Results:
TSTBAT            runs OK, there are no program or authorization restrictions
TSTBAT1           fails with ACF01009, when pgm_name is not IKJEFF04
TSTBAT2/TSTBAT3   fail with ACF01008, the submitting program is not authorized

 

Test Scenario 2

Submit a test job with the batch logonid (TSTBAT#) where the submitting program is pgm_name residing in an unauthorized user library and/or pgm_name is not linked as AC(1)

Batch logonid:    Results:
TSTBAT            runs OK, there are no program or authorization restrictions
TSTBAT1           runs OK, the submitting program matches pgm_name
TSTBAT2           fails with ACF01008, the submitting program matches pgm_name, but is not authorized
TSTBAT3           fails with ACF01008, the submitting program is not authorized

 

Test Scenario 3

Submit a test job with the batch logonid (TSTBAT#) where the submitting program is pgm_name residing in an authorized user library and pgm_name is linked as AC(1)

Batch logonid:    Results:
TSTBAT            runs OK, there are no program or authorization restrictions
TSTBAT1           runs OK, the submitting program matches pgm_name
TSTBAT2           runs OK, the submitting program matches pgm_name and is authorized
TSTBAT3           runs OK, the submitting program is authorized (Note that any authorized program can submit a job that uses this logonid)
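
The three test scenarios above can be reproduced with a small decision model, which is useful when reviewing which RESTRICT logonids are still exposed. This is an added example, not ACF2 code or part of the original article: the Logonid class, the function names and the PGMNAME placeholder (standing in for pgm_name) are assumptions, and checking SUBAUTH before PGM is inferred from Test Scenario 1, where TSTBAT2 reports ACF01008.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Logonid:
    """Constructed record holding only the fields this article discusses."""
    name: str
    program: Optional[str] = None   # PGM(pgm_name)
    subauth: bool = False           # SUBAUTH
    source: Optional[str] = None    # SOURCE(sourceid)

def submit_outcome(lid, submitting_pgm, authorized):
    """Model the submission check for a RESTRICT logonid.

    'authorized' means the submitting program resides in an APF authorized
    library AND is link-edited AC(1); both are required.
    """
    if lid.subauth and not authorized:
        return "ACF01008"           # submitting program is not authorized
    if lid.program and lid.program != submitting_pgm:
        return "ACF01009"           # submitting program does not match PGM
    return "OK"

def exposure(lid):
    """Describe who can submit jobs under this RESTRICT logonid."""
    if lid.subauth and lid.program:
        who = "one named authorized program"
    elif lid.subauth:
        who = "any authorized program"
    elif lid.program:
        who = "named program, which need not be authorized"
    else:
        who = "no program or authorization restriction"
    return who + (f", from source {lid.source}" if lid.source else "")

# Logonids from the article; PGMNAME is a placeholder for pgm_name.
LOGONIDS = [
    Logonid("TSTBAT"),
    Logonid("TSTBAT1", program="PGMNAME"),
    Logonid("TSTBAT2", program="PGMNAME", subauth=True),
    Logonid("TSTBAT3", subauth=True),
]
# Scenario number -> (submitting program, authorized?) as the article describes them.
SCENARIOS = {1: ("IKJEFF04", False), 2: ("PGMNAME", False), 3: ("PGMNAME", True)}

def scenario_matrix():
    return {n: {l.name: submit_outcome(l, pgm, auth) for l in LOGONIDS}
            for n, (pgm, auth) in SCENARIOS.items()}

if __name__ == "__main__":
    for n, row in scenario_matrix().items():
        print(f"Scenario {n}: {row}")
    for l in LOGONIDS:
        print(f"{l.name:8} {exposure(l)}")
```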