How to restrict who can submit a batch job via FTP in ACF2


Article ID: 32016


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

Users can specify FILE=JES with an FTP PUT statement, which causes the transferred file to enter the system as a batch job. This needs to be restricted so that users cannot do this without permission. How can this be done?

Environment

Release:
Component: ACF2MS

Resolution

JES under z/OS will make a SAF call under the class of JESJOBS when batch jobs enter the reader.  This is done for all batch jobs, not just FTP.  By default, CA ACF2 will ignore these SAF calls due to an internal SAFDEF record.  From a SHOW SAFDEF command, this is the SAFDEF record:

JESJOBS  JOBNAME=********   USERID=********   PROGRAM=********   RB=********
         RETCODE=4          SAFDEF=INTERNAL   MODE=IGNORE        SUBSYS=ACF2
         FUNCRET=4          FUNCRSN=0                                       
                                                                            
         RACROUTE REQUEST=AUTH,CLASS='JESJOBS'                              

To prevent these jobs from being run, define your own SAFDEF record so that ACF2 validates the entities when the class is JESJOBS. Nothing in the SAF call is unique to FTP, so it is not possible to define a SAFDEF that is limited to jobs submitted from FTP: all submissions, including those from TSO, etc., are validated.

The ENTITYX for these JESJOBS validations is formatted as SUBMIT.node.jobname.userid. By default, CLASMAP points JESJOBS to type SAF. Standard ACF2 resource rule writing applies. A sample rule would look like this:

$KEY(SUBMIT) TYPE(SAF)
 node.jobname.userid UID(uid string) ALLOW

If a different type code is desired, insert a CLASMAP record.  A sample would look like this:

INSERT CLASMAP.JJOBS RESOURCE(JESJOBS)

After the rules are in place, override the SAFDEF record.  Here is a sample:

INSERT SAFDEF.JJOBS ID(JJOBS) RACROUTE(REQUEST=AUTH,CLASS=JESJOBS)

Then refresh the GSO records just inserted:

F ACF2,REFRESH(CLASMAP)

F ACF2,REFRESH(SAFDEF)

Other validations that happen under JESJOBS are the following:

    HOLD.node.userid.jobname
    RELEASE.node.userid.jobname
    CANCEL.node.userid.jobname
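Because every submission is validated once the SAFDEF is overridden, it helps to inventory which node/jobname/userid combinations need a rule line before activating it. The following is an added example, not part of the original article or of CA ACF2: it parses entity names in the formats listed above (note that SUBMIT puts jobname before userid, while HOLD, RELEASE and CANCEL put userid first) and drafts rule lines in the sample rule's layout. The function names, the sample entities and the `<uid string for ...>` placeholder are assumptions made for illustration.

```python
from collections import defaultdict

# Qualifier order after the action, as listed in this article.
FIELD_ORDER = {
    "SUBMIT": ("node", "jobname", "userid"),
    "HOLD": ("node", "userid", "jobname"),
    "RELEASE": ("node", "userid", "jobname"),
    "CANCEL": ("node", "userid", "jobname"),
}

def parse_entity(entity):
    """Split one JESJOBS entity name into action, node, jobname and userid."""
    parts = entity.strip().upper().split(".")
    action = parts[0]
    if action not in FIELD_ORDER:
        raise ValueError(f"unknown JESJOBS action in {entity!r}")
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"expected 4 non-empty qualifiers in {entity!r}")
    return {"action": action, **dict(zip(FIELD_ORDER[action], parts[1:]))}

def draft_submit_rules(entities):
    """Draft one rule line per distinct SUBMIT entity, grouped by userid."""
    by_user = defaultdict(set)
    for entity in entities:
        fields = parse_entity(entity)
        if fields["action"] == "SUBMIT":  # HOLD/RELEASE/CANCEL need their own $KEY
            by_user[fields["userid"]].add((fields["node"], fields["jobname"]))
    lines = ["$KEY(SUBMIT) TYPE(SAF)"]
    for userid in sorted(by_user):
        for node, jobname in sorted(by_user[userid]):
            # The UID string must be supplied by the administrator (placeholder).
            lines.append(f" {node}.{jobname}.{userid} UID(<uid string for {userid}>) ALLOW")
    return lines

# Constructed sample entities, not taken from a real system.
SAMPLE = [
    "SUBMIT.NODE1.PAYJOB1.FTPUSR1",
    "SUBMIT.NODE1.PAYJOB2.FTPUSR1",
    "SUBMIT.NODE1.PAYJOB1.FTPUSR1",   # duplicate submission
    "SUBMIT.NODE1.TSOJOB1.TSOUSR1",   # TSO submissions are validated too
    "CANCEL.NODE1.OPER01.PAYJOB1",    # userid comes before jobname here
]

if __name__ == "__main__":
    print("\n".join(draft_submit_rules(SAMPLE)))
```

The output is a draft for review only; each placeholder has to be replaced with the real UID string before the rule is compiled.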

With z/OS 2.1, IBM added controls in JESJOBS to protect the JOBCLASS also.  See the current CA ACF2 Administrators Guide, section titled "JESJOBS Controlling Access to JOBCLASS" for more information.