How can unauthorized SARBCH and SARINIT usage be controlled?
Article ID: 36605
Updated On:
Products
Issue/Introduction
Issue:
User is able to access confidential reports running a batch job but is not defined to the CA View database. User run SARBCH pgm to load reports to a dataset. The SARINIT setting for SECURITY=LOGON. User is not defined with any Dist id. How can we stop user from seeing the reports?
Resolution
SARATHUX - Database Utility Exit
- Controls access to database utility functions SARDBASE, SARINIT, SARBCH
- The default exit(SARATHUX)allows access to all utility functions
- You must install SARATHU1 to activate security for database utility functions such as who is allowed to run SARBCH in batch mode.
- The exit allows for Class/Resource modification before the RACROUT call.
- The exit is always called regardless of the SECURITY setting.
External Security CLASS (CHA1VIEW)
Standard resource name (DBAS.db high level qualifier)
Access Level (Read, Update, Control, Alter)
Return Codes:
0 Exit has granted access - Do not call External Security
4 Exit has denied access - Do not call External Security
8 CA-View should determine access based on the SECURITY parameter
Since you are using Security=Logon, only rules pertaining to who can logon to CA View are checked. No rules are checked about authority to run batch jobs.
To protect against unauthorized running of SARBCH or SARINIT :
- If using the SARATHUX exit only:
- code a check in the exit to determines if userid is one who should not access the CA View reports.
- If the userid is not allowed access, return a Return Code of 4
- If using external security,
- the exit will have to set a Return Code of 8
- CA View will check with your external security package for the level of access for this userid
Additional Information:
As always, please contact CA Technologies support for CA View if you have further questions.
Feedback
