Submitting a job on behalf of other user



JES, JES2, JCL utilities, IDCAMS, Compile & Run JCLs, PROCs etc...

Submitting a job on behalf of other user

Postby Sivapradeep » Tue May 08, 2012 9:05 pm

Hi,

I want to submit a JCL to get access on other user's datasets. for this i have used USER and PASS parameters of the other user's details in my jobcard. even then i'm getting not authorized messages.

find below the JCL that i'm submitting to get access on other user's dataset.

//MYJOB JOB ,,NOTIFY=&SYSUID,CLASS=D,MSGLEVEL=(1,1),MSGCLASS=X      -
// USER=TARGET,PASS=ABCD                                             
//DATSETPR EXEC PGM=IKJEFT01,DYNAMNBR=20,REGION=512K                   
//SYSTSPRT DD SYSOUT=*                                                 
//SYSTSIN  DD  *                                                       
  ADDSD 'TARGET.DB2.PDS' UACC(READ)                         
  PE  'TARGET.DB2.PDS' ID(MYJOB) ACCESS(READ)             
//                                                                     


My final requirement is to get read access on TARGET.DB2.PDS
what can be the solution for this ?

the error i'm getting for this JCL is
READY                                                             
  ADDSD 'TARGET.DB2.PDS' UACC(READ)                   
ICH09025I NOT AUTHORIZED TO RACF PROTECT E183904.DB2.DAY3.CICS.PDS
READY                                                             
  PE  'TARGET.DB2.PDS' ID(MYJOB) ACCESS(READ)       
ICH06004I TARGET.DB2.PDS NOT DEFINED TO RACF           
READY                                                             
END                                                               
Sivapradeep
 
Posts: 35
Joined: Mon Mar 26, 2012 2:09 pm
Has thanked: 1 time
Been thanked: 1 time

Re: Submitting a job on behalf of other user

Postby steve-myers » Tue May 08, 2012 9:22 pm

There are many problems here.
  • The syntax of your JOB JCL statement is incorrect, so the USER=xxx statement was ignored. The job was run under your ID.
  • It's PASSWORD=xxx, not PASS=xxx.
  • Your ADDSD statement is incorrect. You are creating what is known as a "discrete" profile. You want to create a generic profile by specifying GENERIC.
  • The ID parameter in the PERMIT command is a userid, not a job name. You also want to specify GENERIC if you altering a generic profile.
You are much better off going through your security people rather than exposing TARGET to being fired for revealing his password to you. They will do the profile correctly.
steve-myers
Global moderator
 
Posts: 2105
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 243 times

Re: Submitting a job on behalf of other user

Postby Robert Sample » Tue May 08, 2012 9:30 pm

Many sites consider it a violation of their policies to do what you're attempting to do, and the penalties may range from mild up to termination of the employee. It is NEVER a good idea to attempt to avoid the site security group. Contact your site security group and have them give you proper access. This will help prevent the security auditor(s) from asking you LOTS of questions.
Robert Sample
Global moderator
 
Posts: 3720
Joined: Sat Dec 19, 2009 8:32 pm
Location: Dubuque, Iowa, USA
Has thanked: 1 time
Been thanked: 279 times

Re: Submitting a job on behalf of other user

Postby dick scherrer » Wed May 09, 2012 12:40 am

Hello,

I want to submit a JCL to get access on other user's datasets
Why does someone believe this is acceptable? If your management wants you to have this capability, your management should request the security admins provide proper permissions. . .

Why is it ok for you to know someone else's password? Often this is grounds for one or both people to be disciplined or even terminated. It violates the security standards nearly everywhere.
Hope this helps,
d.sch.
User avatar
dick scherrer
Global moderator
 
Posts: 6268
Joined: Sat Jun 09, 2007 8:58 am
Has thanked: 3 times
Been thanked: 93 times

Re: Submitting a job on behalf of other user

Postby Ed Goodman » Wed May 09, 2012 7:12 pm

Maybe "TARGET" has been fired, and TS is trying to clean up their mess. Maybe TS went to security group and they just gave them the password and told them to do it this way.
Ed Goodman
 
Posts: 341
Joined: Thu Feb 24, 2011 12:05 am
Has thanked: 3 times
Been thanked: 17 times

Re: Submitting a job on behalf of other user

Postby steve-myers » Wed May 09, 2012 7:35 pm

Ed Goodman wrote:Maybe "TARGET" has been fired, and TS is trying to clean up their mess. Maybe TS went to security group and they just gave them the password and told them to do it this way.
Ed, that's a nice try, but it won't fly.
  • If TARGET has been fired, the ID will have been either revoked or completely deleted; that approach won't work.
  • If TARGET has been deleted, no one can create TARGET.xxx profiles.
  • Security will have cleaned up the mess, not some third party.
  • If security handed the TS TARGET's password to the TS, they are just as culpable as TARGET was, and they should be fired.
  • If the TS has TARGET's password, the TS should have logged onto to TSO and done it directly, not submitted a batch job.
  • If TARGET wanted to give the TS access, he could do it himself, not give the TS his password.
After thinking about the messages, I realized TARGET.TEST.PDS is an alias. The profile the TS proposed will not give him access.
steve-myers
Global moderator
 
Posts: 2105
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 243 times

Re: Submitting a job on behalf of other user

Postby Sivapradeep » Thu May 10, 2012 12:02 am

Hi Steve.. I rectified those syntax errors and now its working pretty fine whatever I need..

For others... It's my mistake showing and asking only part of my code. I'm not violating any security issues here and not even cleaning up the mess done by TARGET!

I'll just give an overview the reason for doing like this.. I'm actually copying the contents of vsam into windows and creating an excel or showing in a browser. So the user enters his password and vsam name that has to be downloaded in Windows browser. Using MQ the password and filename reaches into mainframe and I have to execute a set of JCL REXX CObol prog that access his dataset from my address region. Since I don't have permission to view his datasets directly, I submit the above JCL to get read access and after finishing everything the access will b revoked. So there is no security violation since d during execution of prog only the access is there.

Hi scherrer.. the password is present In a variable that has dynamic data based on what user enters in Windows.

For the sake of simplicity I hardcoded the password and DSN name in the jcl. Both are dynamic in my tool.
Sivapradeep
 
Posts: 35
Joined: Mon Mar 26, 2012 2:09 pm
Has thanked: 1 time
Been thanked: 1 time

Re: Submitting a job on behalf of other user

Postby dick scherrer » Thu May 10, 2012 12:13 am

Thank you for the followup :)

d
User avatar
dick scherrer
Global moderator
 
Posts: 6268
Joined: Sat Jun 09, 2007 8:58 am
Has thanked: 3 times
Been thanked: 93 times

Re: Submitting a job on behalf of other user

Postby steve-myers » Thu May 10, 2012 2:29 am

Sivapradeep wrote:... So the user enters his password and vsam name that has to be downloaded in Windows browser ...
Was this scheme approved by security??? There are mechanisms in the security packages to handle this type of issue.

There are more issues here than meets the eye. For example, it appears the password is sent in the clear from the user's terminal to your application, and then in the JCL your application submits. This is not a good design. A better design has your application validating the alleged userid and password. This way the password, if sent in clear text from the user's terminal, can be discarded. You do not want clear text passwords hanging around in storage!

Your application can submit the job to retrieve the data using "surrogate" authority which allows it to submit the job with the USER=xxx JOB statement parameter without the password. "Surrogate" authority is normally used by job scheduling packages, but this is probably a valid use of it.
steve-myers
Global moderator
 
Posts: 2105
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 243 times

Re: Submitting a job on behalf of other user

Postby Sivapradeep » Thu May 10, 2012 8:25 am

Hi Steve.. giving surrogate access to my tool might not be possible easily I guess from the admin team.
Instead I'll try to implement some encrypt algorithm using java at Windows and correspond decrypt algorithm in MF side.. this may eliminate the problem which u told about " clear password "
Sivapradeep
 
Posts: 35
Joined: Mon Mar 26, 2012 2:09 pm
Has thanked: 1 time
Been thanked: 1 time

Next

Return to JCL

 


  • Related topics
    Replies
    Views
    Last post