I'm saying to use surrogates. I did the same for SMP jobs back when it required 
UID(0). I didn't want to give myself more privileges than I had to.

I had RACF SPECIAL and a free hand as long as I sent an e-mail explaining, but 
I believe in the principle of least privilege. Even Jove nods.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר




________________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of 
Colin Paice <[email protected]>
Sent: Thursday, June 12, 2025 11:47 AM
To: [email protected] <[email protected]>
Subject: Re: STC Userids


Seymour,

You said
*I would go further and say that most production jobs should run under
PROTECTED userids. But then, I'm paranoid and don't even trust myself.*
Are you saying most production jobs should be run as started tasks, or
there is a clever way of submitting a job which runs under a protected
userid, perhaps with a surrogate userid?

Colin

On Thu, 12 Jun 2025 at 12:50, Seymour J Metz <[email protected]> wrote:

> I would go further and say that most production jobs should run under
> PROTECTED userids. But then, I'm paranoid and don't even trust myself.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
>
>
>
>
> ________________________________________
> From: IBM Mainframe Discussion List <[email protected]> on behalf
> of Robert S. Hansel <[email protected]>
> Sent: Thursday, June 12, 2025 6:39 AM
> To: [email protected] <[email protected]>
> Subject: Re: STC Userids
>
>
>
> Roberto,
>
> As others have pointed out, Started Task IDs with passwords could
> become revoked due to bad password entry or inactivity. Note that even if
> its ID is revoked or the password is expired, a Started Task will still
> start. This is a safety feature to prevent accidental or intentional denial
> of service. However, if a Started Task with a revoked ID submits a job, the
> job will fail due to the ID being revoked.
>
> Also of concern is that Help Desk staff could reset the password of a
> Started Task ID and then log on with the ID to use whatever authority it
> has, which is often considerable. RACF authorities that enable Help Desk
> staff to reset passwords block them from resetting passwords on PROTECTED
> IDs.
>
> Making Started Task IDs PROTECTED is considered to be a 'best practice'
> and is probably a STIG and CIS requirement. The same is generally true for
> production batch IDs.
>
> Regards, Bob
>
> Robert S. Hansel
> Lead RACF Specialist
> RSH Consulting, Inc.
> 617-969-8211
> http://www.linkedin.com/in/roberthansel
>
> http://www.rshconsulting.com
>
> -----Original Message-----
> Date:    Wed, 11 Jun 2025 09:05:33 -0400
> From:    Roberto Halais <[email protected]>
> Subject: STC Userids
>
> I would like some feedback on what would happen if we assign passwords to
> the stcs in our z/OS environment.
> At this moment the stcs have no passwords assigned to them.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
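The arrangement Seymour describes (a PROTECTED production ID that a scheduler reaches through a SURROGAT profile instead of a password) as an added example; this is not code from the thread or from any poster. PRODBAT, PRODGRP and SCHEDUSR are assumed names.

```jcl
//RACFDEF  JOB (ACCT),'PROTECT PROD ID',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the thread. Assumed names: PRODBAT is the
//* production batch userid, PRODGRP its owning group, SCHEDUSR the
//* scheduler userid that submits the nightly work.
//*
//* Step 1: ALTUSER ... NOPASSWORD NOPHRASE makes PRODBAT PROTECTED.
//*   A PROTECTED ID cannot be used to log on, cannot be revoked by
//*   bad-password attempts or inactivity, and a help-desk password
//*   reset does not apply to it (which is the risk Bob raised).
//* Step 2: the SURROGAT profile PRODBAT.SUBMIT, with READ for SCHEDUSR
//*   only, lets SCHEDUSR submit jobs that run as PRODBAT without any
//*   password being coded or known. UACC(NONE) keeps everyone else out.
//* Step 3: LISTUSER should show PROTECTED under ATTRIBUTES, and RLIST
//*   should show only SCHEDUSR in the access list.
//*
//* Comments are kept out of SYSTSIN on purpose: a line starting with
//* /* in the in-stream data would end the DD early.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTUSER PRODBAT NOPASSWORD NOPHRASE
  RDEFINE SURROGAT PRODBAT.SUBMIT UACC(NONE) OWNER(PRODGRP)
  PERMIT PRODBAT.SUBMIT CLASS(SURROGAT) ID(SCHEDUSR) ACCESS(READ)
  SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT)
  SETROPTS RACLIST(SURROGAT) REFRESH
  LISTUSER PRODBAT
  RLIST SURROGAT PRODBAT.SUBMIT AUTHUSER
/*
//*
//* A job submitted by SCHEDUSR then names the surrogate ID on the JOB
//* card with USER= and no PASSWORD= parameter at all:
//*
//PRODJOB  JOB (ACCT),'NIGHTLY RUN',CLASS=A,MSGCLASS=X,USER=PRODBAT
//STEP1    EXEC PGM=IEFBR14
```

Submitted by any ID other than SCHEDUSR, PRODJOB fails the SURROGAT check at job initiation, which is the audit trail you want to see.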