This topic comes up from time to time at my shop. We have allowed it in the past, but we try to steer away from any new development with submitting batch jobs from a region.
The security implications are extremely broad. If you're using a generic CICS plan exit for DB2 that is defined to use the region userid as plan authorization, then the region userid has update access to every DB2 table that is updated by a CICS transaction. If a user submits a QMF or SPUFI job under the region userid, then they can read your DB2 tables. Or even worse, update them. The region userid may also have update access to system datasets. It will definitely have read access to system datasets (although it may be limited to CICS-specific HLQs). I would only allow the region to submit jobs under a different user.

Thank you,
Brian Chapman

On Thu, Sep 5, 2019 at 1:59 PM Seymour J Metz <[email protected]> wrote:

> https://www.oed.com/view/Entry/246938
>
> But there are some good auditors, and if you're lucky enough to have them
> they're your natural allies.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> ________________________________________
> From: IBM Mainframe Discussion List <[email protected]> on behalf of John McKown <[email protected]>
> Sent: Thursday, September 5, 2019 1:49 PM
> To: [email protected]
> Subject: Re: Submitting batch if you don't have TSO
>
> On Thu, Sep 5, 2019 at 12:38 PM Seymour J Metz <[email protected]> wrote:
>
> > There's no way that adding a RACF segment would reduce the exposure. They
> > need to close the loophole. I'm cheering for the auditor, assuming that
> > he's not brain dead.
>
> Most auditors that I've had to work with are abysmally ignorant of z/OS, or
> anything other than Windows. Except one in the past, pre-Windows, who was
> an idiot. He wanted an explanation of every possible exit in MVS and every
> installed product on MVS and what could be done using them. {shudder}
>
> > --
> > Shmuel (Seymour J.) Metz
> > http://mason.gmu.edu/~smetz3
>
> --
> I find television very educational. The minute somebody turns it on, I go
> into the library and read a good book
> -- Groucho Marx
>
> Maranatha! <><
> John McKown
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
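Added example, not from the thread: what "only allow the region to submit jobs under a different user" looks like in practice. A job written to the internal reader with no USER= on the JOB card runs under the submitter's identity, which for a CICS region is the region userid with all of the DB2 plan and dataset access Brian describes. The corrected form names a separate batch userid on the JOB card and grants the region userid surrogate authority to submit on its behalf through the RACF SURROGAT class, so the job carries only that userid's permissions. The userids CICSREGN and BATCHUSR, the accounting field and the job classes are assumed for illustration; the RACF commands and the SURROGAT profile format userid.SUBMIT are standard.

```jcl
//*-------------------------------------------------------------------
//* WEAK FORM: no USER= on the JOB card. Submitted from a CICS region
//* (transient data to the internal reader or SPOOLOPEN), this job
//* inherits the region userid, and with it the region's DB2 plan
//* authorization and its READ/UPDATE access to system datasets.
//*-------------------------------------------------------------------
//BATCHJOB JOB (ACCT),'FROM CICS',CLASS=A,MSGCLASS=X
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  DSN SYSTEM(DB2A)
  RUN PROGRAM(DSNTEP2) PLAN(DSNTEP2)
  END
/*
//*-------------------------------------------------------------------
//* ONE-TIME SETUP (run by a RACF administrator, not by the region):
//* define a SURROGAT profile for the batch userid and let the region
//* userid submit work as that userid without supplying its password.
//* CICSREGN and BATCHUSR are placeholder names.
//*-------------------------------------------------------------------
//RACFDEF  JOB (ACCT),'SURROGAT SETUP',CLASS=A,MSGCLASS=X
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT)
  RDEFINE  SURROGAT BATCHUSR.SUBMIT UACC(NONE)
  PERMIT   BATCHUSR.SUBMIT CLASS(SURROGAT) ID(CICSREGN) ACCESS(READ)
  SETROPTS RACLIST(SURROGAT) REFRESH
  RLIST    SURROGAT BATCHUSR.SUBMIT AUTHUSER
/*
//*-------------------------------------------------------------------
//* CORRECTED FORM: USER= names the batch userid. RACF checks that the
//* submitter (CICSREGN) has READ to BATCHUSR.SUBMIT in SURROGAT; the
//* job then runs with BATCHUSR's DB2 and dataset permissions only.
//* Give BATCHUSR access to just the plans and datasets this job needs.
//*-------------------------------------------------------------------
//BATCHJOB JOB (ACCT),'FROM CICS',CLASS=A,MSGCLASS=X,USER=BATCHUSR
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  DSN SYSTEM(DB2A)
  RUN PROGRAM(DSNTEP2) PLAN(DSNTEP2)
  END
/*
```

The RLIST at the end of the setup job is the check to run during a review: if the AUTHUSER list for a given userid.SUBMIT profile contains the region userid, the region can act as that user, so the batch userids reachable this way deserve the same scrutiny as the region userid itself. Conversely, if no SURROGAT profiles are defined and jobs still leave the region without USER=, they are running as the region.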
