On Wed, 11 Sep 2019 12:15:11 -0500, Paul Gilmartin <paulgboul...@aim.com> wrote:
>As I follow this thread, I wonder why CICS doesn't submit batch jobs
>with the credentials of the requesting individual rather than the CICS
>region.

Some of the IBM CICS designers over the years have wanted to allow that. The IBM z/OS Security and Integrity teams (in my time) strongly resisted that because with the design of CICS it's not safe. Yes, CICS verifies the user's identity with RACF (or other security product) but after that there are storage isolation issues in a multi-user environment such as a CICS region that make it impossible for the system to trust the user's identity sufficiently to allow it to propagate to another environment such as a batch job.

Note that this is a fundamental issue with multi-user address spaces that run customer- or user-provided code, not just with CICS. It can be mitigated by vigilant and vigorous inspection of all the customer- and/or user-provided code that will run in the region. However, it can only be truly resolved by appropriate protection and isolation of both the control blocks that prove a user's identity and the transaction code. And, unfortunately, providing that isolation has performance implications and might require hardware changes. Those performance implications were considered unacceptable for a CICS environment.

We had some interesting discussions over the years investigating potential CICS or z/OS software changes, possibly coupled with z hardware changes, that could allow protection and propagation of the user's identity safely, but none of them resulted in satisfactory solutions that would also maintain the required level of performance.

-- Walt (former SAF and RACF Designer/Developer, for those who may not know)