I am running CA Auditor function 0.6.1 to create skeleton JCL used in the Baseline automatic batch job submission processing. How would I define the ACF2 logonid to be used in skeleton JCL without a password?

Document ID : KB000024014
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:  

 

I am running CA Auditor function 0.6.1 to create skeleton JCL used in the Baseline automatic batch job submission processing. How would I define the ACF2 logonid to be used in skeleton JCL without a password?

Answer:  

The JCL control member(skeleton JCL) that is generated by function 0.6.1 must provide a jobcard which conforms to site standards and should specify a USER= logonid for the logonid that the EXAMBASE proc will run under. For sites using ACF2 as the external security manager this logonid can be defined with the ACF2 logonid RESTRICT privilege. An ACF2 restricted logonid does not require a password for user verification.

When setting up the Auditor Baseline function to automatically detect audit worthy changes to the system, function 0.6.1 is run to create the JCL control member to be used in CA Auditor's automatic batch job submission processing. This JCL control member specifies the logonid that the batch processing JCL will run under in the "USER=" parameter of the JOBCARD. Sites may want to specify a logonid that does not require a password to avoid the security risks associated with specifying a clear text password in a JCL member. 


Sites that use ACF2 as the External Security Manager(ESM) can create a logonid with the RESTRICT privilege that does not require a password for user verification. CA ACF2 logs all jobs submitted by restricted logonids, except for jobs submitted by those jobs.

To prevent unauthorized use of an ACF2 logonid with the RESTRICT privilege, ACF2 logonid restrictions such as PROGRAM, SOURCE and SUBAUTH can be used. These logonid fields are used as follows.

PROGRAM(program): Specifies a one- to eight-character program name or name mask. The specified program must be used to submit jobs for this logonid; if the logonid has SUBAUTH, this program must be APF-authorized.

SOURCE(sourceid): Specifies the one- to eight-character logical or physical input source name or source group name from which a user must access the system.

SUBAUTH|NOSUBAUTH: Indicates that jobs that specify this logonid can be submitted only through APF-authorized programs.

For CA Auditor batch processing the ACF2 restrictions that can be specified for the logonid are SOURCE(STCINRDR), PROGRAM(LTDATJST), and SUBAUTH.

Additional Information:

Details on the ACF2 RESTRICT, PROGRAM, SUBAUTH and SOURCE logonid fields can be found in the CA ACF2 for z/OS  Security for z/OS Administrator, Guide Chapter 3: Maintaining Logonid Records, section "Logonid Record Fields".


Details on CA Auditor Baseline processing can be found in the CA Examine Auditing Technical Reference Guide in Chapter 13: Baseline Alerts and Maintenance.