If I specify FILE=JES on an FTP PUT statement, I can FTP a batch job into JES and have it run under my FTP userid. This id has no special attributes. How can I restrict who can submit a batch job via FTP?

Document ID : KB000032016
Last Modified Date : 14/02/2018

Issue:

Users can specify FILE=JES with an FTP PUT statement, which lets them send a job into the system as a batch job. This needs to be restricted so that users cannot do that without permission. How can this be done?

Resolution:

JES under z/OS will make a SAF call under the class of JESJOBS when batch jobs enter the reader.  This is done for all batch jobs, not just FTP.  By default, CA ACF2 will ignore these SAF calls due to an internal SAFDEF record.  From a SHOW SAFDEF command, this is the SAFDEF record:

JESJOBS  JOBNAME=********   USERID=********   PROGRAM=********   RB=********
         RETCODE=4          SAFDEF=INTERNAL   MODE=IGNORE        SUBSYS=ACF2
         FUNCRET=4          FUNCRSN=0                                       
                                                                            
         RACROUTE REQUEST=AUTH,CLASS='JESJOBS'                              

To prevent these jobs from being run, you must define your own SAFDEF record to have CA ACF2 validate the entities when the class is JESJOBS. The problem is that there is nothing unique in the SAF call to indicate the job came from FTP so it is not possible to define a SAFDEF that would be limited to jobs being submitted from FTP. All submissions, including those from TSO, etc, would be validated. The ENTITYX for these JESJOBS validations is formatted as SUBMIT.node.jobname.userid.  By default, CLASMAP points JESJOBS to type SAF.  Standard ACF2 resource rule writing applies.  A sample rule would look like this:

$KEY(SUBMIT) TYPE(SAF)

node.jobname.userid UID(uid string) ALLOW

If you want to use a different type code, you will need to insert a CLASMAP record.  A sample would look like this:

INSERT CLASMAP.JJOBS RESOURCE(JESJOBS)

After the rules are in place, override the SAFDEF record.  Here is a sample:

INSERT SAFDEF.JJOBS ID(JJOBS) RACROUTE(REQUEST=AUTH,CLASS=JESJOBS)

Then refresh the GSO records just inserted:

F ACF2,REFRESH(CLASMAP)

F ACF2,REFRESH(SAFDEF)

Other validations that happen under JESJOBS are the following:

    HOLD.node.userid.jobname
    RELEASE.node.userid.jobname
    CANCEL.node.userid.jobname
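
Because the overriding SAFDEF makes every submission subject to validation, it helps to check a draft rule set against the entity names your jobs will generate before refreshing SAFDEF. The following is an added example, not CA's code and not part of the original article: it builds entity names in the layouts listed above and reports requests that no draft line allows. It is a simplified model that assumes `*` masks one character, `-` masks zero or more characters, and the first matching line decides; all node names, job names, userids and UID strings are constructed.

```python
import re

# Entity layouts as listed on this page. SUBMIT puts jobname before userid;
# HOLD, RELEASE and CANCEL put userid before jobname.
LAYOUTS = {"SUBMIT": "{node}.{jobname}.{userid}"}
LAYOUTS.update({op: "{node}.{userid}.{jobname}" for op in ("HOLD", "RELEASE", "CANCEL")})

def entity(op, node, jobname, userid):
    """Return the extended key checked under $KEY(op)."""
    return LAYOUTS[op].format(node=node, jobname=jobname, userid=userid)

def matches(mask, value):
    # Assumed mask semantics: '*' is exactly one character, '-' is zero or more.
    pattern = "".join(".*" if c == "-" else "." if c == "*" else re.escape(c)
                      for c in mask)
    return re.fullmatch(pattern, value) is not None

def decide(rules, op, ext_key, uid):
    """Simplified model: the first draft line that matches decides."""
    for r_op, r_mask, r_uid, action in rules:
        if r_op == op and matches(r_mask, ext_key) and matches(r_uid, uid):
            return action
    return "NO RULE"

def not_allowed(rules, requests):
    """List (entity, uid, outcome) for every request the draft does not ALLOW."""
    out = []
    for op, node, jobname, userid, uid in requests:
        ext = entity(op, node, jobname, userid)
        outcome = decide(rules, op, ext, uid)
        if outcome != "ALLOW":
            out.append((f"{op}.{ext}", uid, outcome))
    return out

# Constructed draft rule lines: ($KEY, extended-key mask, UID mask, action).
DRAFT = [
    ("SUBMIT", "NODEA.PAY-.-", "FINPAY-", "ALLOW"),
    ("SUBMIT", "NODEA.-", "OPS-", "ALLOW"),
]
# Constructed requests: (operation, node, jobname, userid, requester UID string).
REQUESTS = [
    ("SUBMIT", "NODEA", "PAYRUN01", "PAYUSR", "FINPAYPAYUSR"),
    ("SUBMIT", "NODEA", "FTPJOB1", "FTPUSR", "WEBFTPFTPUSR"),
    ("CANCEL", "NODEA", "PAYRUN01", "PAYUSR", "OPSADMOPER1"),
]

if __name__ == "__main__":
    print(*not_allowed(DRAFT, REQUESTS), sep="\n")
```

In this constructed run the CANCEL request is reported because the draft has no lines under `$KEY(CANCEL)`, which is the kind of gap worth finding before the SAFDEF goes live.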

With z/OS 2.1, IBM added controls in JESJOBS to protect the JOBCLASS also.  See the current CA ACF2 Administrators Guide, section titled "JESJOBS Controlling Access to JOBCLASS" for more information.