Question on security issue when executing a system command through the product region

Document ID : KB000031090
Last Modified Date : 14/02/2018

Question :

Is an MVS command submitted from a Netmaster or Solve region executed on behalf of the STC user or on behalf of the user submitting the system command?


Solution :

An MVS command can be submitted from a Netmaster or Solve region using the SYSCMD command.

The identity under which an MVS command submitted from a Netmaster or Solve region is authorized depends on how the user submitting the command is identified. If the region is configured for SAF (Security Access Facility) to return a SAF UTOKEN, such as with NMSAF, then the user is identified and the authorization is based on that user's profile related to the OPERCMDS resource class.

If the region is not configured with a security exit (partial or full), then the authorization is based on the STC user's profile related to the OPERCMDS resource class.
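
The two cases above, sketched as security-product definitions; this is an added example, not taken from this article or from the product documentation. It assumes RACF is the SAF security product and that the commands are checked against the standard z/OS MVS.* resource names in OPERCMDS. The IDs NMSTC (the region's STC user), OPER1 and NETOPS are hypothetical.

```tso
/* Added example. Assumptions: RACF is the security product;        */
/* NMSTC = region STC user, OPER1 = a user, NETOPS = a group.        */
/* All three IDs are hypothetical.                                   */

/* Common setup: activate the class and protect the commands.        */
SETROPTS CLASSACT(OPERCMDS) GENERIC(OPERCMDS) RACLIST(OPERCMDS)
RDEFINE OPERCMDS MVS.DISPLAY.** UACC(NONE)
RDEFINE OPERCMDS MVS.VARY.**    UACC(NONE)

/* Case 1: the region returns a SAF UTOKEN (for example SEC=NMSAF).  */
/* The check is made against the submitting user, so access is       */
/* granted per user or group and can differ between operators.       */
PERMIT MVS.DISPLAY.** CLASS(OPERCMDS) ID(NETOPS) ACCESS(READ)
PERMIT MVS.VARY.**    CLASS(OPERCMDS) ID(OPER1)  ACCESS(UPDATE)

/* Case 2: the region runs without a security exit.                  */
/* The check is made against the STC user, so whatever NMSTC is      */
/* permitted here applies to every SYSCMD issued from the region,    */
/* whoever submits it. Keep this list as small as possible.          */
PERMIT MVS.DISPLAY.** CLASS(OPERCMDS) ID(NMSTC) ACCESS(READ)

/* Make the changes effective.                                       */
SETROPTS RACLIST(OPERCMDS) REFRESH
```

In case 2, a review of who can issue system commands has to look at who can use SYSCMD inside the region, because OPERCMDS only sees the STC user.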

The security option is set in RUNSYSIN through the SEC= parameter with one of the following values:

SEC={ * | NO | PARTSAF | NMSAF | NMSAFF | name }

 Specifies whether the region uses a security exit.

An asterisk (*) specifies that the region uses a security exit if one has been link edited into the NM001 load module. If no security exit has been link edited, then the region uses the NMUEX01 load module.

If NO is specified, no security exit is used. This specification overrides any link edited exit or the NMUEX01 load module.

If PARTSAF is specified, a vendor-supplied partial security exit that uses SAF is used.

If NMSAF is specified, the vendor-supplied partial security solution is used.

If NMSAFF is specified, the vendor-supplied full security solution is used.

If a name is specified, the named load module is loaded and used as the security exit. If this load module cannot be found, then the region terminates.


Important! If an abend occurs in the exit and the requested function cannot be performed, it is regarded as a security exposure and the region terminates. Message N00303 is sent to the console as a WTO, with RC=8.

Note: For more information about security exits, see the Security Guide.