Secure Job Class

Document ID : KB000018788
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

Is there a way to secure the job class in which batch jobs run?

Solution:

In z/OS 2.1, one of the new features is the ability to use 8 character jobclasses in JES2. As part of that is also a new feature to do job class validation.

According to the IBM documentation, it will first check to see if one of two new FACILITY classes are enabled, JES.JOBCLASS.OWNER or JES.JOBCLASS.SUBMITTER (or both). If one or both of these are defined, then a SAF call for JESJOBS is done for:

JOBCLASS.jesnode.jobclass.job .

In z/OS 2.1, JES2 and JES3 have new SAF calls to control the use of specific job classes. In CA Top Secret, these SAF calls are triggered when users are permitted to either of the following IBMFAC class resources:

JES.JOBCLASS.OWNER
Checks whether the execution owner has access to the job class.

JES.JOBCLASS.SUBMITTER
Checks whether the submitting user ID has access to the job class.

When users are permitted to these resources JES2/JES3 will issue resource checks for new JESJOBS resources. The new JESJOBS resources have the format (JOBCLASS.node.class.jobname).

When implementing these controls, it is recommended that the JESJOBS resources be permitted before activating the controls with permits to the IBMFAC resources.

For example, to restrict USER1 to only submit jobs for class B while allowing all other users to submit jobs in any class on node N67, use the following commands:


TSS ADD(dept) IBMFAC(JES.JOBCLASS.OWNER)
TSS ADD(dept) IBMFAC(JES.JOBLCASS.SUBMITTER)
TSS ADD(dept) JESJOBS(JOBCLASS.N67)
TSS PER(USER1) JESJOBS(JOBCLASS.N67.B)
TSS PER(USER1) IBMFAC(JES.JOBCLASS.OWNER)
TSS PER(USER1) IBMFAC(JES.JOBCLASS.SUBMITTER)

IMPORTANT: For this support, CA Top Secret r15 fix RO63740 is required.

For sites running z/OS 1.13 or lower, to secure the job class, define a resource class (ie JOBCLASS) to the RDT and use the TSSINSTX (POSTINIT ENTRY POINT) to make a security call for this class to see if the user is authorized for that job class. See chapter 16 of the CA Top Secret r15 User Guide for info on the installation exit. See chapter 14 of the CA Top Secret r15 User Guide, section 'RDT Record', subsection 'Define a Resource to the RDT' for more information on defining a resource class to the RDT.

In the CA Top Secret 15.0 CAKOSRC library, there are members TSSINSTX and TSSINST1 which contain a skeleton CA Top Secret installation exit. There is some sample code in member TSSINST1 to call CA Top Secret security for jobcard "CLASS" parameter. This sample code can be modified as needed.