What is the use of PGM, RESTRICT, and SUBAUTH in CA ACF2 logonids?

Document ID : KB000027276
Last Modified Date : 14/02/2018

Issue:

What is the use of PGM, RESTRICT,  and SUBAUTH in CA ACF2 logonids?


Description:

This knowledge document describes the RESTRICT, PGM and SUBAUTH logonid privileges, how PGM and SUBAUTH tighten a RESTRICT logonid, and test scenarios showing which combinations allow a submitted job to run.


Resolution:

RESTRICT specifies that the logonid is intended for production batch use (not for online or STC use) and does not require a password. By itself, this privilege leaves the logonid open to unauthorized use: anyone who can submit a job can name the logonid on it, and ACF2 accepts the job without any password. A bare RESTRICT logonid is therefore not suitable for production work, although it can serve as a batch default logonid that is given only limited read/write/allocate access.

PROGRAM(pgm_name), abbreviated PGM(pgm_name) in the examples below, specifies that this logonid can only be used when jobs are submitted by the named program. This adds a restriction, but only the program name is checked: the program does not have to be authorized, so a user who can run a program of that name from an unauthorized library can still submit jobs with the logonid.

SUBAUTH specifies that this logonid can only be used when jobs are submitted by an authorized program, that is, a program that resides in an APF-authorized library and was link-edited with SETCODE AC(1). This provides a much more secure environment, since the site has full control over which libraries are APF authorized and who can update them. Note that SUBAUTH alone accepts any authorized program; combine it with PGM to tie the logonid to one specific authorized program.

Examples:

Batch Logonid   Privileges
TSTBAT          RESTRICT
TSTBAT1         RESTRICT, PGM(pgm_name)
TSTBAT2         RESTRICT, PGM(pgm_name), SUBAUTH
TSTBAT3         RESTRICT, SUBAUTH

(Note: batch logonids also need the JOB privilege if the GSO OPTS record specifies JOBCK. The Restricted Logonid Job Log report, ACFRPTJL, shows the submitting program name for each job that used a logonid with the RESTRICT privilege and whether that program was authorized.)
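The four example logonids above, defined with ACF commands run under the ACF2 batch command processor. This is an added example and not part of the original knowledge document: the job card, the NAME values, the use of ACFBATCH as the batch command processor, and the program name TSTSUBM (standing in for pgm_name) are assumptions for illustration. The long form PROGRAM is used for the field the page abbreviates as PGM, and JOB is included because of the JOBCK note above. The issuing logonid needs the authority to insert logonid records.

```jcl
//DEFLIDS  JOB (ACCT),'DEFINE RESTRICT LIDS',CLASS=A,MSGCLASS=X
//*
//* Added example (assumptions: ACFBATCH batch command processor,
//* TSTSUBM in place of pgm_name). One INSERT per row of the table:
//*   TSTBAT   RESTRICT only     - no password, any submitter, any program
//*   TSTBAT1  + PROGRAM         - submitting program must be named TSTSUBM
//*   TSTBAT2  + PROGRAM+SUBAUTH - must be TSTSUBM AND APF-authorized/AC(1)
//*   TSTBAT3  + SUBAUTH         - any APF-authorized AC(1) program
//* The closing LIST shows the fields that actually took effect.
//*
//ACFB     EXEC PGM=ACFBATCH
//SYSPRINT DD   SYSOUT=*
//SYSIN    DD   *
SET LID
INSERT TSTBAT  NAME(TEST BATCH 0) RESTRICT JOB
INSERT TSTBAT1 NAME(TEST BATCH 1) RESTRICT JOB PROGRAM(TSTSUBM)
INSERT TSTBAT2 NAME(TEST BATCH 2) RESTRICT JOB PROGRAM(TSTSUBM) SUBAUTH
INSERT TSTBAT3 NAME(TEST BATCH 3) RESTRICT JOB SUBAUTH
LIST LIKE(TSTBAT-)
END
/*
```

When reviewing existing RESTRICT logonids, the same LIST output is the quick check: a logonid showing RESTRICT with neither PROGRAM nor SUBAUTH is usable by any job submitter on the system.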

Test scenario 1:

Submit a test job that uses the batch logonid (TSTBAT#) directly from TSO, so that the submitting program is IKJEFF04.

Batch logonid     Result
TSTBAT            runs OK, there are no program or authorization restrictions
TSTBAT1           fails with ACF01009, because IKJEFF04 is not pgm_name
TSTBAT2, TSTBAT3  fail with ACF01008, because the submitting program is not authorized

Test scenario 2:

Submit a test job with the batch logonid (TSTBAT#) from the program pgm_name, where pgm_name resides in a library that is not APF authorized and/or was not link-edited with AC(1).

Batch logonid   Result
TSTBAT          runs OK, there are no program or authorization restrictions
TSTBAT1         runs OK, the submitting program matches pgm_name
TSTBAT2         fails with ACF01008, the submitting program matches pgm_name but is not authorized
TSTBAT3         fails with ACF01008, the submitting program is not authorized

Test scenario 3:

Submit a test job with the batch logonid (TSTBAT#) from the program pgm_name, where pgm_name resides in an APF-authorized library and was link-edited with AC(1).

Batch logonid   Result
TSTBAT          runs OK, there are no program or authorization restrictions
TSTBAT1         runs OK, the submitting program matches pgm_name
TSTBAT2         runs OK, the submitting program matches pgm_name and is authorized
TSTBAT3         runs OK, the submitting program is authorized (note that any authorized program can submit a job that uses this logonid)
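The test job used in the three scenarios above, as an added example that is not part of the original document. It assumes the ACF2 //*LOGONID JES control statement to name the logonid (the USER= parameter on the JOB statement is the alternative), the job card shown, and TSTSUBM as the name standing in for pgm_name. The job body is deliberately trivial: which ACF2 check fires depends on what submitted the job, not on what the job runs.

```jcl
//TSTJOB   JOB (ACCT),'RESTRICT TEST',CLASS=A,MSGCLASS=X
//*LOGONID TSTBAT2
//*
//* Added example (assumptions: //*LOGONID statement, TSTSUBM = pgm_name).
//* TSTBAT2 is RESTRICT, so no //*PASSWORD statement is supplied.
//* Expected outcome for this JCL by submitting program:
//*   scenario 1, submitted from TSO (IKJEFF04):        ACF01008
//*   scenario 2, TSTSUBM from a non-APF library / no AC(1): ACF01008
//*   scenario 3, TSTSUBM from an APF library, AC(1):   runs, step below executes
//* Change TSTBAT2 to TSTBAT, TSTBAT1 or TSTBAT3 to exercise the other
//* rows of the result tables (TSTBAT1 from TSO yields ACF01009 instead).
//*
//STEP1    EXEC PGM=IEFBR14
```

After each run, the ACFRPTJL report for the job shows the submitting program name and whether it was authorized, which is the evidence to keep when proving that a production RESTRICT logonid cannot be used from TSO or from an unauthorized copy of the submitter.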