Special Usage Considerations › Security Prevalidation › Interface Limitations
Interface Limitations
To prevent CA JCLCheck from creating a security exposure at a site, CA JCLCheck imposes certain limitations on security prevalidation. CA JCLCheck does not do a security signon as another user and run under that user's security environment because this creates a security exposure. This is not allowed. The result is that the standard security environment applies to any user executing CA JCLCheck. For example, suppose a user runs CA JCLCheck and the CTLSCAN option is active; this option forces CA JCLCheck to read and interpret the control statements of utility programs, such as IDCAMS. If you do not have at least read access to the control statement input file, CA JCLCheck issues the message CAY6329E, ACCESS DENIED TO LIBRARY BY SECURITY and does not attempt to open the file. The system 913 ABEND does not occur.
The following are limitations:
- CA JCLCheck does not check VSAM catalog access and OS CVOL catalog access.
- CA JCLCheck verifies ICF catalog access by having UPDATE access to the data set on the ICF catalog volume.
- Run CPU, run date and runtime are not available for an SAF-compatible product because of the limitations of the SAF RACROUTE macro, but they are available with CA ACF2.
- Use of PADS (Program Access using Data Set) is only available with CA ACF2 r6.0, and not with SAF-compatible products, because the SAF RACROUTE REQUEST=AUTH macro does not support the required operands.
- CA JCLCheck does not check the ddnames STEPLIB and JOBLIB for either update or read access, and assumes that it does not need to open these ddnames for read or update access, only execute.
The following are reasons for CAY6329E messages:
- The PXREF option is on and you do not have read access to a STEPLIB, JOBLIB, LINKLIST, or to a library in the JCL that has a member name in parentheses.
- The CTLSCAN option is on and you do not have read access to the library containing the control statements.
- CA JCLCheck is attempting to expand a cataloged procedure and the user does not have read access to a proclib defined to CA JCLCheck.
- CA JCLCheck can use the sample MBRCHKX exit, member CAZ1XSEC in CAZ2SRC to bypass opening a file for the PXREF and CTLSCAN options.
Copyright © 2014 CA.
All rights reserved.
|
|