

Assign the Default ACID

If CA Top Secret is unable to derive an ACID from the USER= parameter or the JOBACID control option, it next checks whether a default ACID has been assigned. With a default ACID established, jobs that would otherwise trigger a security violation run under minimum access authorizations.

Note: If the submitting ACID was propagated from the sending node, it overrides the JOBACID.

Establish a Global Default ACID

To establish a global default ACID for batch jobs, use the DEFACID suboption of FACILITY. Enter the following control option into the Parameter File:

FACILITY(BATCH=DEFACID(BATDEF))

The BATDEF ACID must be defined with the BATCH facility, have no password specification, and be permitted the appropriate access authorizations. An example showing the creation of a BATDEF ACID is:

TSS CREATE(BATDEF) TYPE(USER)
                   NAME(BATDEF)
                   DEPARTMENT(SOFTDEV)
                   FACILITY(BATCH)
                   PASSWORD(NOPW,0)

Job Source as the Default ACID

The security administrator can assign a default ACID derived from the name of the physical reader, RJE, or NJE node from which the job is being submitted instead of assigning a single global default. Using the job source (JES device) name as the default ACID allows you to control remote job submission without changing your JCL.

To implement this option, enter the following control option into the Parameter File:

FACILITY(BATCH=DEFACID(RDR*TERM))

Once the previous entry is made in the Parameter File, the reader's default ACID can be created. For example, to define the default ACID for RJE TERMINAL R10.RD1, the following command is entered with the appropriate access authorizations:

TSS CREATE(R10@RD1) TYPE(USER)
                    NAME('DEFAULT-LOC-10')
                    DEPARTMENT(DEPTX)
                    PASSWORD(NOPW,0)
                    FACILITY(BATCH)
                    SOURCE(R10.RD1)

RJE devices may now be defined to JES with names up to four digits, for example R1234.RD1. When the RJE node number is four digits, the name for the default ACID is derived by eliminating the period (.) in the device name. The SOURCE definition has the period dropped as well. The command to create the ACID in this case is:

TSS CREATE(R1234RD1) TYPE(USER)
                     NAME('DEFAULT-LCO-1234')
                     DEPARTMENT(DEPTX)
                     PASSWORD(NOPW,0)
                     FACILITY(BATCH)
                     SOURCE(R1234RD1)
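
The naming rule above, as an added example (not part of the CA Top Secret documentation): a Python helper that derives the default ACID and SOURCE value from an RJE reader name and emits the TSS CREATE command in the layout shown on this page. Assumptions: the helper names, the device-name pattern, the '@' substitution for node numbers shorter than four digits (inferred from the R10.RD1 example), and the 8-character ACID length check.

```python
import re

# Assumed pattern for RJE reader names as shown on the page: R<node>.RD<n>
_RJE_READER = re.compile(r"^R(\d{1,4})\.(RD\d+)$")
MAX_ACID_LEN = 8  # assumed ACID length limit


def derive_default_acid(device):
    """Return (acid, source) for an RJE reader device name such as R10.RD1."""
    m = _RJE_READER.match(device.upper())
    if not m:
        raise ValueError("not an RJE reader name: %r" % device)
    node, reader = m.groups()
    if len(node) == 4:
        # Four-digit node: the period is dropped in both the ACID and SOURCE.
        acid = source = "R%s%s" % (node, reader)
    else:
        # Shorter node: '@' replaces the period in the ACID, SOURCE keeps it
        # (inferred from the page's R10.RD1 example).
        acid, source = "R%s@%s" % (node, reader), "R%s.%s" % (node, reader)
    if len(acid) > MAX_ACID_LEN:
        raise ValueError("derived ACID %s exceeds %d characters" % (acid, MAX_ACID_LEN))
    return acid, source


def build_create_command(device, name, department):
    """Build the TSS CREATE command for the reader's default ACID."""
    acid, source = derive_default_acid(device)
    head = "TSS CREATE(%s) " % acid
    operands = [
        "TYPE(USER)",
        "NAME('%s')" % name,
        "DEPARTMENT(%s)" % department,
        "PASSWORD(NOPW,0)",   # default ACIDs carry no password
        "FACILITY(BATCH)",    # restricted to the BATCH facility
        "SOURCE(%s)" % source,  # ties the ACID to the one reader
    ]
    pad = " " * len(head)
    return "\n".join([head + operands[0]] + [pad + op for op in operands[1:]])


if __name__ == "__main__":
    # Constructed sample inputs taken from the two examples on this page.
    for dev, label in [("R10.RD1", "DEFAULT-LOC-10"), ("R1234.RD1", "DEFAULT-LOC-1234")]:
        print(build_create_command(dev, label, "DEPTX"), end="\n\n")
```

Review the generated commands before issuing them; each one creates a passwordless ACID, so the SOURCE restriction and the permitted access authorizations are what bound its use.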