Implementing Security for Batch › Assign ACIDs to Batch Jobs Not Submitted Online › Protecting Card and Remote Readers

Protecting Card and Remote Readers

For jobs being submitted from a physical reader, RJE, or NJE terminals, the submitter's password must be manually coded in the PASSWORD= parameter on the JOB statement unless the associated ACID does not require a password. Because CA Top Secret cannot insert the password on remote or physical readers, the following suggestions are offered for implementing controls in this situation.

• Use a TSS CREATE/ADD entry with the batch job's ACID to specify the PASSWORD(NOPW) attribute. In this example, the JOB1 ACID does not require a password, so password authorization is not checked. JOB1 executes without coding a password in the JOB statement, thus avoiding security violation.

  TSS CREATE(JOB1) TYPE(USER)
                   NAME(JOB01)
                   DEPARTMENT(OPERAT)
                   FACILITY(BATCH)
                   PASSWORD(NOPW,0)
                   SOURCE(R10)
  

  Note: The disadvantage of specifying the PASSWORD(NOPW) attribute is that no CA Top Secret security is enforced for the person who placed the JOB in the reader.

• To allow some control of job submission from remote readers, use the TSS CREATE/ADD entry to attach the TERMINAL attribute to the ACID associated with the batch job. This restricts the job's execution to that device.

  Adding the SOURCE parameter to the ACID also restricts the job's initiation to a specific terminal or reader:

  TSS ADDTO(JOB1) SOURCE(R10)
  

• Another option is to monitor job submission through the AUDIT attribute. A security administrator, with the correct administrative authorities, can add the AUDIT attribute to the ACID associated with the batch job. This provides a trail of all activity related to this ACID in the Audit/Tracking File. For information, see the Report and Tracking Guide.