

Securing BATCH Jobs

You can use CA Top Secret to provide security protection for the BATCH facility.

Signon Security and Authorization Restrictions

CA Top Secret views BATCH as a facility that must be protected and authorized for use. To provide protection, each batch job must be associated with an ACID and password.

To grant access authorization you can:

To secure the BATCH facility, enter the command:

TSS ADDTO(USER) FACILITY(BATCH)

ACID Derivation

CA Top Secret treats a batch job like an ACID. It has an associated user record with a set of specific access authorizations. CA Top Secret derives an ACID for batch jobs submitted through an online facility based on the SUBACID control option. The value used most often derives the ACID from the user ACID signed on to the online facility. This allows the batch job to run with the same ACID as the ACID of the online user.

Another way to derive an ACID and minimize required JCL revisions at the same time is to use the JOBACID control option. This derives an ACID from information on the existing JOB statement. If you want:

The derived ACID must be a valid ACID. If it is not, the default ACID specified using the DEFACID suboption of the FACILITY control option is applied to the job.

Password Validation

In IMPLEMENT and FAIL mode, a user must supply a valid password. In WARN and DORMANT mode, you can use the FACILITY control option to force the user to supply a valid password. For information, see the Implementation: Other Interfaces Guide.

Card and Remote Reader Security

Jobs submitted from a physical reader must have the submitter’s password manually coded in the PASSWORD= parameter on the JOB statement—unless the associated ACID does not require a password.

Job Submission Validation

By default, CA Top Secret allows a defined user to submit batch jobs for which the ACID is specifically authorized. Explicit authority is required to permit a user to submit jobs identified by other ACIDs. The authority needed to submit these jobs is granted using the ACID keyword of TSS PERMIT.
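
The submission rule above, together with the PASSWORD= coding described under Card and Remote Reader Security, can be reviewed across a JCL library before jobs are submitted. The following Python example is added here and is not CA Top Secret code or part of the original documentation; the sample JCL, the ACID names and the `permits` table (standing in for grants made with the ACID keyword of TSS PERMIT) are constructed, and it assumes a job runs under the ACID coded in USER= on the JOB statement, otherwise under the submitter's ACID.

```python
import re

# Constructed sample JCL: three JOB statements, the first continued onto a second line.
SAMPLE_JCL = """\
//PAYROLL1 JOB (ACCT01),'NIGHTLY RUN',CLASS=A,
//         USER=PRODPAY,PASSWORD=CHANGEME
//STEP1    EXEC PGM=IEFBR14
//REPORT2  JOB (ACCT01),'AD HOC',CLASS=B   NO USER= CODED
//CLEANUP3 JOB (ACCT02),'PURGE',USER=OPSACID
//STEP1    EXEC PGM=IEFBR14
"""

def operand_field(text):
    """Return the operand field: everything up to the first blank outside quotes."""
    in_quote = False
    for i, ch in enumerate(text):
        if ch == "'":
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return text[:i]          # anything after this blank is a JCL comment
    return text

def job_statements(jcl):
    """Yield (jobname, operands) per JOB statement, joining continuation lines."""
    lines, i = jcl.splitlines(), 0
    while i < len(lines):
        m = re.match(r"//(\S+)\s+JOB\s+(.*)", lines[i])
        i += 1
        if not m:
            continue
        operands = operand_field(m.group(2))
        # A trailing comma means the operands continue on the next "// " line.
        while operands.endswith(",") and i < len(lines) and lines[i].startswith("// "):
            operands += operand_field(lines[i][2:].lstrip())
            i += 1
        yield m.group(1), operands

def audit(jcl, submitter, permits):
    """Model the rule: a user's own ACID is allowed, any other ACID needs a permit."""
    findings = []
    for name, ops in job_statements(jcl):
        user = re.search(r"(?:^|,)USER=([^,]+)", ops)
        # Assumption: USER= names the job's ACID; otherwise the submitter's is used.
        run_acid = user.group(1) if user else submitter
        pw = bool(re.search(r"(?:^|,)PASSWORD=", ops))
        ok = run_acid == submitter or run_acid in permits.get(submitter, set())
        findings.append({"job": name, "acid": run_acid,
                         "password_in_jcl": pw, "authorized": ok})
    return findings
```

Calling `audit(SAMPLE_JCL, "USER01", {"USER01": {"PRODPAY"}})` reports CLEANUP3 as a cross-ACID submission with no matching permit and PAYROLL1 as a job that carries its password in the JCL.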

Job Scheduling Security

Production job scheduling systems (such as CA Scheduler JM) can have authority to submit any job as required. This authority can be: