Not sure where to ask this, but I've wondered about it off and on for a while 
and it's past time I asked.  I'm responsible for security at a mainframe shop 
where they use a lot of CICS.  There are CICS transactions that fire off batch 
jobs; the way this place handles it is to submit the job under the authority of 
the CICS region ID (USER=<region> on the JOB card), and give each user of such 
a transaction the necessary authority.

This gives me the screaming heebie-jeebies, but when I complain about it I get 
little support back.  The problem, of course, is that if I'm authorized to 
submit jobs with USER=<region> on the JOB card then I can submit ~any~ such 
job, to do anything I want that the region can do.  (And of course any 
installation that's careless about letting folks have that authority is even 
more careless about what their CICS regions can do.)

One argument management offers in mitigation is that most of these CICS users 
don't have TSO, so they haven't the ability to submit batch jobs.  Off-hand I 
can't contradict them, but I'm skeptical.  I'm thinking there's probably a way 
and I just don't know about it.  Can anyone confirm?  If I were a CICS user 
without the ability to log on to TSO, could I still submit a batch job somehow?

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* You know you've had too much coffee when....
        Juan Valdez names his donkey after you.
        You've worn out the handle on your favorite coffee mug.
        Your eyes stay open when you sneeze. */
