ftp comes to mind, if submitting from a cics region I think that's more secure because IIRC the CICS SYSPROG needs to set this up?
Carmen Vitullo ----- Original Message ----- From: "Rex Pommier" <rpomm...@sfgmembers.com> To: IBM-MAIN@LISTSERV.UA.EDU Sent: Wednesday, September 4, 2019 1:15:46 PM Subject: Re: [External] Submitting batch if you don't have TSO SDSF has the capability of submitting jobs, FTP can copy JCL to an internal reader for a couple ways just off the top of my head. -----Original Message----- From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Bob Bridges Sent: Wednesday, September 4, 2019 1:06 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: [External] Submitting batch if you don't have TSO Not sure where to ask this, but I've wondered about it off and on for a while and it's past time I asked. I'm responsible for security at a mainframe shop where they use a lot of CICS. There are CICS transactions that fire off batch jobs; the way this place handles it is to submit the job under the authority of the CICS region ID (USER=<region> on the JOB card), and give each user of such a transaction the necessary authority. This gives me the screaming heeby-jeebies, but when I complain about it I get little support back. The problem, of course, is that if I'm authorized to submit jobs with USER=<region> on the JOB card then I can submit ~any~ such job, to do anything I want that the region can do. (And of course any installation that's careless about letting folks have that authority is even more careless about what their CICS regions can do.) One argument management offers in mitigation is that most of these CICS users don't have TSO, so they haven't the ability to submit batch jobs. Off-hand I can't contradict them, but I'm skeptical. I'm thinking there's probably a way and I just don't know about it. Can anyone confirm? If I were a CICS user without the ability to log on to TSO, could I still submit a batch job somehow? --- Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313 /* You know you've had too much coffee when.... Juan Valdez names his donkey after you. You've worn out the handle on your favorite coffee mug. Your eyes stay open when you sneeze. */ ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
