If they have 'job' authority, they can submit a JOB via SYSOUT(A,INTRDR)

On Wed, Sep 4, 2019 at 2:06 PM Bob Bridges <[email protected]> wrote:
> Not sure where to ask this, but I've wondered about it off and on for a
> while and it's past time I asked. I'm responsible for security at a
> mainframe shop where they use a lot of CICS. There are CICS transactions
> that fire off batch jobs; the way this place handles it is to submit the
> job under the authority of the CICS region ID (USER=<region> on the JOB
> card), and give each user of such a transaction the necessary authority.
>
> This gives me the screaming heeby-jeebies, but when I complain about it I
> get little support back. The problem, of course, is that if I'm authorized
> to submit jobs with USER=<region> on the JOB card then I can submit ~any~
> such job, to do anything I want that the region can do. (And of course any
> installation that's careless about letting folks have that authority is
> even more careless about what their CICS regions can do.)
>
> One argument management offers in mitigation is that most of these CICS
> users don't have TSO, so they haven't the ability to submit batch jobs.
> Off-hand I can't contradict them, but I'm skeptical. I'm thinking there's
> probably a way and I just don't know about it. Can anyone confirm? If I
> were a CICS user without the ability to log on to TSO, could I still submit
> a batch job somehow?
>
> ---
> Bob Bridges, [email protected], cell 336 382-7313
>
> /* You know you've had too much coffee when....
> Juan Valdez names his donkey after you.
> You've worn out the handle on your favorite coffee mug.
> Your eyes stay open when you sneeze. */
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>

--
John Kelly
