Protecting job descriptions
If a user profile name is used as the value for the User field in a job description, any jobs submitted with the job description can run under that user profile. Thus an unauthorized user might submit a job to run under the user profile specified in the job description.
At security level 40 and higher, the job fails unless the user submitting the job has *USE authority to both the job description and the user profile that is specified in the job description. At security level 30, the job runs if the submitter has *USE authority to the job description. The submitter does not need to have *USE authority to the user profile specified in the job description.
This is the issue encountered most often when moving from security level 30 to level 40 or 50. A job description can name a user profile on its USER parameter. At level 30, when that job description is used on a submit, the only authority check is whether the submitting user has *USE authority to the job description. At levels 40 and 50 the same check is made, plus a second one: whether the submitting user also has *USE authority to the user profile named in the job description. That second check causes most of the failures seen after raising the security level, and it is easy to resolve.

By default, a newly created user profile has *PUBLIC authority of *EXCLUDE, so no other user can submit a job to run under it simply by pointing at a job description that names it. Where this is intended, the security administrator grants *USE authority to the user profile to each user who should be able to submit jobs under it; the grant should go to those users (or an authorization list), not to *PUBLIC. For example, to let USER1 submit jobs that run under the profile JOBDUSER named in a job description:
- GRTOBJAUT OBJ(JOBDUSER) OBJTYPE(*USRPRF) USER(USER1) AUT(*USE)
- SBMJOB CMD(CALL PGM(TEST)) JOB(TEST) USER(*JOBD)
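The following CL source is an added example and is not part of the IBM documentation. It walks the whole procedure end to end: create the target profile and a job description that names it, grant the two authorities the checks above require, then submit as the ordinary user. The library PAYLIB, job description PAYJOBD, profile PAYBATCH, submitting user USER1 and program PAYRUN are all hypothetical names chosen for the example.

```cl
/* Added example; not from the IBM i documentation.                   */
/* Hypothetical names: library PAYLIB, job description PAYJOBD,       */
/* target profile PAYBATCH, submitting profile USER1, program PAYRUN. */

/* ---- Run as the security officer (QSECOFR or *SECADM/*ALLOBJ) ---- */

/* Profile the batch work runs under. CRTUSRPRF defaults to           */
/* AUT(*EXCLUDE), so no other user can reference it yet, and          */
/* PASSWORD(*NONE) means nobody can sign on as it interactively.      */
CRTUSRPRF USRPRF(PAYBATCH) PASSWORD(*NONE) INLMNU(*SIGNOFF) +
          TEXT('Batch owner for payroll jobs')

/* Job description naming that profile on its USER parameter.         */
/* AUT(*EXCLUDE) keeps *PUBLIC away from the job description too.     */
CRTJOBD JOBD(PAYLIB/PAYJOBD) USER(PAYBATCH) AUT(*EXCLUDE) +
        TEXT('Submit payroll under PAYBATCH')

/* Check 1 (all security levels): *USE to the job description.        */
GRTOBJAUT OBJ(PAYLIB/PAYJOBD) OBJTYPE(*JOBD) USER(USER1) AUT(*USE)

/* Check 2 (security level 40 and 50 only): *USE to the user profile. */
/* Without this grant, USER1's SBMJOB below fails at level 40/50 but  */
/* succeeds at level 30, which is the migration symptom described.    */
GRTOBJAUT OBJ(PAYBATCH) OBJTYPE(*USRPRF) USER(USER1) AUT(*USE)

/* Verify the grant went to USER1 only and *PUBLIC is still *EXCLUDE. */
DSPOBJAUT OBJ(PAYBATCH) OBJTYPE(*USRPRF) OUTPUT(*PRINT)

/* ---- Run as USER1 ---- */

/* USER(*JOBD) takes the user from the job description, so the        */
/* submitted job runs as PAYBATCH rather than as USER1.               */
SBMJOB CMD(CALL PGM(PAYLIB/PAYRUN)) JOB(PAYRUN) +
       JOBD(PAYLIB/PAYJOBD) USER(*JOBD)

/* Confirm the submitted job and, once active, its current user.      */
WRKSBMJOB SBMFROM(*USER)
```

Before raising QSECURITY, running the security officer half against every job description that PRTJOBDAUT reports is what prevents the level 40/50 failures; the USER1 half is the regression test that proves the grant is sufficient.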
To find all *JOBD objects that name a user profile, sign on as a security officer and run the PRTJOBDAUT LIB(*ALL) command.
Journal entry:
An authority failure (AF) entry is written to the QAUDJRN audit journal when all of the following are true:
- The auditing function is active
- The QAUDLVL system value includes *AUTFAIL
- A user submits a job while that user is not authorized to the user profile named in the job description
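The following CL commands are an added example and are not part of the IBM documentation. They confirm the two configuration conditions above and then extract the AF entries so the failed submits can be reviewed. Assumptions: CPYAUDJRNE names its output file from the OUTFILE name plus the entry type (QTEMP/QAUDIT becomes QTEMP/QAUDITAF), and the column names follow the QASYAFJ5 model file; confirm both with DSPFFD on the resulting file before building reports on them.

```cl
/* Added example; not from the IBM i documentation.                   */

/* Conditions 1 and 2: auditing active and *AUTFAIL in QAUDLVL.       */
/* DSPSYSVAL only displays the current values.                        */
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)

/* CHGSECAUD sets both values and creates QAUDJRN if it is missing.   */
/* QAUDLVL is a list: repeat every value you want to keep; passing    */
/* *AUTFAIL alone would drop any other audit levels already set.      */
CHGSECAUD QAUDCTL(*AUDLVL) QAUDLVL(*AUTFAIL *SECURITY)

/* Condition 3 has occurred: copy the AF entries from the current     */
/* receiver chain into a file shaped by the AF model (QASYAFJ5).      */
/* Output file name is OUTFILE plus entry type: QTEMP/QAUDITAF.       */
CPYAUDJRNE ENTTYP(AF) OUTFILE(QTEMP/QAUDIT) JRNRCV(*CURCHAIN)

/* Check the column names before relying on them (assumption above). */
DSPFFD FILE(QTEMP/QAUDITAF) OUTPUT(*PRINT)

/* Print the entries; the violation type, object name and object     */
/* type columns identify the user profile the submitter lacked *USE   */
/* authority to, and the user columns identify who submitted.         */
RUNQRY QRYFILE((QTEMP/QAUDITAF)) OUTPUT(*PRINT)
```

Running this on the old security level with *AUTFAIL active is not useful for this case, since the profile check is not made at level 30; the AF entries appear only once the system is at level 40 or 50, or when the submits are tested on a level 40/50 system beforehand.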