Controlling remote commands and batch jobs

Several options are available to help you control which remote commands and jobs can run on your system.

You can use the network job action (JOBACN) network attribute to prevent network jobs from being submitted or to prevent them from running automatically.

If your system uses distributed data management (DDM), you can:
  • Restrict access to DDM files to prevent users from using the Submit Remote Command (SBMRMTCMD) command from another system. To use the SBMRMTCMD, the user must be able to open a DDM file. You also need to restrict the ability to create DDM files.
  • Specify an exit program for the DDM request access (DDMACC) system value. In the exit program, you can evaluate all DDM requests before allowing them.

You can specify explicitly which program requests can run in a communications environment by removing the PGMEVOKE routing entry from subsystem descriptions. The PGMEVOKE routing entry allows the requester to specify the program that runs. When you remove this routing entry from subsystem descriptions, such as the QCMN subsystem description, you must add routing entries for the communications requests that need to run successfully.

For each request that you want to allow, you can add a routing entry with the compare value and the program name both equal to the program name. When you use this method, you need to understand the work management environment on your system and the types of communications requests that occur on your system. If possible, you should test all types of communications requests to ensure that they work properly after you change the routing entries. When a communications request does not find an available routing entry, you receive a CPF1269 message. Another alternative is to set the public authority to *EXCLUDE for the transaction programs that you do not want to run on your system.