Allowing surrogate job submission
//jobname JOB 'accounting-information',USER=TOM
All access checks are done with TOM's user ID. Any auditing records produced by RACF® because of the submitted job's actions include the information that the job is a surrogate job (unless the PASSWORD parameter is specified on the JOB statement).
The surrogate user must specify the execution user's user ID on the USER parameter on the JOB statement and must not specify a password. If the PASSWORD parameter is specified with a password, surrogate processing is not performed, and audit records generated by the job's activities do not indicate that the job is a surrogate job. This applies not only to jobs submitted through the TSO SUBMIT command, but any time the surrogate user is a RACF-defined user.
- If a security label is specified for the submitted job, the specified label must be equal to or greater than the current security label of the surrogate user, and both the surrogate and execution users must have READ authority to the specified label. After job verification is complete, the job submitted by the surrogate user runs as if the execution user had submitted the job.
- If a security label is not specified for the submitted job but the surrogate user has a current security label, the submitted job runs with the surrogate user's current security label.
- Ensure that the installation exit for the TSO SUBMIT command (IKJEFF10) does not prevent users from submitting jobs with job names that do not match their user IDs. The installation exit supplied by IBM® meets this requirement, because it does not check the JCL of submitted jobs. For more information, see z/OS TSO/E Customization.
- If your installation implemented the
sample ICHRTX00 exit from SYS1.SAMPLIB member RACINSTL to enable surrogate
user processing, you should migrate to profiles in the SURROGAT class.
After RACF is installed, the
code in the ICHRTX00 exit that checks
$SUBMIT.userid
profiles is not used. You should copy the$SUBMIT.userid
profiles to SURROGAT profiles as follows:RDEFINE SURROGAT execution-userid.SUBMIT FROM($SUBMIT.execution-userid) FCLASS(FACILITY)
- Define resource profiles in the SURROGAT class for each
execution user who needs to allow others to be surrogate users:
RDEFINE SURROGAT execution-userid.SUBMIT UACC(NONE) OWNER(execution-userid)
Note: Specifying the OWNER operand allows the execution user to issue the PERMIT command for this profile. - To specify that another user can act as the surrogate for
an execution user, give the surrogate user READ access authority:
PERMIT execution-userid.SUBMIT CLASS(SURROGAT) ID(surrogate-userid) ACCESS(READ)
Only users and groups that have READ access authority are allowed to submit jobs on behalf of another user.
To check whether a user can submit jobs for another user, make sure the user (or a group the user is a member of) is in the access list with READ access authority:RLIST SURROGAT execution-userid.SUBMIT AUTHUSER
- When you are ready to control access using the
SURROGAT profiles, activate
the SURROGAT class:
If the SURROGAT profile is not already raclisted, then run:SETROPTS CLASSACT(SURROGAT)
If the SURRAGAT profile is already raclisted, you should run:SETROPTS RACLIST(SURROGAT)
SETROPTS RACLIST(SURROGAT) REFRESH
To disable surrogate support for a particular user, delete the profile for that user. To disable surrogate support for all users, deactivate the SURROGAT class.
- NJE notes:
- The node in which SURROGAT checking occurs depends on the job statements (see Where NJE jobs are verified). For verification done on the receiving node, the SURROGAT checking is done after any translation due to NODES profiles. (See Understanding NODES profiles.)
If the submitter of a job is a started procedure, the execution node is not checked during SURROGAT processing.