Authorizing jobs
z/OS Security Server RACF Security Administrator's Guide SA23-2289-00
You can control which network jobs are authorized for processing at your installation on the basis of the submitter's user ID, group name, or security label associated with the inbound job. To authorize or restrict jobs entering your system from another
node, define a NODES profile that specifies the criteria on which
jobs are accepted. Ask your JES system programmer for the following:
Note: If no profile exists for a job when the NODES class is active
or if the NODES class is inactive, RACF performs only user ID, group name, and password validation
without performing any translation.
If no profile exists for a job when the NODES class is active, RACF verifies all security information available and a valid password and user ID must be specified on the job card.

You can further reduce the risk of security exposures by allowing jobs to be submitted from other nodes without requiring a password if the sending node properly validates and transmits a user's identity. You can either allow the submitter's identity (that is, the user ID and security label) to be propagated to the job or you can specify that the submitter is a surrogate submitter who can submit jobs on behalf of other users without needing a password.

For either case, you indicate in NODES class profiles which nodes are trusted to provide valid submitter identity information. You can restrict the trusted information to specified user IDs, group names, or security labels, if desired. This submitter identity information in combination with user data on the job card is used to determine the user identity to be used for the job.
1 In either case, if SECLABEL is specified on the job
card, it is used. If not, the SECLABEL of the submitter is propagated
to the job.
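The following RACF commands are an added example, not taken from the IBM guide, showing one way to express the trust policy described above for inbound jobs. The node names NODEA and NODEB and the choice of blocked user are constructed; the access levels assume the USERJ conventions of the NODES class (NONE fails the job, READ requires a valid user ID and password on the job card, UPDATE lets a trusted node's submitter identity propagate without a password).

```tso
/* Constructed node names: NODEA is trusted, NODEB is not.            */

/* Allow generic profiles in the NODES class before defining any.     */
SETROPTS GENERIC(NODES)

/* Baseline for every node: verify all security information, so the   */
/* job card must carry a valid user ID and password.                  */
RDEFINE NODES *.USERJ.* UACC(READ)

/* NODEA validates and transmits its users' identities: accept the    */
/* submitter's user ID without requiring a password.                  */
RDEFINE NODES NODEA.USERJ.* UACC(UPDATE)

/* Restrict the trust: one privileged user ID is never accepted from  */
/* NODEA, even though the node as a whole is trusted.                 */
RDEFINE NODES NODEA.USERJ.IBMUSER UACC(NONE)

/* Reject every job arriving from NODEB.                              */
RDEFINE NODES NODEB.USERJ.* UACC(NONE)

/* Activate the class and load its profiles into storage.             */
SETROPTS CLASSACT(NODES) RACLIST(NODES)

/* Review what is now in effect.                                      */
RLIST NODES * ALL
```

Define the profiles before activating the class so that inbound jobs are never evaluated against a partial rule set, and issue SETROPTS RACLIST(NODES) REFRESH after any later change.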
Copyright IBM Corporation 1990, 2014