Securing JES Resource Classes

Jim McNeill
NYRUG November 25, 2014

©2014 Vanguard Integrity Professionals, Inc. 1

Session Topics

• Job Control Overview
• Controlling Job Input
• Controlling JOB CLASSES
• Controlling Printing (Output)
• Controlling Access to SPOOL
• Controlling NJE Security

RACF Related Classes

[Diagram: the RACF classes along the path of a job through MVS/JES. Input side: JESJOBS, JESINPUT, NODES, SURROGAT and PROPCNTL, covering work arriving from NJE, RJE/RJP, TSO SUBMIT and batch (internal reader). Command side: OPERCMDS, CONSOLE and SDSF. Output side: WRITER for SYSOUT sent to NJE, RJE/RJP and line or PSF printers; JESSPOOL for SYSIN/SYSOUT held on the SPOOL.]

Input and Output Controls

• Input Controls
– Control of job names (JESJOBS)
– Control of who can use which job classes (JESJOBS JOBCLASS profiles, switched on by FACILITY profiles)
– Control of who can enter jobs from where (JESINPUT/NODES)
– Control of surrogate submission (SURROGAT)

• Output Controls
– Control of who can send jobs and SYSOUT where (WRITER)
– Control of who can access SYSOUT on the spool (JESSPOOL)

Security Tokens

• Associated with a job during input services
– Identifies the submitter of the job
– Identifies the owner of the job
– Identifies the owner of all resources associated with the job
• SYSIN
• SYSOUT

• Transportable - not tied to a particular address space

Security Tokens

[Diagram: where each token is carried]
JES input queue     STOKEN   Job submitter
Processing          UTOKEN   Job owner
JES output queue    RTOKEN   Resource owner

Token Format

[Diagram: token layout]
OWNER portion:       USERID  GROUP  EX-NODE   POE
SUBMITTER portion:   USERID  GROUP  SUB-NODE
FLAGS, ETC.:         Surrogate, Privileged, Trusted, Internal/External, Session Type

Who is the Submitter?

[Diagram]
- The UTOKEN of the submitting job or user becomes the job's STOKEN (for SUBMIT and the internal reader the STOKEN comes from the submitting job).
- For NJE jobs the submitter's UTOKEN is translated through the NODES class; a possible unknown NJE user appears as ????????.
- An unknown local user appears as ++++++++.

Who is the Job Owner?

Sources of the owner userid: USER= from the JOB card; a USER propagated via the internal reader; or an undefined user.

[Diagram: JES input services issue RACROUTE REQUEST=VERIFY/VERIFYX, which builds the ACEE and the UTOKEN (userid, groupid, ...).]

SETR JES(BATCHALLRACF) requires every batch job to carry a RACF-defined userid.

Determining the Job's Owner

JOB statement                                      Internal Reader            RJE/RJP Devices   Local & NJE Reader Nodes
USER/PASSWORD coded (or user translated, NJE)      Coded value                Coded value       Coded value
USER/PASSWORD not coded (or user not translated,   Submitting user ID         ++++++++          ????????
NJE)                                               is propagated

Preventing JES Propagation

[Diagram: a job TRNA submitted from the CICSPRD address space. In the first case no USER= is coded, so the submitter's identity CICSPRD would be propagated to TRNA. With PROPCNTL active and a profile named CICSPRD, that propagation is suppressed and the job must carry its userid itself.]

//TRNA JOB acctnum,
//TRNA JOB acctnum,USER=CICSPRD

RACF commands:
SETR CLASSACT(PROPCNTL)
RDEF PROPCNTL CICSPRD UACC(NONE)       PROPCNTL class profile: discrete, named for the userid that must not be propagated
SETR RACLIST(PROPCNTL)

Control of Job Submission

//Jobname JOB . . .   → JES

Which jobs? From whom? From where?

Steps to Protect Job Input

• Decide job name standards.
• Decide what jobs are to be restricted.
• Decide who is allowed to submit each job, and from where.
• Activate the classes and define test profiles: JESJOBS, JESINPUT and SURROGAT.

Controlling Job Names – JESJOBS

‘Nasty Class’ RC=8

//VANPAY1 JOB . . .   → JES

Job name control based on "who" and "from where"

JESJOBS profiles:
SUBMIT.node.jobname.userid    UACC / access list
CANCEL.node.userid.jobname    UACC / access list
Backstops:
SUBMIT.**    UACC(READ)
CANCEL.**    UACC(NONE)

Defining JESJOBS Class Profiles

• To allow only the PAYROLL group to submit the VANPAY jobs from node LVPROD:
RDEF JESJOBS SUBMIT.LVPROD.VANPAY*.* UACC(NONE)
PERMIT SUBMIT.LVPROD.VANPAY*.* CL(JESJOBS) ID(PAYROLL) AC(READ)

• To allow only KAREN to cancel the VANPAY jobs from LVPROD:
RDEF JESJOBS CANCEL.LVPROD.*.VANPAY* UACC(NONE)
PERMIT CANCEL.LVPROD.*.VANPAY* CL(JESJOBS) ID(KAREN) AC(ALTER)

• To allow anyone to submit all other jobs:
RDEF JESJOBS SUBMIT.** UACC(READ)

Controlling Job Classes – JESJOBS

‘Nasty Class’ RC=8

//VANPAY1 JOB . . .CLASS=B   → JES

FACILITY profiles determine who is checked: the submitter, the owner, or no check at all.

FACILITY profiles:
JES.JOBCLASS.OWNER        (UACC and access list not used)
JES.JOBCLASS.SUBMITTER    (UACC and access list not used)

The profile(s) must be discrete; they are used only as switches.

Controlling Job Classes – JESJOBS

‘Nasty Class’ RC=8

//VANPAY1 JOB . . .CLASS=B   → JES

JESJOBS profiles determine who can use a given job class.

JESJOBS profile:
JOBCLASS.nodename.jobclass.jobname    UACC / access list

Generics may be used.

Defining JESJOBS Class Profiles

User JIMM submits a CLASS=B job named JIMMX with USER=BOB on the JOB card. The local node is VANLV. (The SURROGAT check for BOB.SUBMIT is made as usual.)

If there is a JES.JOBCLASS.OWNER profile in the FACILITY class, a check is made that user BOB has READ access to the JESJOBS profile:

RDEF JESJOBS JOBCLASS.VANLV.B.JIMMX OWNER(SECADMN) UACC(NONE)
PE JOBCLASS.VANLV.B.JIMMX CLASS(JESJOBS) ID(BOB) ACC(R)

If there is a JES.JOBCLASS.SUBMITTER profile in the FACILITY class, a check is made that user JIMM has READ access to the JESJOBS profile:

RDEF JESJOBS JOBCLASS.VANLV.B.JIMMX OWNER(SECADMN) UACC(NONE)
PE JOBCLASS.VANLV.B.JIMMX CLASS(JESJOBS) ID(JIMM) ACC(R)

If both FACILITY class profiles exist, then both JIMM and BOB must have READ access to the JESJOBS class profile.

Hints for Defining JESJOBS Class Profiles

You probably want a backstop profile that allows all users access to all job classes:
RDEF JESJOBS JOBCLASS.** OWNER(SECADMN) UACC(READ)

Then define profiles to limit certain classes:
RDEF JESJOBS JOBCLASS.*.P.* OWNER(SECADMN) UACC(NONE)
PE JOBCLASS.*.P.* CLASS(JESJOBS) ID(PRODJOBS) ACC(R)

If JESJOBS was not previously active, be sure to define SUBMIT.** and/or CANCEL.** before activating the class. Remember that JESJOBS is a "nasty" class: once it is active, a job whose resource name no profile covers fails.
Create the FACILITY class switch profiles after the JESJOBS profiles, so the job class checks are not switched on before the profiles that satisfy them exist.

Port-of-Entry Control – JESINPUT Class

‘Nasty Class’ RC=8

Device              JES2 POE name        JES3 POE name
JES reader          RDRnn                JNAME of reader
Disk reader         n/a                  DR member name
RJE/RJP reader      Rnnnn.RDn            Workstation name
NJE reader          Adjacent node name   NJERDR
Dump Job            n/a                  DUMPJOB
Spool Offload       OFFn.JR              n/a
Internal reader     INTRDR               INTRDR
TSO SUBMIT          INTRDR               INTRDR
Started tasks       STCINRDR             STCINRDR
TSO logons          TSUINRDR             TSO terminal name

RDEF JESINPUT R124.RD1 UACC(NONE)
PE R124.RD1 CL(JESINPUT) ID(PAYROLL) AC(READ)
RDEF JESINPUT ** UA(READ)

Surrogate Job Submission

//jobname JOB USER=JILL   → JES   (submitted by JACK)

SURROGAT class profile:
JILL.SUBMIT    access list: JACK / READ

RDEF SURROGAT JILL.SUBMIT OWNER(SECADMN) UACC(NONE)
PE JILL.SUBMIT CLASS(SURROGAT) ID(JACK) AC(READ)
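The input-side checks on the preceding slides (owner determination and PROPCNTL, SURROGAT, JESINPUT, JESJOBS SUBMIT, and JOBCLASS with its FACILITY switches) run against the profiles the deck defines. The following Python is an added example, not code from the deck or from Vanguard: a deliberately simplified model of RACF generic profile matching and of that sequence of checks, loaded with the deck's own profiles. The USERS table, PAT's membership in PAYROLL, the BOB.SUBMIT surrogate profile (which the slide only alludes to), and the choice to check JESINPUT against the job's userid are assumptions; real RACF profile selection is more elaborate than the ordering rule used here.

```python
"""Added example, not from the deck: a simplified model of the input-side
checks JES2 makes, loaded with the deck's own profiles. Assumed: the USERS
table, PAT in PAYROLL, the BOB.SUBMIT profile, JESINPUT checked on the owner."""
import re

ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def _match(pq, rq):
    """'**' spans qualifiers, '*' spans characters within one qualifier,
    '%' matches exactly one character."""
    if not pq:
        return not rq
    if pq[0] == "**":
        return any(_match(pq[1:], rq[i:]) for i in range(len(rq) + 1))
    if not rq:
        return False
    pat = re.escape(pq[0]).replace(r"\*", "[^.]*").replace(r"\%", "%").replace("%", ".")
    return re.fullmatch(pat, rq[0]) is not None and _match(pq[1:], rq[1:])


class Profile:
    def __init__(self, name, uacc="NONE", **acl):
        self.name, self.uacc, self.acl = name, uacc, acl

    def covers(self, resource):
        return _match(self.name.split("."), resource.split("."))

    def specificity(self):  # literal < % < * < ** per position; most specific sorts first
        key = []
        for q in self.name.split("."):
            key += [3] if q == "**" else [{"%": 1, "*": 2}.get(c, 0) for c in q]
        return key

    def access_for(self, userid, groups):
        if userid in self.acl:  # an explicit user entry wins over group entries
            return self.acl[userid]
        hits = [self.acl[g] for g in groups if g in self.acl]
        return max(hits, key=ORDER.index) if hits else self.uacc


def check(db, cls, resource, userid, groups, needed="READ"):
    """One authorization check. In a 'nasty' class a resource that no profile
    covers fails the request, which is what the deck's RC=8 refers to."""
    covering = [p for p in db.get(cls, []) if p.covers(resource)]
    if not covering:
        return False, f"{cls} {resource}: no covering profile (RC=8)"
    best = min(covering, key=Profile.specificity)
    have = best.access_for(userid, groups)
    return ORDER.index(have) >= ORDER.index(needed), f"{cls} {resource}: {userid} has {have} via {best.name}"


# Constructed from the deck (VANPAY/LVPROD, JIMMX/VANLV, JILL/JACK, R124.RD1, CICSPRD).
USERS = {"PAT": ["PAYROLL"], "EVE": [], "JIMM": [], "BOB": [], "KAREN": [], "JILL": [], "JACK": [], "CICSPRD": []}
DB = {
    "JESJOBS": [Profile("SUBMIT.LVPROD.VANPAY*.*", PAYROLL="READ"),
                Profile("CANCEL.LVPROD.*.VANPAY*", KAREN="ALTER"),
                Profile("SUBMIT.**", uacc="READ"), Profile("CANCEL.**"),
                Profile("JOBCLASS.**", uacc="READ"),
                Profile("JOBCLASS.*.P.*", PRODJOBS="READ"),
                Profile("JOBCLASS.VANLV.B.JIMMX", BOB="READ", JIMM="READ")],
    "FACILITY": [Profile("JES.JOBCLASS.OWNER"), Profile("JES.JOBCLASS.SUBMITTER")],
    "SURROGAT": [Profile("JILL.SUBMIT", JACK="READ"), Profile("BOB.SUBMIT", JIMM="READ")],
    "JESINPUT": [Profile("R124.RD1", PAYROLL="READ"), Profile("**", uacc="READ")],
    "PROPCNTL": [Profile("CICSPRD")],
}


def job_input(db, submitter, jobname, jobclass, node, poe, user=None, password=False):
    """Walk the input-side checks for one job. Returns (accepted, owner, log)."""
    log = []

    def need(cls, res, who):
        ok, why = check(db, cls, res, who, USERS.get(who, []))
        log.append(why)
        return ok

    # 1. Owner: USER= wins; else the submitter is propagated, unless a PROPCNTL
    #    profile names the submitter, which leaves the job with an undefined user.
    if user:
        owner = user
    elif any(p.name == submitter for p in db.get("PROPCNTL", [])):
        owner = "++++++++"
    else:
        owner = submitter
    if owner not in USERS:  # SETR JES(BATCHALLRACF): an undefined user fails
        return False, owner, log + [f"owner {owner} is not RACF-defined"]
    # 2. Surrogate submission: USER= names someone else and no password was given.
    if owner != submitter and not password and not need("SURROGAT", f"{owner}.SUBMIT", submitter):
        return False, owner, log
    # 3. Port of entry (checked here against the job's userid: an assumption).
    if not need("JESINPUT", poe, owner):
        return False, owner, log
    # 4. Job name: the submitter needs READ to SUBMIT.node.jobname.owner.
    if not need("JESJOBS", f"SUBMIT.{node}.{jobname}.{owner}", submitter):
        return False, owner, log
    # 5. Job class: each FACILITY switch profile that exists selects who is checked.
    switches = {p.name for p in db.get("FACILITY", [])}
    res = f"JOBCLASS.{node}.{jobclass}.{jobname}"
    for switch, who in (("JES.JOBCLASS.OWNER", owner), ("JES.JOBCLASS.SUBMITTER", submitter)):
        if switch in switches and not need("JESJOBS", res, who):
            return False, owner, log
    return True, owner, log
```

Two behaviours from the deck are visible when `job_input` is run over the scenarios: with SUBMIT.** removed from the JESJOBS list, an ordinary job fails with "no covering profile", which is the 'nasty class' outcome the backstop prevents; and the JOBCLASS check is made only for the party whose FACILITY switch profile exists, so removing JES.JOBCLASS.SUBMITTER drops the JIMM check while keeping the BOB check.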

Steps to Protect Job Output

• Define the printers to protect.
• Decide who can use which printers.
• Decide who can look at other users' SYSOUT.
• Activate the classes and define test profiles: WRITER and JESSPOOL.

Printer Access – WRITER Class

‘Nasty Class’ RC=8

JES2 PARMS: PRT(n) . . .
JES3 PARMS: DEVICE JNAME=

WRITER profiles:
jesx.LOCAL.devn                                  UACC / access list
jesx.RJE.devn (JES2) or jesx.RJP.devn (JES3)     UACC / access list

Defining WRITER Class Profiles

• To allow only the PAYROLL group to use local printer PRT45:
RDEF WRITER JES%.LOCAL.PRT45 UACC(NONE)
PE JES%.LOCAL.PRT45 CL(WRITER) ID(PAYROLL) AC(READ)

• To allow only the PAYROLL group to use the remote printer R5:
RDEF WRITER JES%.RJE.R5 UACC(NONE)
PE JES%.RJE.R5 CL(WRITER) ID(PAYROLL) AC(READ)

• To allow all users to use all other printers:
RDEF WRITER JES%.*.** UACC(READ)

Access Control to SYSOUT – JESSPOOL

‘Nasty Class’ RC=8

[Diagram: JES reads and writes SYSOUT on the SPOOL; access is checked against JESSPOOL profiles in the RACF database.]

JESSPOOL profile:
node.userid.jobname.jobid.Dsid.dsname    UACC / access list

Access to SYSOUT

Requirement                                                          Auth.   JESSPOOL profile name
Allow viewing of CAROL's data for the ACCOUNT job on LVPROD          READ    LVPROD.CAROL.ACCOUNT.**
Allow deletion of BETH's data for the BACKUP job on LVPROD           ALTER   LVPROD.BETH.BACKUP.**
Allow receipt of data sent to FRANK for the BLKMAIL job,             ALTER   LVPROD.FRANK.BLKMAIL.*.*.MAILDATA
MAILDATA data set, on LVPROD

Steps to Protect NJE

• Control inbound and outbound work?
• Control jobs and/or SYSOUT?
• Control whose work is sent and received?
• Activate the classes and define profiles: WRITER and NODES.
• RACLIST and test.

NJE – WRITER and NODES Classes

To control sending (WRITER class at the sending node; the profile names the target node):
  JOBS      JES%.NJE.node
  SYSOUT    JES%.NJE.node

To control receipt (NODES class at the receiving node; the profile names the sending node):
  JOBS      node.USERJ.userid    node.GROUPJ.groupid
  SYSOUT    node.USERS.userid    node.GROUPS.groupid

NODES Class Profile – UACC

Requirement                                          Regard for sending node/user ID   Needed UACC
No need to re-verify password on incoming jobs       TRUSTED                            CONTROL / UPDATE
(no password needed)
Re-verify user ID and password on incoming jobs      SEMI-TRUSTED                       READ
(password needed)
No jobs accepted from node/user/group                UNTRUSTED                          NONE

Controlling Outgoing Jobs and SYSOUT

[Diagram: a job submitted at ORANGE with USER=NANCY, executed on VEGAS (XEQ) and printed on DALLAS (PRT). NANCY has a USER profile in each node's RACF database.]

// ..... JOB USER=NANCY

ORANGE (submitting node)    WRITER profile    JES%.NJE.VEGAS     NANCY(READ)
VEGAS (execution node)      WRITER profile    JES%.NJE.DALLAS    NANCY(READ)
DALLAS (output node)        WRITER profile    JES%.LOCAL.PRT1    NANCY(READ)    Nancy's output

Controlling Entry of Jobs – NODES Class

[Diagram: the same job; XEQ on VEGAS, PRT on DALLAS.]

// ..... JOB USER=NANCY

ORANGE (submitting node)
VEGAS (execution node)      NODES profile    ORANGE.USERJ.NANCY    NANCY's USER profile at VEGAS
DALLAS (output node)        NODES profile    VEGAS.USERS.NANCY     NANCY's USER profile at DALLAS; Nancy's output

USERID Translation

[Diagram: a job submitted at ORANGE by RICKY (OWNER=RICKY, SUSER=RICKY), executed on VEGAS, with the output returned to ORANGE for printing.]

At VEGAS (execution node) the NODES profile translates the job's owner RICKY to LUCY; the submitter stays RICKY:
RDEF NODES ORANGE.USERJ.RICKY UA(UPDATE) ADDMEM(LUCY)
    incoming OWNER=RICKY SUSER=RICKY   →   OWNER=LUCY SUSER=RICKY    (USER profile LUCY in Vegas's RACF DB)

At ORANGE (output node) the NODES profile translates the owner of the returning SYSOUT to the submitting user (&SUSER), so Ricky gets his output:
RDEF NODES VEGAS.USERS.* UA(UPDATE) ADDMEM(&SUSER)
    incoming OWNER=LUCY SUSER=RICKY    →   OWNER=&SUSER=RICKY SUSER=RICKY    (USER profile RICKY in Orange's RACF DB)
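The NJE slides above (WRITER at the sending node, NODES trust levels by UACC, and ADDMEM translation including &SUSER) describe one job's path through ORANGE, VEGAS and DALLAS. The following Python is an added example, not code from the deck or from Vanguard: a simplified model of those decisions loaded with the deck's profiles, so the NANCY and RICKY/LUCY cases can be traced end to end. Matching is reduced to literal qualifiers, `*` for a whole qualifier and `%` for one character; treating a resource no NODES profile covers as untrusted is a choice of this model, not a statement about JES defaults. The READ backstop ORANGE.USERJ.* at VEGAS, the NONE backstop *.USERJ.* at DALLAS, the user BOB, the JES%.NJE.DALLAS entry at ORANGE and the LUCY/RICKY WRITER entries are assumptions added for the scenarios.

```python
"""Added example, not from the deck: a simplified model of the NJE controls in
the ORANGE / VEGAS / DALLAS scenario. WRITER profiles at the sending node gate
what leaves (JES%.NJE.<target>); NODES profiles at the receiving node set trust
by UACC and translate the owner via ADDMEM (&SUSER = the original submitter).
Assumed: the READ backstop at VEGAS, the NONE backstop at DALLAS, user BOB,
the JES%.NJE.DALLAS entry at ORANGE and the LUCY/RICKY WRITER entries. A
resource no NODES profile covers is treated as untrusted (model choice)."""


def covers(profile, resource):
    """Literal qualifiers, '*' for a whole qualifier, '%' for one character."""
    pq, rq = profile.split("."), resource.split(".")
    return len(pq) == len(rq) and all(
        p == "*" or (len(p) == len(r) and all(a in (b, "%") for a, b in zip(p, r)))
        for p, r in zip(pq, rq))


def best(profiles, resource):
    hits = [n for n in profiles if covers(n, resource)]
    return min(hits, key=lambda n: n.count("*")) if hits else None  # fewest generics wins


# Per node: defined users, WRITER profiles (uacc, access list), NODES profiles (uacc, ADDMEM).
NODE = {
    "ORANGE": {"USERS": {"NANCY", "RICKY", "BOB"},
               "WRITER": {"JES%.NJE.VEGAS": ("NONE", {"NANCY": "READ", "RICKY": "READ", "BOB": "READ"}),
                          "JES%.NJE.DALLAS": ("READ", {}),
                          "JES%.LOCAL.PRT1": ("NONE", {"RICKY": "READ"})},
               "NODES": {"VEGAS.USERS.*": ("UPDATE", "&SUSER")}},
    "VEGAS": {"USERS": {"NANCY", "LUCY", "BOB"},
              "WRITER": {"JES%.NJE.DALLAS": ("NONE", {"NANCY": "READ"}),
                         "JES%.NJE.ORANGE": ("NONE", {"LUCY": "READ"})},
              "NODES": {"ORANGE.USERJ.NANCY": ("UPDATE", None),
                        "ORANGE.USERJ.RICKY": ("UPDATE", "LUCY"),
                        "ORANGE.USERJ.*": ("READ", None)}},
    "DALLAS": {"USERS": {"NANCY"},
               "WRITER": {"JES%.LOCAL.PRT1": ("NONE", {"NANCY": "READ"})},
               "NODES": {"VEGAS.USERS.NANCY": ("UPDATE", None),
                         "*.USERJ.*": ("NONE", None)}},
}


def writer_ok(node, resource, userid):
    """WRITER check at `node`: userid needs at least READ to the covering profile."""
    wr = NODE[node]["WRITER"]
    prof = best(wr, resource)
    return prof is not None and wr[prof][1].get(userid, wr[prof][0]) != "NONE"


def receive(node, sender, kind, owner, suser, password_ok=False):
    """NODES check at the receiving node. Returns (accepted, local_owner, why)."""
    nd = NODE[node]["NODES"]
    res = f"{sender}.{'USERJ' if kind == 'JOBS' else 'USERS'}.{owner}"
    prof = best(nd, res)
    if prof is None:
        return False, None, f"{res}: no NODES profile at {node}, treated as untrusted"
    uacc, addmem = nd[prof]
    if uacc == "NONE":
        return False, None, f"{res}: {prof} UACC(NONE), rejected at {node}"
    if uacc == "READ" and not password_ok:  # semi-trusted: password must re-verify
        return False, None, f"{res}: {prof} UACC(READ), password re-verification needed"
    local = suser if addmem == "&SUSER" else (addmem or owner)
    if kind == "JOBS" and local not in NODE[node]["USERS"]:
        return False, local, f"{local} is not defined at {node}"
    return True, local, f"{res}: {prof} UACC({uacc}), {kind} now owned by {local}"


def route(submit_node, xeq_node, prt_node, owner, printer="PRT1", password_ok=False):
    """Follow one job from submission through execution to printing. Returns
    (owner of the output at the print node, or None if rejected; trail of decisions)."""
    trail = []
    if not writer_ok(submit_node, f"JES2.NJE.{xeq_node}", owner):
        return None, [f"{owner} may not send jobs {submit_node} -> {xeq_node}"]
    ok, xeq_owner, why = receive(xeq_node, submit_node, "JOBS", owner, owner, password_ok)
    trail.append(why)
    if not ok:
        return None, trail
    if not writer_ok(xeq_node, f"JES2.NJE.{prt_node}", xeq_owner):
        return None, trail + [f"{xeq_owner} may not send SYSOUT {xeq_node} -> {prt_node}"]
    ok, prt_owner, why = receive(prt_node, xeq_node, "SYSOUT", xeq_owner, owner, password_ok)
    trail.append(why)
    if not ok:
        return None, trail
    if not writer_ok(prt_node, f"JES2.LOCAL.{printer}", prt_owner):
        return None, trail + [f"{prt_owner} may not use {printer} at {prt_node}"]
    return prt_owner, trail + [f"printed on {printer} at {prt_node} for {prt_owner}"]
```

`route("ORANGE", "VEGAS", "DALLAS", "NANCY")` reproduces the three-node slide, and `route("ORANGE", "VEGAS", "ORANGE", "RICKY")` reproduces the translation slide: the job runs at VEGAS as LUCY, and the SYSOUT arriving back at ORANGE is re-owned by RICKY through ADDMEM(&SUSER) because the submitter is carried in the token untouched. The BOB case shows what UACC(READ) buys: a job from a node/user pair that only the READ backstop covers is held until the password re-verifies.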
