Here's a question that I wish were hypothetical:
If a user's ACID has XA ACID(xxxxxxxx) plus FAC(TSO) and FAC(BATCH), that user can submit JCL with USER=xxxxxxxx on the JOB card and do anything that xxxxxxxx is permitted to do. In the case I have in mind, I consider this a vulnerability.
The reason for the permission—the reason I'm aware of—is that there are transactions that submit batch jobs with USER=xxxxxxxx, and whoever set this up apparently thought permitting ACID(xxxxxxxx) was the best way to set things up.
The ideal solution, it seems to me, is to rewrite the transactions to submit those jobs under the region's own authority in the first place. If I cannot persuade management to pursue that path, I want to define for them the exact limits of the exposure. So, the question:
If the ACID is missing FAC(TSO) and/or FAC(BATCH), are there other ways an ill-disposed user can make use of ACID(xxxxxxxx)? I'd like to hear y'all say "No, ACID(xxxxxxxx) is totally useless without both FAC(TSO) and FAC(BATCH)", but MVS is complicated and I won't be surprised to hear "Yes, here are some other ways ACID(xxxxxxxx) can be used...".
Here are some things I can think of that could be a concern if the user’s ACID is missing FAC(TSO) and/or FAC(BATCH), but still has a permit for ACID(xxxxxxxx):
1) If the ACID is in WARN mode, the ACID can signon to TSO without FAC(TSO) and submit the job with USER=xxxxxxxx. NOTE: The cross authorization protection is enforced in all modes, including WARN and DORM. This means that even if the ACID is in WARN mode, he can not submit a job with a USER=********* unless he is authorized to do so (via a permit to ACID(xxxxxxxx) or the NOSUBCHK attribute).
2) If the ACID has access to another facility where jobs can be submitted (CA ROSCOE for example), the ACID can signon to that application and submit the job with USER=xxxxxxxx.
3) The ACID does not need FAC(BATCH) to submit the job with USER=xxxxxxxx. ACID ‘xxxxxxxx’ needs to have FAC(BATCH) in this case.
Bob Bridges -
I'm not sure I understand your problem. Is you don't want user "A" to submit jobs for (under) user "B", why is that permission there? Also, the permission can be restricted using LIBRARY and PRIVPGM.
Ex. PERMIT(CA7) ACID(BATCH) LIBRARY(CA7.LOADLIB) PRIVPGM(CA7SUB)
Can you give me an example of what you want and what you don't want?