by Gail Duro
Commercial Systems Division
The JOBSECURITY command now includes a new parameter,
PASSEXEMPT, in this MPE/iX 5.5 Release.
PASSEXEMPT is used by users with System Manager (SM) capability
to control password validation when the STREAM command is
issued for a job file.
NOTE:
Password validation for the STREAM command is also
controlled by the HP Security Monitor, which is a separately purchasable
product. If you already have the HP Security Monitor, use that to
control password validation. Otherwise, you can use the
JOBSECURITY ;PASSEXEMPT command, which is available on
MPE/iX 5.5. Refer to the "JOBSECURITY Interaction with
the HP Security Monitor" section later in this article for a
comparison of the HP Security Monitor and the JOBSECURITY
;PASSEXEMPT command.
PASSEXEMPT can give users the ability to stream jobs
without requiring the logon passwords. Normally, when the
STREAM command is issued, users are interactively prompted
for passwords or are required to embed them within the job file.
This article is intended for System Managers (SM), Account Managers
(AM), and general users who want to stream jobs without specifying
passwords. This article provides a general overview of the enhanced
JOBSECURITY command and the new PASSEXEMPT
parameter.
The main sections in this article are:
When the PASSEXEMPT parameter is enabled, a set of users is
exempted from the password requirement and can stream jobs without
having to specify passwords. Passwords are still required
for logging on to a session interactively.
The PASSEXEMPT parameter provides the following features:
- The password exemption feature for streaming job files can be granted
to any user with SM, AM or a matching logon identity.
- SM users can stream all jobs.
- AM users can stream jobs that log on to their account.
- A user whose logon identity matches the job's logon identity
can stream a job without specifying passwords.
- Additional users can be authorized to stream jobs without
specifying passwords. When the stream file's owner/creator is the
same as the job logon identity and the user has execute
access to the file, they are allowed to stream the job without
specifying passwords. The file owner/creator can create an
access control definition (ACD) to select which users they
want to grant execute access.
The benefit to System Managers is better password management.
By using PASSEXEMPT, they can limit password
access while still providing the ability to stream jobs.
The JOBSECURITY command may be issued from a session, job,
program, or in BREAK. Pressing the BREAK key has no effect
on this command. You may execute JOBSECURITY only from the
console unless distributed to users with the ALLOW command.
JOBSECURITY controls the use of the ABORTJOB,
ALTJOB, BREAKJOB, and RESUMEJOB
commands with the HIGH or LOW parameter,
described in the "Parameter Definitions" section
later on.
PASSEXEMPT and the HP Security Monitor perform the same password
verification functions. Normally, you would use one or the other, but
you can use both.
Following is a comparison of the PASSEXEMPT options and the
equivalent HP Security Monitor features (see the "Parameter
Definitions" section below for descriptions of these options):
PASSEXEMPT Option    HP Security Monitor Feature
USER                 Stream Privilege
XACCESS              Stream Authorize
If you do have the HP Security Monitor on your system, and you use the
JOBSECURITY command, the output of JOBSECURITY
could be impacted by the HP Security Monitor. This is because the HP
Security Monitor manages its settings in its own configuration file.
When you invoke the JOBSECURITY command, it checks to see
if the HP Security Monitor file exists. If the HP Security Monitor file
does exist, JOBSECURITY combines the settings to produce
the command output, which may not be the expected output. For
example, if you set PASSEXEMPT=XACCESS, and the Stream
Privilege feature of the HP Security Monitor was also set, then
JOBSECURITY combines these settings as if MAX
were set (which combines the USER and XACCESS
options).
NOTE:
If you have the HP Security Monitor, we recommend that you set all the
settings either with the HP Security Monitor, or with the JOBSECURITY
;PASSEXEMPT command, to be sure of the command output.
When the PASSEXEMPT parameter is issued and the interaction
with the HP Security Monitor produces a different result,
a warning that the HP Security Monitor is installed is issued.
The resulting command output is also displayed with the warning.
This is illustrated in the last example in the
"Examples" section.
The JOBSECURITY command designates what level of user may
request resources and control the execution of jobs. The following
information describes the parameters supported by JOBSECURITY:
                                 {NONE   }
JOBSECURITY [HIGH] [;PASSEXEMPT= {USER   }]
            [LOW ]               {XACCESS}
                                 {MAX    }
HIGH
- Permits only the operator logged on at the console to use
job control commands. (Optional)
LOW
- Allows any user to issue job control commands for their
own jobs. (Optional)
The job's username and account must match that of the user.
Account Managers do not need a matching username, so they may control
the execution of any job in their account.
PASSEXEMPT
- Controls password validation when the STREAM command is issued
for a job file. SM capability is required to specify
PASSEXEMPT. (Optional)
NONE
- Requires that the requested passwords be specified to stream
a job. If the PASSEXEMPT parameter has never been used before and
the HP Security Monitor is not installed, the initial state is
NONE. (Default)
When the system is rebooted with START NORECOVERY,
the PASSEXEMPT parameter is initialized to NONE.
When the system is rebooted with a START RECOVERY, the last
PASSEXEMPT state is preserved.
USER
- Grants password exemption to users with SM,
AM, or matching logon identity.
- The System Manager can stream all jobs.
- The Account Manager can stream all jobs that log on to their account,
provided they otherwise have access to those jobs.
- A user can stream all jobs where their logon identity matches the job's
logon identity and they have access to those jobs.
The USER option is equivalent to the Stream Privilege feature
in the HP Security Monitor.
XACCESS
- Allows a user to stream a job without specifying a
password if their logon identity matches the job's logon identity, and
they have execute access to the stream file. The file owner/creator can
set an access control definition (ACD) on the file to grant execute
access to a specific set of users.
The XACCESS option is similar to the HP Security Monitor's Stream
Authorize feature. However, the Stream Authorize feature can only be
enabled if the Stream Privilege feature is already enabled. The
JOBSECURITY command, however, allows the options to be set
independently.
MAX
- Specifies both USER and XACCESS. Otherwise, these
options are mutually exclusive.
If you do not specify any options, the current job security status is
displayed.
The following examples show the enhanced JOBSECURITY command and
changes to the output.
: JOBSECURITY
JOBSECURITY IS HIGH. PASSEXEMPT IS NONE.
: JOBSECURITY LOW
: JOBSECURITY
JOBSECURITY IS LOW. PASSEXEMPT IS NONE.
: JOBSECURITY ;PASSEXEMPT=USER
: JOBSECURITY
JOBSECURITY IS LOW. PASSEXEMPT IS USER.
If USER is set and XACCESS is specified, the
result is XACCESS.
: JOBSECURITY
JOBSECURITY IS LOW. PASSEXEMPT IS USER.
: JOBSECURITY ;PASSEXEMPT=XACCESS
: JOBSECURITY
JOBSECURITY IS LOW. PASSEXEMPT IS XACCESS.
If the HP Security Monitor is installed with both Stream Privilege and
Stream Authorize turned on, the JOBSECURITY command displays an output
warning when the OR operation produces a different result.
:JOBSECURITY ;PASSEXEMPT=USER
Security Monitor is installed. Passexempt is MAX. (CIWARN 3128)
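The following Python model is an added illustration, not HP code: it ORs a requested PASSEXEMPT value with the HP Security Monitor settings as described above, and decides whether STREAM still needs passwords. All class, function and field names are hypothetical, and identities are assumed to be plain "USER.ACCOUNT" strings. The XACCESS rule is modelled as stated in the feature list (stream file owner/creator equals the job logon identity and the streaming user has execute access).

```python
from dataclasses import dataclass
from enum import IntFlag

class PassExempt(IntFlag):
    NONE = 0
    USER = 1             # HP Security Monitor equivalent: Stream Privilege
    XACCESS = 2          # HP Security Monitor equivalent: Stream Authorize
    MAX = USER | XACCESS

def effective_state(requested, stream_privilege=False, stream_authorize=False):
    """OR the requested value with the Monitor settings.
    Returns (effective, warn); warn is True when the result differs."""
    monitor = PassExempt.NONE
    if stream_privilege:
        monitor |= PassExempt.USER
    if stream_authorize:
        monitor |= PassExempt.XACCESS
    effective = requested | monitor
    return effective, effective != requested

@dataclass
class StreamRequest:
    user: str            # streaming user's logon identity, "USER.ACCOUNT"
    job_logon: str       # logon identity the job will run under
    file_owner: str      # owner/creator of the stream file
    has_execute: bool    # streaming user has execute access (e.g. via an ACD)
    sm: bool = False     # streaming user has SM capability
    am: bool = False     # streaming user has AM capability

def password_required(state, req):
    """True if STREAM must still be given the job's logon passwords."""
    if state & PassExempt.USER:
        same_account = req.user.split(".")[1] == req.job_logon.split(".")[1]
        if req.sm or (req.am and same_account) or req.user == req.job_logon:
            return False
    if state & PassExempt.XACCESS:
        if req.file_owner == req.job_logon and req.has_execute:
            return False
    return True

if __name__ == "__main__":
    # Constructed request: OPER.PROD streams a file owned by BATCH.PROD
    # whose job logs on as BATCH.PROD; an ACD grants OPER.PROD execute access.
    req = StreamRequest("OPER.PROD", "BATCH.PROD", "BATCH.PROD", has_execute=True)
    for state in (PassExempt.NONE, PassExempt.USER, PassExempt.XACCESS, PassExempt.MAX):
        print(state.name, "password required:", password_required(state, req))
    print(effective_state(PassExempt.USER, True, True))  # mirrors the CIWARN 3128 case
```

Running the model over every stream file and user on a system gives a reviewable list of who can start which jobs without knowing the job's passwords under each setting.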