Job Descriptions with User Profiles attached

Job descriptions control the work environment for all jobs on the system. At job initiation time, the job description sets values such as the library list, job queue, and output queue. One of the values that can be set in the job description is the default user profile. When the system value QSECURITY is set to '40' or higher, the user who is submitting a job must be authorized to the user profile that is named in the job description.

When the system value QSECURITY is set to '30' or less, the user submitting the job needs *USE authority to the job description itself, but needs no specific authority to the user profile named in the job description. This is a particularly broad security exposure that presents itself to enterprising users. At security level '30' and less, any user who can *USE a job description can submit jobs as the user that is named in the job description.

For example, in one audit we've seen, XYZ had done a good job of making user profiles *PUBLIC AUT(*EXCLUDE), but since XYZ was using security level 30, the protection for these profiles was not in force. XYZ had 175 job descriptions that included user IDs. Many that were open to *PUBLIC named the user QPGMR or other *ALLOBJ users like ASSET.

The result of this configuration is that anyone who can submit a job can have that job run under a number of very powerful profiles.
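The check an auditor would apply to a job description inventory, written out as an added example (not part of the original article or any IBM tooling). It shows how the same inventory yields findings at level 30 and none at level 40 when the profiles are *PUBLIC *EXCLUDE. The record layout, function name, library names and job description names are assumptions made for illustration, and the sample rows are constructed.

```python
from dataclasses import dataclass

# Authorities that include *USE rights to an object.
GRANTS_USE = {"*USE", "*CHANGE", "*ALL"}

@dataclass(frozen=True)
class JobD:
    library: str
    name: str
    user: str        # USER value of the job description: *RQD or a profile name
    public_aut: str  # *PUBLIC authority to the job description object

def exposed_jobds(qsecurity, jobds, profile_public_aut, allobj_profiles):
    """List (jobd, profile, has_allobj) where *PUBLIC can submit as `profile`."""
    findings = []
    for jd in jobds:
        if jd.user.startswith("*"):            # *RQD: no profile attached
            continue
        if jd.public_aut not in GRANTS_USE:    # *PUBLIC cannot use the JOBD
            continue
        # Level 40+: the submitter must also be authorized to the named profile
        # (modelled here as *USE; the article only says "authorized").
        if qsecurity >= 40 and profile_public_aut.get(jd.user, "*EXCLUDE") not in GRANTS_USE:
            continue
        findings.append((f"{jd.library}/{jd.name}", jd.user, jd.user in allobj_profiles))
    return findings

# Constructed sample inventory (library and job description names are made up).
JOBDS = [
    JobD("APPLIB", "NIGHTLY", "QPGMR", "*USE"),
    JobD("APPLIB", "ASSETJOB", "ASSET", "*CHANGE"),
    JobD("APPLIB", "LOCKED", "QPGMR", "*EXCLUDE"),
    JobD("APPLIB", "PLAIN", "*RQD", "*USE"),
]
# Profiles secured as in the audit above: *PUBLIC AUT(*EXCLUDE).
PROFILE_PUBLIC_AUT = {"QPGMR": "*EXCLUDE", "ASSET": "*EXCLUDE"}
# Profiles the audit treated as holding *ALLOBJ.
ALLOBJ_PROFILES = {"QPGMR", "ASSET"}

if __name__ == "__main__":
    for level in (30, 40):
        print(level, exposed_jobds(level, JOBDS, PROFILE_PUBLIC_AUT, ALLOBJ_PROFILES))
```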