Just as embedded passwords are a source of security exposure in sessions, so
too are passwords embedded in batch submissions.
Prevention of password exposure in batch submissions is effected by:
Rejecting embedded passwords in job cards.
Prohibiting cross streaming (letting a user stream another user's job).
Allowing users, AM, and SM to stream jobs without supplying passwords (stream privilege).
The first feature causes a job to fail if it contains an embedded password.
The second feature places limitations on who can stream jobs of other users.
The third feature permits various types of users to stream jobs without
supplying passwords.
The third feature does not mean the system is now left open to the submission
of unauthorized batch files. It means that a user with stream privilege
can stream a job without entering a password. A user without stream privilege
still must enter a valid password to stream a job.
Embedded Passwords in Job Files |
 |
This option prevents embedding passwords in job files. It operates by
rejecting any "!JOB" command with an embedded password(s), regardless of the
validity of the password.
When this feature is enabled, and a password is found in a job, the
:STREAM command returns the following message:
PASSWORD SECURITY ENABLED. EMBEDDED PASSWORDS ARE NOT ALLOWED
(CIERR 1450).
This feature is applicable to all JOB cards (the ":JOB" command strings)
regardless of the origin of the job. This includes jobs streamed from
disk files, tapes, from within a job, or from interactive terminal input,
including jobs generated by the interactive :JOB command. The default
for this feature is "OFF".
