IBM Security Z Security

  • 1.  PROPCNTL and Access Monitor

    Posted Wed October 26, 2022 09:07 AM
    We are wanting to enhance our implementation of PROPCNTL.   Does Access Monitor record any activity concerning PROPCNTL?    I am looking to see if it can show me potential instances I should create PROPCNTL profiles.

    From what I can tell it seems the data may not be present.

    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: PROPCNTL and Access Monitor

    Posted Thu October 27, 2022 07:05 AM

    Great.... typed a full response, but used my official IBM userid, and of course, the text goes in the bottomless pit called spam-prevention through human interaction.
    Let's try again.

    PROPCNTL is a non-standard resource class. Only the presence of the profile is relevant, and the access is completely ignored. Because profile presence is tested for all job submissions that don't have a password, intercepting in Access Monitor is somewhat useless, because it would only record if you had the profile at the time of the event. The fact that it is tested doesn't have any significance. Aside, RACF uses a presence-test that is not intercepted/interceptable by Access Monitor.
    So, in summary, Access Monitor can't help you directly.

    But, you might want to have a look at the Verify events with port-of-entry set to intrdr, in combination with req_verify_method=none.



    ------------------------------
    Guus Bonnes
    ------------------------------



  • 3.  RE: PROPCNTL and Access Monitor

    Posted Fri October 28, 2022 08:55 AM
    Now you know that you can't use AM, I'd suggest a different approach. First be sure to spell out your concerns about identity propagation, i.e. where it is acceptable, -vs- desirable, -vs- not acceptable. I usually -want- propagation from batch job and TSO users, in fact usually any single user address space. It is the multi user address spaces where you usually don't want the identity of the "server" propagated to work initiated by individual users. Think CICS, IMS etc. A recent enhancement was made to CICS in this regard (your CICS sysprog, Tim, will have details). A job scheduler is another instance where you usually/hopefully don't want the ID of the scheduler itself propagated to all scheduled jobs, but need more granularity/accountability for the business applications (batch ids).

    I used to insist on a procedural checkpoint for all STCs to determine whether they needed PROPCNTL. You may even go as far as having a formal policy(s) established regarding HOW jobs are to be submitted from various environments and how identities are to be propagated/established. I seem to recall a financial institution that had such a policy where all STCs, by default, had PROPCNTL established for their STUSER. I think they had a comprehensive report showing all their STCs, the STUSER and whether PROPCNTL existed for that userid. Any exceptions needed to go through a periodic review process to verify suitable controls were in place to prevent "hijacking" of the STC's authority.

    Some online systems perform archiving of log data and spawn/submit jobs to do that, where they rely on id propagation. They can possibly be enhanced to use an alternate method for invoking their archive process, eliminating the need for ID propagation.

    ------------------------------
    Simon Dodge
    ------------------------------



  • 4.  RE: PROPCNTL and Access Monitor

    Posted Fri October 28, 2022 09:21 AM
    What is the general consensus on use of PROPCNTL?    I have read pro and con articles about it but what alternatives are there?  

    Dan

    ------------------------------
    Dan Little
    ------------------------------



  • 5.  RE: PROPCNTL and Access Monitor

    Posted Fri October 28, 2022 10:04 AM
    Hi Dan, Yes, PROPCNTL is not loved by everyone. It is an on/off switch to allow/prevent propagation (by JES) of the submitter's identity to the submitted jobs.

    You may want to explore JESJOBS. The resource names include both Jobname and Userid. I don't have as much experience implementing JESJOBS as I have had with PROPCNTL. Not a reflection of relative merits of each, just the environments I was working in. Perhaps other folks can offer opinions/experience on using JESJOBS.

    ------------------------------
    Simon Dodge
    ------------------------------
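
As an added example (not posted by anyone in this thread), a batch RACF job that puts the two approaches discussed side by side: PROPCNTL profiles for the STC/region userids whose identity should not be propagated, and a JESJOBS SUBMIT profile that gives the scheduler case the per-jobname/per-userid granularity Simon mentions. The userids CICSPROD, SCHEDSTC and PAYBATCH, the jobname prefix PAY and the node PRODNODE are constructed placeholders.

```jcl
//RACFPROP JOB (ACCT),'PROPCNTL/JESJOBS',CLASS=A,MSGCLASS=X
//* Added example; userids, jobnames and node name are placeholders.
//*
//* 1. PROPCNTL: only the presence of a profile named for the
//*    userid matters. A profile for CICSPROD or SCHEDSTC stops JES
//*    from propagating that userid to jobs it submits without a
//*    password. UACC/access lists are ignored for this class.
//*
//* 2. JESJOBS: resource SUBMIT.nodename.jobname.userid, where
//*    userid is the identity the submitted job will run under.
//*    Deny the scheduler submitting under its own id, but allow it
//*    to submit PAY* jobs that run as the PAYBATCH batch id.
//*
//* 3. Review step: list PROPCNTL profiles and STARTED/STDATA so the
//*    STC userids without a PROPCNTL profile can be reconciled.
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 SETROPTS CLASSACT(PROPCNTL) RACLIST(PROPCNTL)
 RDEFINE  PROPCNTL CICSPROD UACC(NONE)
 RDEFINE  PROPCNTL SCHEDSTC UACC(NONE)
 SETROPTS RACLIST(PROPCNTL) REFRESH
 SETROPTS CLASSACT(JESJOBS) GENERIC(JESJOBS) RACLIST(JESJOBS)
 RDEFINE  JESJOBS SUBMIT.PRODNODE.*.SCHEDSTC UACC(NONE)
 RDEFINE  JESJOBS SUBMIT.PRODNODE.PAY*.PAYBATCH UACC(NONE)
 PERMIT   SUBMIT.PRODNODE.PAY*.PAYBATCH CLASS(JESJOBS) -
          ID(SCHEDSTC) ACCESS(READ)
 SETROPTS RACLIST(JESJOBS) REFRESH
 RLIST    PROPCNTL *
 RLIST    STARTED * STDATA
/*
```

The two RLIST commands at the end produce the raw material for the STC/STUSER/PROPCNTL reconciliation report Simon describes; any STUSER that is a multi-user server and has no PROPCNTL profile is an exception to review.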