IBM Support

Prevent TWS job creation if streamlogon ID is root

Question & Answer


Question

How do you prevent a job from being put into the Tivoli Workload Scheduler (TWS) database if the logon ID that is specified is root?

Cause

Security audit requirements

Answer

Use the dumpsec command to write the current security stanzas to a text file.

$ dumpsec > mysec

Edit the resulting file and add an entry specifying that a job cannot be created with the logon ID of root.

job cpu=@+logon=root access=display

Use the makesec command to put the new security file into effect.

$ makesec mysec

Attempt to create a job with the streamlogon ID set to root. The result should look like this:

"/opt/IBM/TWA/TWS/tmp/TWSUgsnqa", line 8: **ERROR**(7) AWSDEJ005E
Doing MODIFY on JOB, access not granted.

The error message returned is:

AWSJCO026E User "twsuser" is not authorized to perform the action "ADD" on an object "Job" and key "jd=MDM#NOROOT".

NOTE: This solution only prevents a job from being inserted into the database if the streamlogon ID is set to root. If a job with root as the streamlogon ID is already in the database, this change will not prevent that job from being added to the plan or from being submitted ad hoc into the plan.
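
Because the security entry does not affect jobs already in the database, an audit of existing definitions closes the gap described in the NOTE. The script below is an added example, not part of the IBM document: it lists job definitions whose STREAMLOGON is root from a text export of job definitions. The export file, its layout (a WORKSTATION#JOBNAME line followed by keyword lines), and the sample job names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list existing job definitions that run as root.
# Assumes a text export of job definitions in which each job starts
# with a WORKSTATION#JOBNAME line followed by a STREAMLOGON line.

# Write a constructed sample export (not from a real system) to $1.
write_sample_jobs() {
    cat > "$1" <<'EOF'
$JOBS
MDM#CLEANUP
 SCRIPTNAME "/usr/local/bin/cleanup.sh"
 STREAMLOGON root
 RECOVERY STOP

MDM#PAYROLL
 SCRIPTNAME "/opt/app/payroll.sh"
 STREAMLOGON appuser
 RECOVERY STOP

FTA1#ROTATE
 DOCOMMAND "logrotate /etc/logrotate.conf"
 STREAMLOGON "root"
 RECOVERY CONTINUE
EOF
}

# Print WORKSTATION#JOBNAME for every definition in file $1 whose
# STREAMLOGON value is exactly root (quoted or unquoted).
find_root_jobs() {
    awk '
        # Job header: a single field containing one "#" separator.
        NF == 1 && $1 ~ /^[^#]+#[^#]+$/ { job = $1; next }
        # Keyword match is case-insensitive; strip optional quotes.
        toupper($1) == "STREAMLOGON" {
            user = $2
            gsub(/"/, "", user)
            if (user == "root" && job != "") print job
        }
    ' "$1"
}

# Demo run on the constructed sample.
sample=$(mktemp)
write_sample_jobs "$sample"
find_root_jobs "$sample"
rm -f "$sample"
```

Each job it reports can then be reviewed and moved to a non-root streamlogon or documented as an approved exception for the audit.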


Product Synonym

Maestro;TWS;TWA

Document Information

Modified date:
17 June 2018

UID

swg21258441