Question & Answer
Question
How do you prevent a job from being put into the Tivoli Workload Scheduler (TWS) database if the logon ID that is specified is root?
Cause
Security audit requirements
Answer
Utilize the dumpsec command to create a text file that has the current security stanzas.
$ dumpsec > mysec
Modify the resultant file and add an entry that specifies that a job cannot be created with the logon id of root.
job cpu=@+logon=root access=display
Use the makesec command to put the new security file into effect.
$ makesec mysec
Attempt to create a job with the streamlogon ID set to root. The result should look like this:
"/opt/IBM/TWA/TWS/tmp/TWSUgsnqa", line 8: **ERROR**(7) AWSDEJ005E
Doing MODIFY on JOB, access not granted.
The error message returned is:
"AWSJCO026E User "twsuser" is not authorized to perform the action "ADD" on an object "Job" and key "jd=MDM#NOROOT".
NOTE: This solution only prevents a job from being inserted into the database if the streamlogon ID is set to root. If a job with root as the streamlogon ID is already in the database, this change will not prevent that job from being added to the plan or from being submitted ad hoc into the plan.
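Because the NOTE above leaves existing definitions untouched, an audit also needs the list of jobs already defined with root as the streamlogon. The script below is an added example, not IBM code: it assumes a text export of job definitions in composer's `$JOBS` layout (an unindented WORKSTATION#JOBNAME line followed by indented keyword lines), and the function name `find_root_jobs` and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example (not IBM code): list job definitions whose STREAMLOGON is root.
# Assumption: FILE is a text export of job definitions in the "$JOBS" layout.

# find_root_jobs FILE [LOGON]  -> prints one WORKSTATION#JOBNAME per line
find_root_jobs() {
    awk -v want="${2:-root}" '
        { first = substr($0, 1, 1) }
        # A definition starts with an unindented WORKSTATION#JOBNAME token;
        # "$JOBS" headers, comment lines and indented keyword lines are skipped.
        first != " " && first != "\t" && first != "$" && first != "#" &&
        index($1, "#") > 1 { job = $1; next }
        # Keywords are case-insensitive and the logon may be double-quoted.
        # The logon is compared case-insensitively so variants get reviewed too.
        tolower($1) == "streamlogon" {
            logon = $2
            gsub(/"/, "", logon)
            if (job != "" && tolower(logon) == tolower(want)) print job
        }
    ' "$1"
}

# Constructed sample export (not taken from a real system).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
$JOBS
MDM#NOROOT
 SCRIPTNAME "/usr/local/bin/cleanup.sh"
 STREAMLOGON root
 DESCRIPTION "constructed sample"
 RECOVERY STOP

MDM#NIGHTLY
 DOCOMMAND "ls /tmp"
 STREAMLOGON twsuser
 RECOVERY STOP

FTA1#PATCH
 scriptname "/opt/scripts/patch.sh"
 streamlogon "root"
 recovery stop
EOF

find_root_jobs "$sample"
```

Each job it reports was stored before the security stanza took effect and can still reach the plan, so those definitions need to be changed or removed separately.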
Product Synonym
Maestro;TWS;TWA
Document Information
Modified date:
17 June 2018
UID
swg21258441