Job descriptions

A job description is a valuable tool for security and work management.

You can also set up a job description for a group of users who need the same initial library list, output queue, and job queue. You can set up a job description for a group of batch jobs that have similar requirements.

A job description also represents a potential security exposure. In some cases, a job description that specifies a profile name for the USER parameter can allow a job to enter the system without appropriate security checking. The topic "Controlling how jobs enter the system" discusses how this can be prevented for interactive and communications jobs.

When a batch job is submitted, the job might run under a profile other than that of the user who submitted it. The profile can be specified on the SBMJOB command, or it can come from the USER parameter of the job description. If your system is at security level (QSECURITY system value) 30 or lower, the user submitting a job needs authority to the job description but not to the user profile specified on the job description. This represents a security exposure. At security level 40 and higher, the submitter needs authority to both the job description and the user profile.

For example:
  • USERA is not authorized to file PAYROLL.
  • USERB has *USE authority to the PAYROLL file and to program PRLIST, which lists the PAYROLL file.
  • Job description PRJOBD specifies USER(USERB). Public authority for PRJOBD is *USE.

At security level 30 or lower, USERA can list the payroll file by submitting a batch job:

    SBMJOB RQSDTA("Call PRLIST") JOBD(PRJOBD) +
           USER(*JOBD)

You can prevent this by using security level 40 or higher, or by controlling the authority to job descriptions that specify a user profile.

Sometimes, a specific user profile name in a job description is required for certain types of batch work to function properly. For example, the QBATCH job description is shipped with USER(QPGMR). This job description is shipped with the public authority of *EXCLUDE.

If your system is at security level 30 or lower, any user on the system who has authority to the Submit Job (SBMJOB) command or the start reader commands, and has *USE authority to the QBATCH job description, can submit work under the programmer (QPGMR) user profile, whether or not the user has authority to the QPGMR profile. At security level 40 and higher, *USE authority to the QPGMR profile is also required.
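
The following added example (not IBM code) models the authority rule described above so that an inventory of job descriptions can be reviewed offline for the PRJOBD and QBATCH situations. The inventory is constructed sample data, USERC and its private authority to QBATCH are hypothetical, and the model deliberately ignores group profiles, special authorities such as *ALLOBJ, and authorization lists.

```python
from dataclasses import dataclass, field

USE_OR_BETTER = {"*USE", "*CHANGE", "*ALL"}

@dataclass
class Obj:
    """Authority table for one object: private authorities plus *PUBLIC."""
    name: str
    public: str = "*EXCLUDE"
    private: dict = field(default_factory=dict)

    def allows_use(self, user):
        # A private authority, if present, takes precedence over *PUBLIC.
        return self.private.get(user, self.public) in USE_OR_BETTER

@dataclass
class JobD:
    obj: Obj
    user: str = "*RQD"  # USER parameter of the job description

def can_submit_as(submitter, jobd, profiles, qsecurity):
    """Model of the check for SBMJOB ... JOBD(x) USER(*JOBD)."""
    if jobd.user == "*RQD" or not jobd.obj.allows_use(submitter):
        return False
    if qsecurity >= 40:
        # Level 40 and higher: authority to the user profile is also required.
        return profiles[jobd.user].allows_use(submitter)
    return True  # Level 30 or lower: the job description alone is enough.

def exposures(users, jobds, profiles, qsecurity):
    """(submitter, job description, profile) triples that cross profiles."""
    return sorted((u, j.obj.name, j.user) for u in users for j in jobds
                  if u != j.user and can_submit_as(u, j, profiles, qsecurity))

# Constructed inventory mirroring the page's two cases.
USERS = ["USERA", "USERB", "USERC"]
JOBDS = [
    JobD(Obj("PRJOBD", public="*USE"), user="USERB"),
    JobD(Obj("QBATCH", public="*EXCLUDE", private={"USERC": "*USE"}),
         user="QPGMR"),
]
PROFILES = {"USERB": Obj("USERB"), "QPGMR": Obj("QPGMR")}  # public *EXCLUDE

if __name__ == "__main__":
    for level in (30, 40):
        print(level, exposures(USERS, JOBDS, PROFILES, level))
```
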