HP3000-L Archives

May 1997, Week 1

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Jeff Kell <[log in to unmask]>
Reply To: Jeff Kell <[log in to unmask]>
Date: Fri, 2 May 1997 19:43:44 -0400
Content-Type: text/plain

Stigers, Gregory - ANDOVER wrote:
>
> As we continue to set up our development environment, SECURITY / 3000
> expired an account manager password, under which most job streams run
> (not a good idea for a lot of reasons). So we run into yet another
> classic MPE issue: what do we do about passwords in job streams?

[...many alternatives and workarounds snipped...]

As of 5.5 (powerpatch 1?) there are enhancements to the :stream command
and the :jobsecurity setting.  Namely, these allow:

* You only need eXecute access to jobstreams, UDCs, and command files
  now; which allows for embedded passwords without read access.  This
  has been in place for jobstreams for some time; UDCs/command files
  are a new extension.

* You can enable streaming jobs under your logon ID without passwords
  in the jobstream.  By extension, AM users can stream jobs as any
  user of the account, SM can stream any job period (speaking in terms
  of the :job user.acct logon ID not requiring passwords).

* You can enable streaming job files whose creator is the same as the
  :job logon ID, and you otherwise have permission to stream the file.

With the latter extension, you can allow job submission of "powerful"
jobs without passwords provided you give access to the jobstream.  In
cases where we used to have "powerful" jobstreams located somewhere in
SYS with access=(x:ac) to allow operators to stream them, they had to
have passwords imbedded.  With the new addition, they can reside
anywhere on the system, and you can :altsec foo;newacd=(x:operator.sys)
to allow them to stream the files (provided the logon user.acct is the
creator of the file).  This allows for a great deal more flexibility
without the previous third-party stream side effects.

Jeff Kell <[log in to unmask]>
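
An added illustration, not part of the post above and not MPE/iX code: a small Python model of the password-exemption rules as the post describes them, used to list which execute grants let a user stream a job under someone else's logon with no password. It assumes all three exemptions are enabled, that `@` in an ACD entry is a wildcard, and that stream access comes only from being the creator, having SM, or holding an ACD grant; the file names, users and capabilities are constructed.

```python
# Added example: models the exemption rules as the post describes them.
# File names, users and capabilities below are constructed sample data.
from dataclasses import dataclass

CREATOR_RULE = "file creator matches :job logon"

@dataclass
class JobFile:
    name: str
    creator: str      # user.acct that created the job file
    job_logon: str    # user.acct on the file's :job line
    x_grants: tuple   # ACD entries holding eXecute access

def acd_matches(entry, user):
    """Match user.acct against an ACD entry; '@' is treated as a wildcard."""
    (eu, ea), (u, a) = entry.lower().split("."), user.lower().split(".")
    return eu in ("@", u) and ea in ("@", a)

def exempt_reason(submitter, caps, jf):
    """Why submitter may stream jf with no password, or None if one is needed."""
    sub, logon = submitter.lower(), jf.job_logon.lower()
    # Simplification: only the creator, SM, or an ACD grant gives stream access.
    allowed = (sub == jf.creator.lower() or "SM" in caps
               or any(acd_matches(e, sub) for e in jf.x_grants))
    if not allowed:
        return None
    if sub == logon:
        return "streaming under own logon ID"
    if "SM" in caps:
        return "SM may stream any job"
    if "AM" in caps and sub.split(".")[1] == logon.split(".")[1]:
        return "AM may stream as any user of the account"
    if jf.creator.lower() == logon:
        return CREATOR_RULE
    return None

def audit(files, users):
    """List (submitter, file, runs_as) triples that exist only through the creator rule."""
    return [(u, jf.name, jf.job_logon) for jf in files for u, caps in users.items()
            if exempt_reason(u, caps, jf) == CREATOR_RULE]

FILES = [
    JobFile("JFULLBK", "manager.sys", "manager.sys", ("operator.sys",)),
    JobFile("JPAYROLL", "mgr.payroll", "mgr.payroll", ("@.@",)),
    JobFile("JREPORT", "dev.payroll", "mgr.payroll", ("operator.sys",)),
]
USERS = {"operator.sys": set(), "clerk.payroll": set(), "mgr.payroll": {"AM"}}

if __name__ == "__main__":
    for row in audit(FILES, USERS):
        print("%s can stream %s as %s with no password" % row)
```

The rows it reports are the grants worth reviewing: every execute entry on a job file whose creator equals its `:job` logon is effectively permission to run as that logon.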
