10.43 What do we do about passwords in job streams? I am concerned foremost with good security: I want to let people do their jobs without getting in their way, and present anyone else with a brick wall.

You need to consider the STREAM, JOBSECURITY and ALTSEC commands.

You need only eXecute access to jobstreams, UDCs, and command files; read access is not required. Embedded passwords therefore stay unreadable to the users who run the files.

You can enable (with JOBSECURITY) the streaming of jobs under your own logon ID without passwords in the jobstream. By extension, AM users can stream jobs as any user of the account, and SM can stream any job, period. (This is in terms of the :job user.acct logon ID not requiring passwords.)

You can also enable the streaming of job files whose creator is the same as the :job logon ID, provided you have permission to stream the file. With this latter extension, you can allow submission of "powerful" jobs without passwords, provided you give access to the jobstream. This means jobstreams can reside anywhere on the system, and you can

:altsec foo;newacd=(x:username)

to allow username to stream the files (provided the logon user.acct is the creator of the file). This allows for much more flexibility.