When Control‑M submits a job, the following checks are made:
For RACF:
PERMIT jcl‑library‑name ACC(READ) ID(USERA)
For TSS:
TSS PERMIT (USERA) DSN(jcl-library-name) ACC(READ)
For ACF2/SAF:
COMP
$KEY(jcl-library-name)
UID(USERA) ALLOW
For RACF, parameter GROUP can optionally be added to the job statement and set to the RACF default group.
If the USER parameter exists in the JCL job statement, and the user ID or //*JOBFROM value (for ACF2 users) specified is not same as the owner of the job definition, and the MSUBCHK parameter is set to N (No), the job submission is canceled.
If the USER parameter exists, the user ID specified is not the same as the owner, and parameter MSUBCHK is set to Y (Yes), the class checked is
[SURROGAT | ACIDCHK | CMF] and the entity checked is
[cl-userid.SUBMIT | the JCL user ID | $SUBMIT.cl-userid].
userid is the user ID assigned to the job being submitted.
For started tasks, no security checks are performed, because no distinction is made between the authority to start a started task and the authority to order a started task. The user’s authority is already verified by the CTMSE01 module.
Parent Topic |