Basic Definition Mode

When Control‑M submits a job, the following checks are made:

1. The user ID specified in the owner field of the job definition is authorized to read the JCL library. The CLASS checked is DATASET; the entity checked is the JCL library name. To allow a user to access a JCL library, use one of the following commands, as appropriate:

   For RACF:

   PERMIT jcl‑library‑name ACC(READ) ID(USERA)

   For TSS:

   TSS PERMIT (USERA) DSN(jcl-library-name) ACC(READ)

   For ACF2/SAF:

   COMP
   $KEY(jcl-library-name)
   UID(USERA) ALLOW

2. If the job statement does not contain parameter USER (or the JCL does not contain a //*JOBFROM statement when ACF2/SAF is in use), parameter USER is added to the job statement and set to owner.

   For RACF, parameter GROUP can optionally be added to the job statement and set to the RACF default group.

   If the USER parameter exists in the JCL job statement, and the user ID or //*JOBFROM value (for ACF2 users) specified is not same as the owner of the job definition, and the MSUBCHK parameter is set to N (No), the job submission is canceled.

   If the USER parameter exists, the user ID specified is not the same as the owner, and parameter MSUBCHK is set to Y (Yes), the class checked is
   [SURROGAT | ACIDCHK | CMF] and the entity checked is
   [cl-userid.SUBMIT | the JCL user ID | $SUBMIT.cl-userid].

   userid is the user ID assigned to the job being submitted.

   For started tasks, no security checks are performed, because no distinction is made between the authority to start a started task and the authority to order a started task. The user’s authority is already verified by the CTMSE01 module.