Special Usage Considerations › Security Prevalidation › CA JCLCheck Security Checking
CA JCLCheck Security Checking
CA JCLCheck performs the following checks:
- The USER authority to access the system, which is based on the date and time of access and CPU. CA JCLCheck derives your ID from the JCL JOB statement or CA ACF2 //* LOGONID statement. If not available, it assumes the ID of the person running CA JCLCheck. However, you can override the user ID with the USER runtime option or with CAZ1SSFX, the security signon exit. The signon exit can override both the USER option and user ID found in the JCL.
- CA JCLCheck checks DASDVOL access, and if a user has appropriate access level to the DASD volume, it does not check DATASET level access levels. This is only applicable to CA ACF2 and CA Top Secret environments, and not to RACF. DASDVOL checking is not applicable for a data set in a RACF security environment.
- CA JCLCheck checks DATASET level access based on the following dispositions:
|
Disposition
|
Access Level
|
|
NEW
|
CREATE
|
|
MOD
|
CREATE
|
|
OLD
|
UPDATE then READ if UPDATE fails
|
|
SHR
|
UPDATE then READ if UPDATE fails
|
|
DELETE
|
SCRATCH
|
|
PASS
|
SCRATCH
|
|
CATLG
|
UPDATE to catalog volume
|
|
UNCTLG
|
UPDATE to catalog volume
|
With the preceding checks, most situations are covered. CA JCLCheck checks VSAM data sets for updates to the catalog volume. It does not check data set level access when there is no UCB for the unit specified.
Important! CA JCLCheck can only perform date and time-of-day checks if the security product is CA ACF2 r6.0 or above.
- CA JCLCheck checks PROGRAM access for the job-step level program. Program pathing (program access to data sets) is not supported for CA ACF2.
Note: With RACF, CA JCLCheck can only perform program resource checking when the program class is active under RACF.
By default, CA JCLCheck suppresses the message indicating that a program resource is not defined to security (return code 4 from SAF RACROUTE REQUEST=AUTH). If you require this information, specify the option SECURITY (PROGRAM(DEFINE)) at runtime.
- CA JCLCheck can only perform date and time of day checks if the security product is CA ACF2 r6.0 or above.
- Support for source restriction is not available.
- CA JCLCheck checks READ access to the DFSMS classes STORClas and MGMTClas if DFSMS is active for DISP=NEW/MOD data sets.
You must authorize CA JCLCheck for this validation to work.
Copyright © 2014 CA.
All rights reserved.
|
|