How to Use CA JCLCheck › Setting-Up Security › Alternate User ID › Setup

Setup

Two CA JCLCheck options are available to control the use of the alternate user ID feature, they are SIGNON and NOSIGNON.

SIGNON uses the current user ID and makes that ID the current user for the processing duration of the job. You can establish the user ID in the following ways:

• You can specify the USER option to CA JCLCheck. When the USER option is present, this ID applies to all jobs processed in this CA JCLCheck run. The ID also overrides any user IDs that are specified in the JCL being validated.
• You can define user IDs in the JCL being validated. The most common is the specification of USER= on the JOB card. If you are using the ACF2 option, the ID can also come from one of the ACF2 specific comment cards, such as //*LOGONID user_id.

Each time a JOB card is processed, the user changes to the current user ID when it has changed. The job is validated using the ID that CA JCLCheck originally ran with when the USER option is not in use and the JCL contains no user ID. When all jobs have been processed, the ID is re-established to the original user.

You can use the SIGNON option only when CA JCLCheck is APF authorized.

NOSIGNON prevents the SIGNON option from being used. If NOSIGNON is specified, it overrides the SIGNON specified in JCKDFLT or at execution.

Note: Placing NOSIGNON in the JCLDFLT does not prevent use of the SIGNON.

For data centers that want to prevent the use of SIGNON, it is recommended SIGNON be added to the CAZ2JOEL. For more information, see the Installation Considerations.

Example: Validate JCL that is Run Under a Different User ID

In the following JCL, USER1 wants to validate JCL that is run under the ID of USER2. The JCL specifies USER2 on the JOB card USER= parameter. Typically, USER1 does not have access to the library specified in the JCLLIB statement, which contains the VALPROC procedure. The library specified in the SYSIN statement is also not typically accessible by USER1.

//TESTJOB JOB …,
//  USER=USER2
//PROC     JCLLIB ORDER=DEV.DEPT.TEST.PROCLIB
//JS10     EXEC  VALPROC
//SYSPRINT  DD  SYSOUT=*
//SYSUT3    DD  UNIT=VIO,SPACE=(CYL,(2,1))
//SYSUT4    DD  UNIT=VIO,SPACE=(CYL,(2,1))
//SYSIN     DD  DSN=USER2.JCL.CNTL(XXX),DISP=SHR 

The following JCL shows the results when the SIGNON option is enabled. The JOB card contains a USER=USER2 parameter. The CAY6636I message indicates that the user ID changed to USER2. No error messages occur for the PROCLIB or SYSIN control cards.

//TESTJOB JOB  …,
//  USER=USER2
CAY6636I SWITCHING SECURITY USERID TO 'USER2'
CAY6111I JOBNAME ON JOBCARD 'TESTJOB' DOES NOT MATCH PDS MEMBER NAME
         'SECJOB2'

CAY6000 1 STATEMENTS FLAGGED IN JOB 'TESTJOB' MAXIMUM SEVERITY WAS 0
CAY6636I SWITCHING SECURITY USERID TO 'USER1'

The following JCL shows the results when the SIGNON option is not enabled.

//TESTJOB JOB …,
//  USER=USER2
CAY6111I JOBNAME ON JOBCARD 'TESTJOB' DOES NOT MATCH PDS MEMBER NAME
         'SECJOB2'

//PROC     JCLLIB ORDER=DEV.DEPT.TEST.PROCLIB
CAY6329E ACCESS DENIED TO 'DEV.DEPT.TEST.PROCLIB’ BY SECURITY, RC = 8 ACCESS
         LEVEL =  READ FOR ACID = 'USER1'

//JS10     EXEC   VALPROC
CAY6027E PROCEDURE 'VALPROC' NOT FOUND

00201005//SYSIN     DD  DSN=USER2.JCL.CNTL(XXX),DISP=SHR
CAY6329E ACCESS DENIED TO ‘USER2.JCL.CNTL’ BY SECURITY, RC = 8 ACCESS
         LEVEL =  READ FOR ACID = 'USER1'
CAY6329E ACCESS DENIED TO ‘USER2.JCL.CNTL’ BY SECURITY, RC = 8 ACCESS
         LEVEL =  READ FOR ACID = 'USER1'

CAY6000 4 STATEMENTS FLAGGED IN JOB 'TESTJOB' MAXIMUM SEVERITY WAS 8