On a system running ACF2, how can a batch job be submitted by a logged-on user but run under a different user without having to specify a password on the job card, i.e. with just USER=?
What is the RESTRICT attribute on the logonid?
Release : 16.0
Component : CA ACF2 for z/OS
RESTRICT specifies that the logonid is intended for production batch use (not for online or STC use) and does not require a password. By itself, this privilege makes a logonid vulnerable to unauthorized use, and is not suitable for production work (but could be used for a batch default logonid with limited read/write/alloc access).
To set up the use of RESTRICT, the logonid used for the USER= or //*LOGONID must have the RESTRICT attribute. Use the following commands:
Set LID
CHANGE lid RESTRICT
When CA ACF2 reads the restricted logonid it will validate the access by the restricted logonid and create a logging record. The ACFRPTJL report displays a log of all system accesses by logonids with the RESTRICT field.
For example, if I have a logonid ABCDE123 with the RESTRICT attribute and I specify USER=ABCDE123 on the job card, the job will execute:
12.06.10 JOB06069 ---- MONDAY, 25 NOV 2019 ----
12.06.10 JOB06069 $HASP373 MYID1234A STARTED - INIT 1 - CLASS A - SYS
12.06.10 JOB06069 ACF9CCCD USERID ABCDE123 IS ASSIGNED TO THIS JOB - MYID1234A
12.06.10 JOB06069 IEF403I MYID1234A - STARTED - TIME=12.06.10
12.06.10 JOB06069 IEF404I MYID1234A - ENDED - TIME=12.06.10
12.06.10 JOB06069 $HASP395 MYID1234A ENDED - RC=0000
However, when I submit the same job with a logonid ABCDE124 that does not have the RESTRICT attribute, it will receive the error 'ACF01007 A PASSWORD IS REQUIRED FOR LOGONID ABCDE124 xxxxxx' and not execute:
//MYID1234A JOB (11830000),'OS/MVS',MSGCLASS=X,MSGLEVEL=(1,1),
// NOTIFY=MYID1234,TIME=1439,CLASS=A,USER=ABCDE124
//* ACF01007 A PASSWORD IS REQUIRED FOR LOGONID ABCDE124 xxxxxx
// EXEC PGM=IEFBR14
/*
$HASP106 JOB DELETED BY JES2 OR CANCELLED BY OPERATOR BEFORE EXECUTION
Note that enhancement PTF LU05334 adds functionality to further secure the RESTRICT logonid by allowing SURROGAT class rules to be used for these ids.
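A complementary check on the job log itself, as an added example that is not part of the original article or of CA ACF2: the script parses the ACF9CCCD and ACF01007 message layouts shown in the excerpts above and flags jobs that ran under a RESTRICT logonid outside an approved list. The APPROVED mapping, the job ZZTEST01 and the function names are assumptions made for the illustration.

```python
import re
from collections import namedtuple

# Message layouts taken from the job log excerpts on this page.
ASSIGNED = re.compile(r"ACF9CCCD USERID (\S+) IS ASSIGNED TO THIS JOB - (\S+)")
PWD_REQUIRED = re.compile(r"ACF01007 A PASSWORD IS REQUIRED FOR LOGONID (\S+)")
JOB_CARD = re.compile(r"^//(\S+)\s+JOB\b")
Finding = namedtuple("Finding", "kind logonid jobname")

def review_joblog(lines, approved):
    """Flag RESTRICT logonid use outside the approved job-name prefixes.
    approved maps a RESTRICT logonid to the job-name prefixes allowed to run
    under it (a site-defined policy, assumed here; ACF2 does not supply it)."""
    findings, current_job = [], None
    for line in lines:
        card = JOB_CARD.match(line)
        if card:
            current_job = card.group(1)  # remember which job a later error belongs to
        m = ASSIGNED.search(line)
        if m:
            logonid, jobname = m.groups()
            prefixes = approved.get(logonid)
            # Logonids absent from the policy are not monitored RESTRICT ids.
            if prefixes is not None and not jobname.startswith(tuple(prefixes)):
                findings.append(Finding("unapproved-job", logonid, jobname))
            continue
        m = PWD_REQUIRED.search(line)
        if m:  # USER= named a logonid without RESTRICT and gave no password
            findings.append(Finding("password-required", m.group(1), current_job))
    return findings

# Constructed sample: lines 1, 3 and 4 mirror the page's excerpts,
# line 2 (job ZZTEST01) is invented for the demonstration.
SAMPLE = [
    "12.06.10 JOB06069 ACF9CCCD USERID ABCDE123 IS ASSIGNED TO THIS JOB - MYID1234A",
    "12.09.44 JOB06071 ACF9CCCD USERID ABCDE123 IS ASSIGNED TO THIS JOB - ZZTEST01",
    "//MYID1234A JOB (11830000),'OS/MVS',MSGCLASS=X,MSGLEVEL=(1,1),",
    "//* ACF01007 A PASSWORD IS REQUIRED FOR LOGONID ABCDE124 xxxxxx",
]
APPROVED = {"ABCDE123": ["MYID1234"]}  # hypothetical site policy

if __name__ == "__main__":
    for f in review_joblog(SAMPLE, APPROVED):
        print(f.kind, f.logonid, f.jobname)
```

The ACFRPTJL report remains the authoritative record of RESTRICT logonid use; this check only covers the messages visible in the job log.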