CAY6329S ACCESS DENIED TO 'data set name' BY SECURITY, RC = 8 ACCESS LEVEL = READ FOR ACID = 'userid'


Article ID: 235577


Products

JCLCheck Workload Automation

Issue/Introduction

JCLCheck issues the message "CAY6329S  ACCESS DENIED TO 'PROD.LOADLIB' BY SECURITY, RC = 8 ACCESS LEVEL =  READ FOR ACID = 'USER1'".

USER1 is the id of the user that submits the JCLCheck job.   

The JCL being validated has "USER=USER2" on the JOB statement. Why is USER2 not used for all security validation?

 

 

Environment

Product: JCLCheck Workload Automation

Release 12.0 

Resolution

The following messages are displayed in the JCLCheck Report 6:  

CAY6320I  USER  'USER2  /USER2' VIRTUAL SIGNON TO CAISSF COMPLETE
CAY6329S  ACCESS DENIED TO 'PROD.LOADLIB' BY SECURITY, RC = 8 ACCESS LEVEL =  READ FOR ACID = 'USER1'


Explanation

. Message CAY6320I confirms that the id of USER2 is used for security validation. 

. The id of USER2 is used to verify access on all the files (i.e., third party check). 

. The id of USER2 is not used to access the contents of a file, for example, to open and read the load library to verify that a module exists. 

. To access the contents of a load library, procedure library, or control card library, the ID that the JCLCheck job runs under is used. In this case USER1 runs the JCLCheck job, and USER1 does not have READ access to PROD.LOADLIB, so message CAY6329S is issued.
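
The distinction above can be applied when triaging Report 6 output. The following Python sketch is an added example, not part of the original article or of JCLCheck; it assumes the message layouts are exactly as quoted on this page and that the first name inside the CAY6320I quotes is the JOB statement USER= id. The function name and the third sample line are constructed for illustration.

```python
import re

# Layouts taken from the two Report 6 messages quoted in this article.
SIGNON = re.compile(r"CAY6320I\s+USER\s+'\s*([^\s/']+)[^']*'\s+VIRTUAL SIGNON")
DENIED = re.compile(
    r"CAY6329[SE]\s+ACCESS DENIED TO\s+'([^']+)'\s+BY SECURITY,\s*"
    r"RC\s*=\s*(\d+)\s+ACCESS LEVEL\s*=\s*(\w+)\s+FOR ACID\s*=\s*'([^']+)'"
)

def triage(report_lines):
    """Group CAY6329 denials by which ID was refused.

    'job_user'   : ACID equals the virtually signed-on USER= id
                   (the third-party check).
    'running_id' : any other ACID, i.e. the ID the JCLCheck job runs under,
                   refused when JCLCheck tried to read the data set contents.
    """
    signon_user = None  # no CAY6320I seen yet: every check is the running ID's
    groups = {"job_user": [], "running_id": []}
    for line in report_lines:
        m = SIGNON.search(line)
        if m:
            signon_user = m.group(1).upper()
            continue
        m = DENIED.search(line)
        if not m:
            continue  # lines in any other layout are ignored
        dsn, rc, level = m.group(1), int(m.group(2)), m.group(3)
        acid = m.group(4).strip().upper()
        kind = "job_user" if acid == signon_user else "running_id"
        groups[kind].append({"acid": acid, "dsn": dsn, "level": level, "rc": rc})
    return groups

# Constructed sample: the first two lines are the messages from this article,
# the third is a made-up denial against the USER= id, added for contrast.
SAMPLE_REPORT = [
    "CAY6320I  USER  'USER2  /USER2' VIRTUAL SIGNON TO CAISSF COMPLETE",
    "CAY6329S  ACCESS DENIED TO 'PROD.LOADLIB' BY SECURITY, RC = 8 ACCESS LEVEL =  READ FOR ACID = 'USER1'",
    "CAY6329S  ACCESS DENIED TO 'PROD.PAYROLL.DATA' BY SECURITY, RC = 8 ACCESS LEVEL =  UPDATE FOR ACID = 'USER2'",
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_REPORT).items():
        for h in hits:
            print(f"{kind:10} {h['acid']:8} denied {h['level']} on {h['dsn']} (RC={h['rc']})")
```

Entries under 'running_id' are the ones addressed by the Solution section; entries under 'job_user' reflect access the job's own USER= id lacks.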

Solution

. Allow the id of USER1 READ access to the data set name in question

or

. Use the Alternate User ID feature of JCLCheck

Alternate User ID Feature

Additional Information

To prevent JCLCheck from creating a security exposure at a site, JCLCheck imposes certain limitations on security prevalidation. JCLCheck does not do a security signon as another user and run under that user's security environment because this creates a security exposure. This is not allowed. The result is that the standard security environment applies to any user executing JCLCheck. For example, suppose a user runs JCLCheck and the CTLSCAN option is active; this option forces JCLCheck to read and interpret the control statements of utility programs, such as IDCAMS. If you do not have at least read access to the control statement input file, JCLCheck issues the message CAY6329E, ACCESS DENIED TO LIBRARY BY SECURITY and does not attempt to open the file. The system 913 ABEND does not occur.

The following are reasons for CAY6329E messages:
. The PXREF option is on and you do not have read access to a STEPLIB, JOBLIB, LINKLIST, or to a library in the JCL that has a member name in parentheses.
. The CTLSCAN option is on and you do not have read access to the library containing the control statements.
. JCLCheck is attempting to expand a cataloged procedure and the user does not have read access to a proclib defined to JCLCheck.

JCLCheck can use the sample MBRCHKX exit, member CAZ1XSEC in CAZ2SRC, to bypass opening a file for the PXREF and CTLSCAN options.

Reference: Security Prevalidation - Interface Limitations