CA JCLCheck WA requires READ access to all input sources referenced by the JCL being validated. By default, the user ID that submits the CA JCLCheck WA job is used for security prevalidation. This Knowledge Document describes the effect of the SECURITY and USER runtime options and the error messages to expect when security prevalidation fails.
CA JCLCheck performs security prevalidation for security products such as CA ACF2, CA Top Secret, and IBM RACF. There are two phases of security check in CA JCLCheck:
Phase 1 runs under the security ID of the caller that initiated the CA JCLCheck job. The security system must allow CA JCLCheck READ access to all input sources, such as the JCL itself, procedure libraries, utility control members, catalogs, JOBLIB, STEPLIB and linklist libraries.
Phase 2 works the same as phase 1 unless the CA JCLCheck runtime option SECURITY is used.
If the SECURITY option is specified, phase 2 runs under the following security ID, in order of precedence:
1. The user ID specified in the CA JCLCheck runtime option USER(uid).
2. The user ID coded in USER= on the JOB statement of the JCL being validated.
3. The security ID used in phase 1 (the caller), if neither of the above is present.
If USER= is coded on the JOB statement and the runtime option USER(uid) is also specified, the runtime option USER(uid) takes precedence.
If a security violation is found during phase 1, error message "CAY6329W ACCESS DENIED TO dataset name BY SECURITY RC=nn ACCESS LEVEL=READ FOR ACID=userid" is issued.
If a security violation is found during phase 2, error message "CAY6321W POTENTIAL SECURITY VIOLATION DETECTED text ACID=userid" is issued.
Each failed prevalidation access is a security violation from the security product's point of view, so repeated failures can cause the security product to suspend the user ID. To prevent such suspensions, use the option SECURITY(NOLOG), which suppresses logging of the prevalidation violations to the security product. NOLOG does not grant any access: the data set is still inaccessible, and the CAY6329W or CAY6321W message is still issued, so the underlying READ permission must still be corrected.
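The following Python script is an added example, not code from CA JCLCheck or this Knowledge Document. It models the phase-2 security ID precedence described above (USER(uid) runtime option, then USER= on the JOB statement, then the caller) and scans a report for the two messages quoted above so that the ACIDs and data sets behind a prevalidation failure can be triaged. The helper names, the JOB-statement scan and the sample report lines are hypothetical and constructed for the example.

```python
import re
from typing import Dict, List, Optional


def phase2_acid(caller: str, security_option: bool,
                job_user: Optional[str] = None,
                runtime_user: Optional[str] = None) -> str:
    """Return the security ID that phase 2 runs under.

    Without the SECURITY runtime option phase 2 uses the caller's ID, exactly
    like phase 1. With it, the USER(uid) runtime option wins over USER= on the
    JOB statement, which in turn wins over the caller's ID.
    """
    if not security_option:
        return caller
    return runtime_user or job_user or caller


# Hypothetical, simplified JOB-statement scan: a single-line JOB statement
# with comma-separated keyword parameters (real JCL may continue over lines).
_JOB_USER_RE = re.compile(r"\bUSER=([A-Z0-9@#$]{1,8})")


def job_user_from_statement(job_stmt: str) -> Optional[str]:
    """Return the USER= value from a JOB statement, or None if not coded."""
    m = _JOB_USER_RE.search(job_stmt.upper())
    return m.group(1) if m else None


# Patterns built from the two message layouts quoted in the text above.
_CAY6329W_RE = re.compile(
    r"CAY6329W ACCESS DENIED TO (?P<dsn>\S+) BY SECURITY RC=(?P<rc>\d+) "
    r"ACCESS LEVEL=(?P<level>\S+) FOR ACID=(?P<acid>\S+)")
_CAY6321W_RE = re.compile(
    r"CAY6321W POTENTIAL SECURITY VIOLATION DETECTED (?P<text>.*?)\s*ACID=(?P<acid>\S+)")


def parse_report(lines: List[str]) -> List[Dict[str, object]]:
    """Extract phase-1 (CAY6329W) and phase-2 (CAY6321W) findings from report lines."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = _CAY6329W_RE.search(line)
        if m:
            findings.append({"phase": 1, "msg": "CAY6329W", "dsn": m["dsn"],
                             "rc": int(m["rc"]), "level": m["level"],
                             "acid": m["acid"]})
            continue
        m = _CAY6321W_RE.search(line)
        if m:
            findings.append({"phase": 2, "msg": "CAY6321W",
                             "text": m["text"].strip(), "acid": m["acid"]})
    return findings


def violations_by_acid(findings: List[Dict[str, object]]) -> Dict[str, Dict[int, int]]:
    """Count findings per ACID and phase; these are the IDs at risk of suspension."""
    counts: Dict[str, Dict[int, int]] = {}
    for f in findings:
        per_acid = counts.setdefault(str(f["acid"]), {1: 0, 2: 0})
        per_acid[int(f["phase"])] += 1
    return counts


# Constructed sample report lines (not real CA JCLCheck output), following the
# message layouts quoted in the text; data set and user names are invented.
SAMPLE_REPORT = """\
//PAYJOB   JOB (ACCT),'PAYROLL',CLASS=A,USER=PAYUSER
CAY6329W ACCESS DENIED TO PROD.PAYROLL.CNTL BY SECURITY RC=08 ACCESS LEVEL=READ FOR ACID=SUBMIT1
CAY6321W POTENTIAL SECURITY VIOLATION DETECTED DSN=PROD.PAYROLL.MASTER ACCESS=UPDATE ACID=PAYUSER
"""


if __name__ == "__main__":
    lines = SAMPLE_REPORT.splitlines()
    job_user = job_user_from_statement(lines[0])
    print("phase 2 ACID with SECURITY and no USER(uid):",
          phase2_acid("SUBMIT1", True, job_user=job_user))
    findings = parse_report(lines)
    for f in findings:
        print(f)
    print(violations_by_acid(findings))
```

In the sample, the phase-1 denial is charged to the submitting ID (SUBMIT1) while the phase-2 finding is charged to the ID from USER= on the JOB statement (PAYUSER), which is exactly the split to look for when deciding whose READ access needs fixing and whose violation count the SECURITY(NOLOG) option is protecting.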