z/OS JES2 Initialization and Tuning Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Understanding default userids

z/OS JES2 Initialization and Tuning Guide
SA32-0991-00

RACF® assigns a default userid to all work that enter your node when:
  • SYSOUT enters from a non-JES2 system, unless translated to a valid userid by a NODES class profile
  • Your node is an intermediate (store-and-forward) node on the path to the work's final destination. The default userid protects work while it resides on spool awaiting transmission.

RACF uses eight question marks (????????) as the userid for all inbound work meeting the above criteria. Your security administrator can assign a different userid using the RACF SETROPTS command. For example, if you want to process any of these jobs locally, you can define a single userid to which all of these undefined userids are translated. You can then permit that translated userid to specific resources. You can not directly permit the default userid (either IBM-supplied or installation-defined) to any resources. See z/OS Security Server RACF Security Administrator's Guide about defining default userids for NJE work that meet the criteria.

Table 1. NODES Class Keywords, UACC, and SYSOUT Ownership when Execution Node is Not Defined to &RACLNDE - User ID and node that created SYSOUT
Type of check (keyword) UACC
NONE READ UPDATE CONTROL or greater
userid (USERS) Check of User ID and Node that Created SYSOUT
Purges the output. If the translation value from ADDMEM specifies &SUSER, check submitting userid and node.

Otherwise, assigns ownership of the output to ????????.

 If default or no security information is available, processing is the same as a UACC of READ.

If security information is valid, assigns the translation value from ADDMEM to the output. When ADDMEM is not specified, ownership is assigned to the userid that created the output.

 Processing is similar to UACC(UPDATE) except RACF translates any available information. This allows RACF to assign local user IDs to output from pre-SP3.1.3 nodes.
Note:
  1. If the node ID is specified in the RACFVARS profile named &RACLNDE, the node is treated as a locally attached node and RACF verifies the supplied security information.
  2. Use the 'node.RUSER.userid' NODES class profile to provide command authority at your installation.
Table 2. NODES Class Keywords, UACC, and SYSOUT Ownership when Execution Node is Not Defined to &RACLNDE - Submitting user ID and node
Type of check (keyword) UACC
NONE READ UPDATE CONTROL or greater
userid (USERS) Check of Submitting Userid and Node (only when &SUSER is specified for ADDMEM in execution node profile)
Assigns ownership of the output to ????????. Assigns ownership of the output to ????????. Assigns ownership of the output to ????????. Assigns the translation value from ADDMEM to the output, if available.   If translation value is &SUSER, assigns the submitter userid to the output.  Otherwise, assigns ownership of the output to ????????.
groupid (GROUPS) Purges the output Translates GROUPID to that specified in ADDMEM. If ADDMEM is not specified, uses the groupid received.
security label (SECLS) Purges the output Translates SECLABEL to that specified in ADDMEM. If ADDMEM is not specified, uses the security label received.
Note:
  1. When you specify &SUSER for ADDMEM and the submitting node is defined to &RACLNDE, ownership is assigned to the submitter.
  2. If the nodeid is specified in the RACFVARS profile named &RACLNDE, the node is treated as a locally attached node and RACF verifies the supplied security information.
  3. Use the 'node.RUSER.userid' NODES class profile to provide command authority at your installation.
Parent topic: Authorizing networking jobs and SYSOUT (NJE)

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014