z/OS Security Server RACF Security Administrator's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


User ID propagation when jobs are submitted

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

For each previously validated RACF® user who submits a batch job to JES through a JES internal reader, SAF propagates the following security information to the batch job:
  • If USER is not specified on the JOB statement, the current RACF user ID is used.
  • If PASSWORD is not specified on the JOB statement, the current user password is not required if the submitter propagates.
  • If SECLABEL is not specified on the JOB statement, the submitter's current security label is used.
Note: If GROUP is not specified on the JOB statement, the default connect group is used from the user profile of the user used for the job.
This has the following advantages:
  • It reduces the possible exposure of security information (especially passwords) stored in clear text in JCL.
  • It reduces administrative overhead of maintaining RACF user IDs, passwords, and security labels in the JOB statements for all batch jobs.

As a result, a TSO user, for example, is not required to specify this security information for each job submitted.

Note: You can prevent user ID propagation for specific users. See Controlling user ID propagation in a local environment.
Parent topic: Providing security for JES

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014