z/OS Security Server RACF Security Administrator's Guide


Validating SYSOUT based on the submitter

SA23-2289-00

JES normally validates SYSOUT based on the owner's security information. The owner's security information accompanies each piece of SYSOUT as it travels through the network.

You can define profiles that cause RACF® to assign ownership of the SYSOUT to the submitter. For example, you can allow a user to submit a job to another node, have the job execute under another user ID, and allow the submitting user to view the output on its return.

To translate inbound SYSOUT ownership to the submitter, specify &SUSER as the value on the ADDMEM operand of the NODES profile.

The translation can involve several NODES profiles, which are used as follows:

First, the NODES profile that matches the form execution-node.USERS.userid is used. If its UACC is not NONE and its ADDMEM is &SUSER, a check is made to see if the submitter is set up to be the owner. If the submit node is found to be a member of the RACFVARS &RACLNDE profile, the submitter user ID and group are associated with the SYSOUT without change. This is because the submit node is considered local.

If the submit node is not local in this way, a second NODES profile that matches the form submit-node.USERS.submitter-id is used. If its UACC is CONTROL and it has an ADDMEM value, the submitter values are associated with the SYSOUT. If the ADDMEM value is not &SUSER, the ADDMEM value is used as the SYSOUT owner user ID.

If the ADDMEM is &SUSER, the original submitter is used as the SYSOUT owner user ID. The second NODES profile cannot be used to purge SYSOUT. The first NODES profile has already established the level of trust and the second NODES profile is used only for determining the owning user ID of the SYSOUT. A UACC of NONE on the second NODES profile assigns the ???????? user ID. For more details, see Table 1.

When associating the submitter with the SYSOUT in the non-local case, a third NODES profile can be used that matches the form submit-node.GROUPS.submit-group. If this profile exists and has an ADDMEM value, the ADDMEM value is used as the SYSOUT owner group, regardless of the UACC. Otherwise, the original submit group is associated with the SYSOUT. Verification of the SYSOUT continues with the owner values altered as described above.
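The following Python sketch is an added illustration, not IBM code and not RACF's implementation: it models only the profile checks described above so an administrator can reason about which owner a given set of NODES profiles yields. Node, user and group names are hypothetical, profiles are looked up by exact name (generic profile matching is not modelled), and any case this page leaves to Table 1 returns `None`.

```python
from collections import namedtuple

# One NODES profile: its UACC and a single ADDMEM value (None if absent).
Profile = namedtuple("Profile", "uacc addmem", defaults=(None,))
SUSER = "&SUSER"
UNKNOWN_USER = "????????"  # user ID assigned by UACC(NONE) on the second profile

def sysout_owner(nodes, raclnde, exec_node, exec_user,
                 submit_node, submitter, submit_group):
    """Return (user, group) owning the inbound SYSOUT, or None when the
    submitter translation does not apply or the page defers to Table 1."""
    first = nodes.get(f"{exec_node}.USERS.{exec_user}")
    if first is None or first.uacc == "NONE" or first.addmem != SUSER:
        return None                        # no translation to the submitter
    if submit_node in raclnde:             # member of &RACLNDE: local node
        return (submitter, submit_group)   # associated without change
    second = nodes.get(f"{submit_node}.USERS.{submitter}")
    if second is None:
        return None                        # case not described on the page
    if second.uacc == "NONE":
        return (UNKNOWN_USER, None)        # group handling not described
    if second.uacc != "CONTROL" or not second.addmem:
        return None                        # other combinations: Table 1
    user = submitter if second.addmem == SUSER else second.addmem
    third = nodes.get(f"{submit_node}.GROUPS.{submit_group}")
    # A third profile's ADDMEM replaces the group regardless of its UACC.
    group = third.addmem if third and third.addmem else submit_group
    return (user, group)

# Constructed sample profiles (all names are hypothetical).
NODES = {
    "NODEB.USERS.PRODJOB": Profile("READ", SUSER),       # first profile
    "NODEC.USERS.ALICE":   Profile("CONTROL", SUSER),    # second profiles
    "NODEC.USERS.BOB":     Profile("CONTROL", "BOBLOCAL"),
    "NODEC.USERS.EVE":     Profile("NONE"),
    "NODEC.GROUPS.DEVGRP": Profile("NONE", "REMDEV"),    # third profile
}
RACLNDE = {"NODEA"}  # nodes treated as local

if __name__ == "__main__":
    for node, user, grp in [("NODEA", "ALICE", "DEVGRP"),
                            ("NODEC", "ALICE", "DEVGRP"),
                            ("NODEC", "BOB", "OPSGRP"),
                            ("NODEC", "EVE", "DEVGRP")]:
        print(node, user, grp, "->",
              sysout_owner(NODES, RACLNDE, "NODEB", "PRODJOB", node, user, grp))
```

Running the model over a planned profile set before defining it shows where a second profile with a fixed ADDMEM value reassigns SYSOUT to a different user ID than the submitter.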

Copyright IBM Corporation 1990, 2014