z/OS Security Server RACF Security Administrator's Guide


Where NJE jobs are verified

SA23-2289-00

The following is a simple network showing the path of a job.

The submitting node passes a job to the store-and-forward node, which in turn passes the job to the execution node.

User verification for NJE jobs is normally done at the execution node. However, RACF® authorization checking might also occur at the submitting node, depending on the following:
  • Jobs sent using the JES2 /*ROUTE XEQ statement or /*XEQ statement are verified at the execution node only.
  • Jobs sent using the JES2 /*XMIT statement or the JES3 //*ROUTE XEQ or //XMIT statement have their first JOB statement verified at the submitting node and their second JOB statement verified at the execution node.

Submitter information is propagated from trusted nodes. The submitter information is:
  • The token for a verified first job card
  • The original submitter's token if the job was submitted from an internal reader
  • The unknown user token if the job was submitted from a physical reader
  • NJE header information (no token available) if the job was submitted from a downlevel node

Whether a job is accepted is based on a combination of the submitter's ID, group, or security label. Whether security information is propagated and translated is based on the submitter's ID (taken from the list above). Job acceptance and translation are done using profiles in the NODES class. RACF finds the best fit among the profiles in the NODES class and uses the UACC and ADDMEM information specified in that profile.

For more information, refer to Authorizing network jobs and SYSOUT (NJE).





Copyright IBM Corporation 1990, 2014