CA JCLCheck : How to suppress ICH408I messages on Proclibs

Document ID : KB000101689
Last Modified Date : 25/06/2018
Show Technical Document Details
Introduction:
CA JCLCheck batch scan of a jcl automatically checks if the userid executing this job is authorized to access the PROCLIBs: 

- defined in JES procedure: ddname PROC00 for JES2, ddname IATPLBST for JES3 if AUTOPROC is in effect
or 
- defined with ALLOCATE statement for the JCHKPLIB file if AUTOPROC is not used.
The same check is also done for the //JCLLIB used in the jcl.

When Racf is present, it can happen that the following security errors are logged for the userid because it is not authorized to some of the PROCLIBs or JCLLIBs present in the jcl:

...
ICH408I USER(DPRRRR ) GROUP(IS0000  ) NAME(CACACA,III          )    
   AAAA.CICS.PROCLIB CL(DATASET ) VOL(*BLANK)                
   INSUFFICIENT ACCESS AUTHORITY                                     
   FROM .... (G)  
ICH408I USER(DPRRRR ) GROUP(IS0000  ) NAME(CACACA,III          )    
   CCCC.CICS.PROCLIB CL(DATASET ) VOL(*BLANK)                
   INSUFFICIENT ACCESS AUTHORITY                                     
   FROM .... (G)    
ICH408I USER(DPRRRR ) GROUP(IS0000  ) NAME(CACACA,III          )    
   FFFF.CICS.PROCLIB CL(DATASET ) VOL(*BLANK)                
   INSUFFICIENT ACCESS AUTHORITY                                     
   FROM .... (G)      
...                                    
 
Is it possible and how to suppress these  messages?
Environment:
Z/OS - CA JCLCheck - RACF Security Product 
Instructions:
It is possible to suppress the Security logging messages ICH408I running the batch scan with the Runtime Option 

SEC(NOLOG) 

This will suppress the Racf Security messages as it usually turns off logging of security violations, preventing USERID suspensions.
(DEFAULT MODE - Active Logging). 

Anyway the Jclchk batch scan joblog will still report a warning message for the library that cannot be accessed: 

- for a //PROCLIB the message will be: 

CAY6488W PROCLIB "proclibname" NOT DEFINED. READ ACCESS DENIED BY SECURITY 

- for a //JCLLIB the message will be : 

CAY6329E ACCESS DENIED TO "proclibname" BY SECURITY, RC = 8 ACCESS