The ACF2 GSO STC record can be used to allow a started task to run under a logonid that does not have the STC logonid privilege. This allows the ARSSOCKU started task to run under the ARSSOCKU logonid (without the STC privilege) and allows the ARSLOAD job to run under the ARSSOCKU logonid as well.
The ACF2 GSO STC record assigns a logonid and optional groupid based on the started task ID. It can also be used to allow a logonid such as ARSSOCKU, which is used by IBM's Content Manager OnDemand, to run as an STC without the ACF2 logonid STC privilege while also being used to run the batch ARSLOAD job.
The following steps change the existing ARSSOCKU logonid, which has the STC logonid privilege bit set, to a secure logonid that can be used for both the started task and the ARSLOAD batch job.
- Remove the STC privilege from the ARSSOCKU logonid and add the RESTRICT, SUBAUTH and PROGRAM logonid fields to restrict (secure) how the logonid is used. From TSO ACF:
CHANGE ARSSOCKU NOSTC RESTRICT SUBAUTH PROGRAM(pppppppp)
where pppppppp is the scheduling package's program, or the actual program that submits the batch job.
- Insert a GSO STC record that maps the STC name ARSSOCKU to logonid ARSSOCKU. From TSO ACF:
INSERT STC.ARSSOCKU LOGONID(ARSSOCKU) STCID(ARSSOCKU)
- Change the scheduling package or the ARSLOAD batch JCL to use the logonid ARSSOCKU.
Details on the ACF2 GSO STC record can be found in the CA ACF2 for z/OS Administrator Guide, Chapter 14: Maintaining Global System Options Records, section "Started Task (STC)".