With CA Jobtrac Job Management, why do you see different CA GSS userids executing IMODS?

Document ID : KB000011188
Last Modified Date : 14/02/2018
Question:

With CA Jobtrac Job Management, why do you see different CA GSS userids executing IMODS?

Answer:

The message comes through module FAOGMSG. The length is passed (or calculated).

So, it is displaying what was passed.

This data comes from the IVT:

IVTUSEID DC CL8' '
IVTACEE DC A(0)

One ID comes from the Operating System assignment when the task is submitted (GSSxxxxx), and the other ID comes from the RACF ACEE (GSSxxxx).

Talk with your RACF person to determine the differences and/or consult with IBM to determine any operational aspects.

According to the documentation:

IMODs executing in a CA GSS address space can access and update a variety of data sets and data areas. To prevent unauthorized activity, CA GSS supports system security software that is compatible with the IBM System Authorization Facility (SAF). In z/OS, each task operates under control of an Accessor Environment Element (ACEE), which controls access to all resources. SAF-compatible security software maintains the ACEE based upon a user ID and ensures that the necessary checks are provided.

CA GSS ensures that an appropriate ACEE is in place for each executing IMOD and that all services invoked on behalf of the IMOD execute under the scope of that ACEE.

CA GSS needs two valid user IDs for proper security enforcement:

The primary user ID assigned by the system to the CA GSS started task or job.

A user ID to use as a default ID for service requests that either have no associated user ID or for which CA GSS cannot determine the associated user ID.

You must define this user ID to your security software and define it to CA GSS through the SECURITY initialization parameter. Since this is the default user ID, it should be very limited in scope. See the CA Reference Guide for detailed information on CA GSS initialization parameters.

CA GSS User ID:

Many installations routinely do not assign a specific user ID to started tasks. CA highly recommends that you do assign one, at least for CA GSS.

CA GSS executes under its own user ID during initialization and when performing some housekeeping functions.

IMODs execute under authority of the CA GSS user ID when performing initialization and housekeeping functions, and when no other valid user ID can be determined.

So, if you do NOT supply a userid, a default id is picked up from the ACEE.
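For a RACF site, the two user IDs described above could be defined with a batch TSO job like the following. This is an added example, not taken from the CA documentation; the user IDs GSSSTC and GSSDFLT, the group STCGRP, the job card and the started procedure name GSS are placeholders. The CA GSS SECURITY initialization parameter that names the default ID is not shown; take its syntax from the CA Reference Guide.

```jcl
//GSSRACF  JOB (ACCT),'GSS USER IDS',CLASS=A,MSGCLASS=X
//* Constructed example. GSSSTC, GSSDFLT, STCGRP and the GSS
//* procedure name are placeholders, not values from the article.
//*
//* 1. GSSSTC  - primary ID for the CA GSS started task.
//* 2. GSSDFLT - default ID for requests with no usable user ID.
//*    RESTRICTED stops it gaining access through UACC or ID(*),
//*    so it can reach only what it is explicitly permitted to.
//*    NOPASSWORD/NOOIDCARD make both IDs protected (no logon).
//* 3. The STARTED profile ties the GSS procedure to GSSSTC;
//*    TRACE(YES) issues a console message when the profile is used.
//* 4. LISTUSER and RLIST display the result for review.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDUSER GSSSTC DFLTGRP(STCGRP) OWNER(STCGRP) -
    NAME('CA GSS STC') NOPASSWORD NOOIDCARD
  ADDUSER GSSDFLT DFLTGRP(STCGRP) OWNER(STCGRP) -
    NAME('CA GSS DEFAULT') NOPASSWORD NOOIDCARD RESTRICTED
  RDEFINE STARTED GSS.* OWNER(STCGRP) -
    STDATA(USER(GSSSTC) GROUP(STCGRP) -
    PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
  SETROPTS RACLIST(STARTED) REFRESH
  LISTUSER GSSDFLT
  RLIST STARTED GSS.* STDATA
/*
```

With distinct IDs for the started task and the default, the user ID shown in IMOD messages indicates which of the two authorities the IMOD ran under.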

As always, please contact CA Technologies support for CA Jobtrac Job Management if you have further questions.