Users who submit jobs using NATRJE under Com-Plete are having their JCL kicked out with an error if the 1st position of their RACF User ID is not alphabetic. :?
The error message is “IEF647I FIRST CHARACTER OF NAME NOT ALPHABETIC OR NOT NATIONAL IN THE USER FIELD ”
It appears that Com-Plete or RJE is automatically inserting a generated ACEE statement after the 1st job card. This only occurs under Com-Plete - not with CICS. The card looks like:
// PASSWORD=,USER=5AB,GROUP=A0BC
Can the ULSRRJE user exit be used to strip out this generated card? Has anyone coded this userexit to remove this line and would be willing to share the code? We don’t have easy access to Assembler programmers to write one and sure would appreciate the code!
If the user exit can not address this, can anyone offer a solution that does not involve assigning new user ids to hundreds of users?
Nope, Chris, you will NOT get control in ULSRRJE to delete the USER= parm, you’ll need to supply an “empty” USER= on the JOB (or a continuation) statement, or insert it by an ULSRRJE.
I’ve been contributing on the related SAG-L thread.
Why is a USER= being inserted? NPR doesn’t do it. The SAF default if there is no USER= on the job card is to use the userid in the ACEE pointed to by TCBSENV or ASCBENV.
I remember a long time ago there were issues in this area, but nowadays there should be no need to insert a USER= in COM.
Ray, your original suspicion was correct. I heard back from Support that APPLYMOD=83 will suppress the credential card. The description threw us off the trail as it’s listed as: “Don’t keep Password for RJE”
Note that activating this applymod in RACF environments that require the user card will break NATRJE submissions. However in our environment, this is not a problem so problem solved!
They also mentioned that the ‘extra credentials’ are added as a combination of COM and RACF.
That’s correct, AM 83 being ON suppresses insertion of all 3 parms (user, password, group).
With ACF2 and TOP-Secret the story is a bit different, as mentioned in the applymod description, essentially the ACEE pointer is being passed rather than the user / password.
Ray, this may indeed be of historic nature nowadays, back then if there was no USER on the JCL, the job would run with the authority of the user assigned to the COM-PLETE region, which usually is undesirable.
Yes, this sounds like 4.3 or 4.4 days, when TCBSENV was not populated with the user’s ACEE by COM. I think this changed in 4.4 or 4.5.
I remember documentation in one of the COM manuals specifically for TOP-SECRET and ACF2 that required you to change certain options so that TCBSENV was honoured. IIRC, RACF always honoured TCBSENV if set.
I do believe this is a security exposure nowadays; could you please ask Steffan K. if he can change it so that 83 is now set on always by default.
