GROUP Parameter

Purpose

The GROUP parameter specifies the security group under which a job will run. This parameter allows jobs to execute with the security privileges associated with a specified group, which may provide access to resources not available to the user's default group. The GROUP parameter is typically used in conjunction with the USER parameter when a user needs to run a job with group-specific permissions.

Syntax

JOB Statement Format

//jobname JOB parameters,GROUP=groupname

Combined Format with USER

//jobname JOB parameters,USER=userid,PASSWORD=password,GROUP=groupname

Parameter Value

groupname

  • 1-8 character group name defined in the security system (RACF, ACF2, or Top Secret)
  • Must be a valid group to which the specified USER or submitting user belongs
  • Case-sensitive in most environments
  • If omitted, the user's default group is used

Important:

The GROUP parameter is only meaningful if the specified user is connected to multiple groups in the security system. If the user belongs to only one group, that group is always used regardless of the GROUP parameter.

Usage Examples

Basic Usage with USER

//PAYROLL JOB (ACCT#),'JOHN DOE',
//        USER=PAYUSR01,PASSWORD=SECRET42,GROUP=PAYROLL

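This job will run under the user ID PAYUSR01 with the PAYROLL group for resource access permissions. Because PASSWORD is coded in the JCL itself, the password is readable by anyone with read access to the data set or library that holds this job.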

With SECLABEL Parameter

//REPORT  JOB (ACCT#),'JOHN DOE',CLASS=A,
//        USER=REPTUSR,PASSWORD=PASS123,
//        GROUP=FINANCE,SECLABEL=CONFID

This job will run under the user ID REPTUSR with the FINANCE group and the security label CONFID.

Security Concepts

Group-Based Access Control

In mainframe security systems, group membership plays a key role in access control:

  • Users are connected to one or more security groups
  • Each user has a default group that is used if no GROUP is specified
  • Resource access can be granted to groups rather than individual users
  • The GROUP parameter allows selection of an alternate group for a specific job

RACF Group Structure

In RACF, groups have a hierarchical structure:

  • Groups can have subgroups
  • Group ownership affects resource creation and management
  • Group-SPECIAL authority provides administrative control within a group scope
  • The GROUP parameter selects a specific group in the hierarchy

Common Use Cases

Role-Based Access Control

  • Running jobs with different functional roles (e.g., ADMIN, OPERATOR, DEVELOPER)
  • Accessing role-specific resources without changing user profiles
  • Implementing separation of duties through group membership

Multi-Department Access

  • Users who work across multiple departments (e.g., IT support staff)
  • Accessing department-specific resources based on the current task
  • Maintaining audit trails of cross-department access

Temporary Elevated Access

  • Running specific administrative jobs with temporarily elevated permissions
  • Scheduled maintenance tasks requiring higher access levels
  • Emergency procedures requiring special resource access

Implementation Details

Security Product Implementations

RACF:

  • Uses the CONNECT command to associate users with groups
  • GROUP parameter selects from connected groups
  • Hierarchical group structure

ACF2:

  • Uses logonids and group associations
  • Non-hierarchical group implementation
  • GROUP parameter maps to ACF2 group concept

Top Secret:

  • Uses departments and divisions
  • GROUP parameter maps to Top Secret structures
  • May involve department/division selection

Group Connection Requirements

For the GROUP parameter to work:

  1. The specified user must be connected to the group in the security system
  2. The connection must be active (not revoked)
  3. The user must have sufficient authority to use the group
  4. In some cases, special privileges may be required to switch groups
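
The first two requirements can be checked before a job is submitted. The Python check below is an added example, not part of the original page or of any security product: it reads JOB statements (including continuation lines), validates the GROUP name, compares the USER/GROUP pair against a connection list, and flags PASSWORD values coded in the JCL. The connection list format, the name `lint_jobs`, the NIGHTLY and CLEANUP jobs, and the group-name character rule are assumptions.

```python
import re

# Assumption: group names are 1-8 alphanumeric or national (#, $, @) characters
# and start with a letter or national character.
GROUP_RE = re.compile(r"[A-Z#$@][A-Z0-9#$@]{0,7}")
# The operand field ends at the first blank outside an apostrophe-quoted string.
OPERAND_RE = re.compile(r"(?:'[^']*'|[^ '])*")

def lint_jobs(jcl_text, connections, submitter):
    """Return (jobname, finding) pairs for every JOB statement in jcl_text."""
    findings, lines = [], jcl_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"//(\S+)\s+JOB\s+(.*)", line)
        if not m:
            continue
        job, operands, j = m.group(1), OPERAND_RE.match(m.group(2)).group(0), i + 1
        # A trailing comma means the operands continue on the next "// " line.
        while operands.endswith(",") and j < len(lines) and lines[j].startswith("// "):
            operands += OPERAND_RE.match(lines[j][2:].lstrip()).group(0)
            j += 1
        unquoted = re.sub(r"'[^']*'", "''", operands)  # ignore keywords inside quotes
        kw = dict(re.findall(r"(?:^|,)(USER|GROUP|PASSWORD)=([^,]*)", unquoted))
        if "PASSWORD" in kw:
            findings.append((job, "PASSWORD coded in clear text"))
        # Without USER, the group is resolved against the submitting user.
        group, user = kw.get("GROUP"), kw.get("USER", submitter)
        status = connections.get((user, group), "NOT CONNECTED")
        if group and not GROUP_RE.fullmatch(group):
            findings.append((job, f"invalid group name {group}"))
        elif group and status != "ACTIVE":
            findings.append((job, f"{user}/{group}: {status}"))
    return findings

# Constructed sample: the page's two jobs plus two made-up ones.
SAMPLE_JCL = """\
//PAYROLL  JOB (ACCT#),'JOHN DOE',
//         USER=PAYUSR01,PASSWORD=SECRET42,GROUP=PAYROLL
//REPORT   JOB (ACCT#),'JOHN DOE',CLASS=A,
//         USER=REPTUSR,PASSWORD=PASS123,
//         GROUP=FINANCE,SECLABEL=CONFID
//NIGHTLY  JOB (ACCT#),'GROUP=FAKE',GROUP=TOOLONGNAME
//CLEANUP  JOB (ACCT#),'OPS',GROUP=SYSADM
"""
# Hypothetical export of user-to-group connections from the security system.
SAMPLE_CONNECTIONS = {("PAYUSR01", "PAYROLL"): "ACTIVE", ("REPTUSR", "FINANCE"): "REVOKED"}

if __name__ == "__main__":
    for job, finding in lint_jobs(SAMPLE_JCL, SAMPLE_CONNECTIONS, submitter="JDOE"):
        print(f"{job}: {finding}")
```

The security product remains the authority at run time; a check like this only catches mismatches earlier, for example in a change-review step for production JCL.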

Best Practices

  1. Design a clear group structure aligned with organizational roles and functions
  2. Document group purpose and permissions to ensure appropriate usage
  3. Implement the principle of least privilege when granting group access
  4. Regularly audit group membership to ensure continued appropriateness
  5. Use GROUP consistently across related jobs in a job stream
  6. Consider using specific job-related groups rather than general-purpose groups
  7. Review security logs for GROUP usage to detect potential misuse

Troubleshooting

Common Issues

Each issue is listed with its possible solution:

  • GROUP parameter ignored: Verify the user is connected to the specified group; check security system configurations
  • Access denied despite GROUP: Ensure the group has proper access to required resources; check resource access control lists
  • GROUP not recognized: Verify the group name is correct and exists in the security system
  • Inconsistent behavior: Check for differences in group structure or connections across environments

Security Messages

You may encounter these security-related messages:

  • ICH408I USER(userid) ... NOT AUTHORIZED TO GROUP(groupname) - User not connected to specified group
  • ICH408I USER(userid) ... INSUFFICIENT ACCESS AUTHORITY - Group lacks necessary permissions

JES2 and JES3 Considerations

The GROUP parameter behavior is consistent across JES2 and JES3 environments:

  • Both JES2 and JES3 pass the GROUP parameter to the security system
  • The security product, not JES, controls group validation and access
  • JES job scheduling and execution are affected by group permissions

Related Concepts