USER Parameter

Purpose

The USER parameter specifies the user ID under which a job will run. This parameter allows jobs to execute with the security privileges and access rights of a specified user, which might be different from the submitting user. The USER parameter is typically used in conjunction with the PASSWORD parameter for authentication.

Syntax

JOB Statement Format

```jcl
//jobname JOB parameters,USER=userid
```

Parameter Value

userid

  • 1-8 character user identification defined to the security system (RACF, ACF2, or Top Secret)
  • Must be a valid user ID in the security system
  • Case-sensitive in most environments
  • Typically requires a corresponding PASSWORD parameter (except when surrogate authority is used)

Security Note:

Modern security best practices recommend using surrogate user functionality (where authorized users can submit jobs for other users without specifying passwords) instead of including passwords in JCL.

Usage Examples

Basic Usage with PASSWORD

```jcl
//PAYROLL  JOB (ACCT#),'JOHN DOE',
//         USER=PAYUSR01,PASSWORD=SECRET42
```

This job will run under the user ID PAYUSR01 with the password SECRET42 for authentication.

With SECLABEL Parameter

```jcl
//REPORT   JOB (ACCT#),'JOHN DOE',CLASS=A,
//         USER=REPTUSR,PASSWORD=PASS123,
//         SECLABEL=CONFID
```

This job will run under the user ID REPTUSR with the security label CONFID, controlling access to classified information.

Security Considerations

Authentication Methods

The USER parameter can be used with different authentication methods:

| Method | Description | Security Considerations |
|---|---|---|
| PASSWORD parameter | Traditional method using cleartext password | Least secure; passwords visible in JCL |
| RACF Surrogate Authority | Submitting user authorized to run jobs as target user | No passwords exposed; controlled through security profiles |
| Passtickets | One-time use generated credentials | More secure than static passwords; time-limited |
| Automated Job Submission | Job scheduler securely manages credentials | Credentials managed by scheduler, not in JCL |

Surrogate User Configuration

In RACF, surrogate authority is configured using profiles in the SURROGAT class:

```text
RDEFINE SURROGAT userid.SUBMIT UACC(NONE)
PERMIT userid.SUBMIT CLASS(SURROGAT) ID(surrogate-userid) ACCESS(READ)
SETROPTS RACLIST(SURROGAT) REFRESH
```

This allows surrogate-userid to submit jobs with USER=userid without specifying a password.

Common Use Cases

Production Job Execution

  • Running production jobs under dedicated user IDs with specific permissions
  • Segregating production workloads from development and test environments
  • Maintaining proper audit trails through job-specific user IDs

Administrative Tasks

  • Performing system maintenance under privileged user IDs
  • Running utilities that require elevated permissions
  • Executing scheduled tasks that access protected resources

Multi-Environment Deployments

  • Using different user IDs for the same job in different environments
  • Managing separation of duties across development, testing, and production
  • Controlling access to sensitive data in higher environments

Best Practices

  1. Avoid storing passwords in JCL - Use surrogate authority or job scheduling tools instead
  2. Create dedicated functional user IDs for different application functions
  3. Follow the principle of least privilege - Give user IDs only the permissions they need
  4. Regularly audit user ID usage to ensure proper access controls
  5. Implement role-based access control aligned with job functions
  6. Document the purpose and permissions of each user ID used in JCL
  7. Review security settings periodically to ensure continued compliance
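To support practices 1 and 4, the following added example (not part of the original page) audits a JCL deck for JOB statements that carry a cleartext PASSWORD, joining continuation lines and ignoring comment statements and quoted strings. The function names and the sample deck are constructed for illustration, and the parser assumes quoted strings do not span continuation lines.

```python
import re

# Constructed sample deck; job names, user IDs and the password are made up.
SAMPLE_JCL = """\
//PAYROLL  JOB (ACCT#),'JOHN DOE',
//         USER=PAYUSR01,PASSWORD=SECRET42
//STEP1    EXEC PGM=IEFBR14
//* USER=OLDUSR,PASSWORD=IGNORED   comment statement, not a JOB card
//REPORT   JOB (ACCT#),'PASSWORD=X',CLASS=A,   nightly report
//         USER=REPTUSR
//STEP1    EXEC PGM=IEFBR14
"""

JOB_CARD = re.compile(r"//([^\s*]\S*)\s+JOB(?:\s+(.*))?$")
QUOTED = re.compile(r"'(?:[^']|'')*'")  # programmer name etc.; '' is an escaped quote

def operand_field(text):
    """Return only the operand field: quoted strings emptied, trailing comment dropped."""
    text = QUOTED.sub("''", text).strip()
    return text.split(None, 1)[0] if text else ""

def audit_job_cards(jcl_text):
    """Return (line_no, jobname, userid, has_password) for every JOB statement."""
    lines = [ln[:71].rstrip() for ln in jcl_text.splitlines()]  # ignore columns 72-80
    findings, i = [], 0
    while i < len(lines):
        m = JOB_CARD.match(lines[i])
        i += 1
        if not m:
            continue
        line_no, jobname = i, m.group(1)
        operands = operand_field(m.group(2) or "")
        # The statement continues while the operand field ends with a comma.
        while operands.endswith(",") and i < len(lines):
            if lines[i].startswith("//*"):      # comment between continuation lines
                i += 1
            elif re.match(r"// +\S", lines[i]):
                operands += operand_field(lines[i][2:])
                i += 1
            else:
                break
        user = re.search(r"(?:^|,)USER=([^,]*)", operands)
        has_password = re.search(r"(?:^|,)PASSWORD=", operands) is not None
        findings.append((line_no, jobname, user.group(1) if user else None, has_password))
    return findings

if __name__ == "__main__":
    for line_no, job, user, has_pw in audit_job_cards(SAMPLE_JCL):
        print(f"line {line_no}: {job} USER={user} password_in_jcl={has_pw}")
```

The findings report only the presence of PASSWORD, never its value, so the audit output does not become a second place where the credential is exposed.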

Troubleshooting

Common Issues

| Issue | Possible Solution |
|---|---|
| Authentication failure | Verify user ID and password are correct; check if the user ID is expired or revoked |
| Access denied to resources | Ensure the user ID has appropriate permissions for datasets and resources used in the job |
| Surrogate authority not working | Check SURROGAT class profiles and permissions; ensure SURROGAT class is active |
| Job fails in specific environments | Verify user ID exists and has the same permissions across all environments |

Security Messages

Common security-related messages you might encounter:

  • ICH408I USER(userid) ... INSUFFICIENT ACCESS AUTHORITY - Access denied to a protected resource
  • ICH408I USER(userid) ... PASSWORD NOT AUTHORIZED - Invalid password provided
  • ICH408I USER(userid) ... SURROGAT CLASS PROFILE NOT FOUND - Missing surrogate authority configuration

JES2 and JES3 Considerations

The USER parameter behavior is generally consistent between JES2 and JES3 environments:

  • Both JES2 and JES3 rely on the system security product for authentication
  • Surrogate functionality is implemented through the security product, not JES
  • Some job scheduling features may interact differently with the USER parameter

Related Concepts