Up to version 10 it’s always the user which runs the Agent STC, which needs the READ or ALTER permission in the z/OS security system (most likely RACF), because this user is used to read or write the datasets.
It is possible to use the “askRACF” parameter in the INI setting of the Agent, to enable a check if the user specified in the LOGIN object has the needed permissions as well. This is realized by a check via the RACROUTE macro, before the execution on the transfer.
http://docs.automic.com/documentation/AE/11.2/english/AE_WEBHELP/help.htm?product=awa#ucaame.htm?Highlight=askracf
As of version 11 it’s possible to execute the transfer with the user specified in the LOGIN object. That means the read or write of files is done by the login user and the Agent STC user doesn’t need the permissions any more.
It is possible to active the new behavior with the “ft_thread_level_security” parameter in the INI settings.
http://docs.automic.com/documentation/AE/11.2/english/AE_WEBHELP/help.htm?product=awa#ucaame.htm?Highlight=ft_thread_level_security