We are attempting to use the UID feature of CA-7 to secure the jobs that users can demand via CA-OPS (ADDRESS CA7 and OPSCA7() function). We know that each of these methods results in a different ID being sent to CA-7. The OPSCA7() function sends the user id of the CA-OPS task while the ADDRESS CA7 sends the user id of the GSS task. We have everything set up in RACF and CA-7, performed the requisite refreshes and recycles. We set up 3 jobs in CA-7, one with UID 255, one with UID 001 and one with UID 000. When we attempt to demand in each job via CA OPS/REXX using each method here are the results we get:
JOB UID 255:
GSS: Fails (Expected but perhaps a false positive based on the UID 001 results)
OPS: Fails (Expected)
JOB UID 001:
GSS: Fails (Unexpected)
OPS: Success (Expected)
JOB UID 000:
GSS: Success (Expected)
OPS: Success (Expected)
We looked in the CA-7 log and noticed that the GSS demand of the UID 001 job did receive a denial based on UID but if we have everything set up correctly, and we did double check and triple check everything, why does CA-7 not allow the job to run? GSS does have access to the demand command as well as is evidenced by it being able to demand the UID 000 job in and our own eye balls in RACF. My question is what else could we be missing?
P.S. We do have a ticket open with CA regarding this issue but were wondering if any of the community had run into similar issues or had any ideas what rocks to look under.