CA 7 Workload Automation

The manager for our schedulers came to me today with the following issue:

There is a group of users (different departments control their own jobs) who have the authority to use both the DEMAND and VERIFY commands. They logon with a UID that allows them to only access their own departments jobs.

The problem that has been encountered is that while there are certain of their jobs that they should be able to DEMAND, there are others that should only be VERIFYed. 

The manager's thoughts were to put these sets of jobs under separate UIDs, with a COID defined that allowed the users access to both sets. She thought that she could define one of these UIDs as VERIFY only.

It is my understanding that CA-7 security does not work that way. But if I am wrong, I'll gladly hear how this is done.

Is there a way to accomplish her desired end result? I came across a CA-7 message that seemed to suggest that the DEMAND would fail if the job had an OWNER specified and the user did not have access to that OWNER. I looked for a full explanation of this in the doc, but seemed unable to find it.

Jeff,

You are correct, you can not do a VERIFY command on a job you are not authorized to see via UID access. Your idea of SUBOWNER checking can prevent a user from demanding a job with an OWNER they are not authorized to, but it does not prevent them from having access to the job. But that may work for you. I would be careful with that implementation as it can affect a lot of users...
Original Message:
Sent: 11-06-2019 03:38 PM
From: Jeffrey Holst
Subject: Controlling what jobs a user can DEMAND/VALIDATE.

The manager for our schedulers came to me today with the following issue:

There is a group of users (different departments control their own jobs) who have the authority to use both the DEMAND and VERIFY commands. They logon with a UID that allows them to only access their own departments jobs.

The problem that has been encountered is that while there are certain of their jobs that they should be able to DEMAND, there are others that should only be VERIFYed.

The manager's thoughts were to put these sets of jobs under separate UIDs, with a COID defined that allowed the users access to both sets. She thought that she could define one of these UIDs as VERIFY only.

It is my understanding that CA-7 security does not work that way. But if I am wrong, I'll gladly hear how this is done.

Is there a way to accomplish her desired end result? I came across a CA-7 message that seemed to suggest that the DEMAND would fail if the job had an OWNER specified and the user did not have access to that OWNER. I looked for a full explanation of this in the doc, but seemed unable to find it.