When a prestart job starts, it runs under the prestart job user profile. When a program start request attaches to a prestart job, the prestart job user profile is replaced by the program start request user profile. When the prestart job is finished handling a program start request, the program start request user profile is replaced by the prestart job user profile. If there is a group profile associated with the user profile, the group profile is also exchanged.
The exchange of the user profile is for authority checking only. None of the other attributes associated with the user profile are exchanged. Libraries on the library list to which the prestart job entry user profile is authorized continue to be authorized to the prestart job when the program start request user profile replaces the prestart job entry user profile. However, the library list can be changed by the Change Library List (CHGLIBL) command.
When a prestart job starts, authority checking against the prestart job entry user profile is performed on every object that is needed for starting a job. Before a program start request is allowed to attach to a prestart job, only the program start request user profile and password, and that profile's authority to the communications devices and the library and program, are checked.
To avoid occurrences where the program start request user profile is not authorized to objects that the prestart job entry user profile is authorized to, you must ensure that the program start request user profile is authorized to at least as many objects as the prestart job entry user profile. To accomplish this, the prestart job program can be created by the prestart job entry user with USRPRF(*OWNER) specified on the CRTxxxPGM (where xxx is the program language) command. The program owner authority will automatically be transferred to any programs called by the prestart job program. Otherwise, you may choose to explicitly check object authorization (CHKOBJ) before referring to any objects.
Files and objects that the prestart job user profile is not authorized to should be closed and deallocated before the end of the transaction is performed on the requestor device. If database files are left open in the prestart job, in order to guarantee database security, the prestart job program must check the program start request user profile authority to the open files.
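The explicit CHKOBJ check mentioned above, and the check on files left open between requests, could look like the following CL program. This is an added example, not code from the original documentation: the program name CHKREQAUT, the library APPLIB and the file ORDERS are hypothetical, and it assumes the program is created with USRPRF(*USER) so that no owner authority is adopted.

```cl
/* CHKREQAUT - added example; APPLIB, ORDERS and this program name   */
/* are hypothetical. Assumed to be created with USRPRF(*USER).       */
/* The prestart job program calls it each time a program start       */
/* request attaches, before it refers to APPLIB/ORDERS or reuses     */
/* the file if it was left open by an earlier request.               */
PGM        PARM(&ALLOWED)
  DCL        VAR(&ALLOWED) TYPE(*CHAR) LEN(1)
  DCL        VAR(&MSGID)   TYPE(*CHAR) LEN(7)
  DCL        VAR(&TEXT)    TYPE(*CHAR) LEN(80)

  /* Fail closed: the caller sees '0' unless the check passes.       */
  CHGVAR     VAR(&ALLOWED) VALUE('0')

  /* CHKOBJ signals CPF9801 (object not found), CPF9802 (not         */
  /* authorized to object), CPF9810 (library not found) or CPF9820   */
  /* (not authorized to library). CPF9800 monitors the whole range.  */
  CHKOBJ     OBJ(APPLIB/ORDERS) OBJTYPE(*FILE) AUT(*CHANGE)
  MONMSG     MSGID(CPF9800) EXEC(GOTO CMDLBL(DENY))

  CHGVAR     VAR(&ALLOWED) VALUE('1')
  RETURN

DENY:
  /* Record which check failed so the refusal is visible in the      */
  /* job log, then return with &ALLOWED still set to '0'.            */
  RCVMSG     MSGTYPE(*EXCP) RMV(*NO) MSGID(&MSGID)
  CHGVAR     VAR(&TEXT) +
               VALUE('Request refused: CHKOBJ APPLIB/ORDERS failed,' +
                     *BCAT &MSGID)
  SNDPGMMSG  MSGID(CPF9897) MSGF(QCPFMSG) MSGDTA(&TEXT) +
               MSGTYPE(*DIAG)
ENDPGM
```

When the flag comes back as '0', the calling program should close and deallocate the file before ending the transaction rather than serve the request from the already open file.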