Creating the EQQADMIN class to associate a RACF® user ID

About this task

You can use the resource class EQQADMIN to:
  • Associate a RACF user ID to the Dynamic Workload Console user ID with which you connect to the Z connector.
  • Automatically obtain a RACF user ID based on the Dynamic Workload Console user ID with which you connect to the Z connector.
After you have defined and activated the resource class EQQADMIN in RACF, you must enable its usage by setting the AUTOMAPPING APPLDATA parameter. This setting also determines whether automatic mapping is enabled or disabled:
Enabling the automatic way to obtain a RACF user ID from the Dynamic Workload Console user ID
    RDEFINE EQQADMIN AUTOMAPPING APPLDATA('YES')
    In this way, a RACF user ID is automatically returned based on the Dynamic Workload Console user ID without the host name.

Disabling the automatic way to obtain a RACF user ID from the Dynamic Workload Console user ID
    RDEFINE EQQADMIN AUTOMAPPING APPLDATA('NO')
    This means that every user must be explicitly defined in the EQQADMIN class, as follows:
    RDEFINE EQQADMIN DWC_userID@Hostname APPLDATA('RACF_userID')
The following example shows the results when you set EQQADMIN to AUTOMAPPING APPLDATA('YES'). In RACF you have authorized the users ROOT and ROBINSON to use HCL Workload Automation for Z, and you have defined the EQQADMIN class as follows:
    RDEFINE EQQADMIN AUTOMAPPING APPLDATA('YES')
    RDEFINE EQQADMIN admin@EU-HWS-LNX73.xyz.com APPLDATA('ROOT')
If you connect with the Dynamic Workload Console user:
admin@EU-HWS-LNX73.xyz.com
    An exact match is found in EQQADMIN and the RACF user ROOT is returned.
robinson@EU-HWS-LNX73.xyz.com
    No exact match is found in EQQADMIN, therefore according to AUTOMAPPING APPLDATA('YES') the user ID ROBINSON is returned as RACF user ID.
robinson.richard@EU-HWS-LNX73.xyz.com
    No exact match is found in EQQADMIN, therefore according to AUTOMAPPING APPLDATA('YES') the user ID ROBINSON.RICHARD is returned as RACF user ID. However, ROBINSON.RICHARD exceeds the maximum length of 8 characters allowed for a user. As a consequence, an error message is issued stating that the user was not found or is not valid. The AUTOMAPPING parameter never truncates the length of a user name.
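The lookup order described above can be modeled offline to review a set of EQQADMIN definitions before they are issued. The following Python sketch is an added example, not RACF or product code: it applies the exact-match, automapping and 8-character rules from this page, matches profile names without regard to case, and lists RACF user IDs shared by more than one explicit profile. Assumptions: a missing AUTOMAPPING profile is treated like 'NO', generic profiles are not modeled, and the `ops@` profile in the sample is hypothetical.

```python
import re
from collections import defaultdict

MAX_RACF_USERID_LEN = 8  # limit stated on this page
RDEFINE = re.compile(r"RDEFINE\s+EQQADMIN\s+(\S+)\s+APPLDATA\('([^']*)'\)", re.I)

def load_profiles(text):
    """Parse RDEFINE EQQADMIN lines into {PROFILE: APPLDATA}, upper-cased
    because profile strings are not case sensitive."""
    return {m.group(1).upper(): m.group(2).upper() for m in RDEFINE.finditer(text)}

def resolve(profiles, dwc_user):
    """Return the RACF user ID for a DWC user ID, following the page's rules."""
    key = dwc_user.upper()
    if key != "AUTOMAPPING" and key in profiles:
        return profiles[key]                      # exact match wins
    # Assumption: a missing AUTOMAPPING profile is treated like 'NO'.
    if profiles.get("AUTOMAPPING") != "YES":
        raise LookupError(f"{dwc_user}: no exact EQQADMIN profile, automapping off")
    candidate = key.split("@", 1)[0]              # DWC user ID without host name
    if len(candidate) > MAX_RACF_USERID_LEN:      # never truncated
        raise ValueError(f"{candidate}: longer than {MAX_RACF_USERID_LEN} characters")
    return candidate

def shared_racf_ids(profiles):
    """RACF user IDs that more than one explicit profile maps to."""
    owners = defaultdict(list)
    for name, racf_id in profiles.items():
        if name != "AUTOMAPPING":
            owners[racf_id].append(name)
    return {rid: sorted(names) for rid, names in owners.items() if len(names) > 1}

# Constructed sample: the page's two definitions plus one hypothetical duplicate.
SAMPLE = """
RDEFINE EQQADMIN AUTOMAPPING APPLDATA('YES')
RDEFINE EQQADMIN admin@EU-HWS-LNX73.xyz.com APPLDATA('ROOT')
RDEFINE EQQADMIN ops@EU-HWS-LNX73.xyz.com APPLDATA('ROOT')
"""

if __name__ == "__main__":
    profiles = load_profiles(SAMPLE)
    for user in ("admin@EU-HWS-LNX73.xyz.com", "robinson@EU-HWS-LNX73.xyz.com",
                 "robinson.richard@EU-HWS-LNX73.xyz.com"):
        try:
            print(user, "->", resolve(profiles, user))
        except (LookupError, ValueError) as err:
            print(user, "-> rejected:", err)
    print("shared RACF IDs:", shared_racf_ids(profiles))
```

With automapping enabled, any Dynamic Workload Console user ID of 8 characters or fewer yields a candidate RACF user ID, so access then rests on which RACF users are authorized to use the product. The shared-ID report supports the recommendation that each administrator map to a unique RACF user ID.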
To create the resource class EQQADMIN and map it to a RACF® user ID, perform the following steps:
  1. Make sure that your operating system has the Security Server feature.
  2. Create the resource class EQQADMIN for mapping the administrator ID and host name to the RACF® user ID:
    RDEFINE CDT EQQADMIN UACC(NONE) CDTINFO(DEFAULTUACC(NONE) DEFAULTRC(8) 
    FIRST(ALPHA,NUMERIC) MAXLENGTH(246) OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL) 
    POSIT(28) OPER(NO) RACLIST(ALLOWED) GENLIST(ALLOWED))
    Note: You might need to modify the value of POSIT, if already used by your installation process. For detailed information, see the IBM RACF manual.
  3. Using the EQQADMIN class, map the administrator ID to the RACF® user ID. The RACF® user ID is associated with the administrator defined at the workstation. Any administrative action is thereby traceable to the user issuing the request.
  4. Define a profile in the supplied EQQADMIN class for each administrator who is able to access Dynamic Workload Console.
    Note: In the following tasks, which are for mapping the administrator to RACF® user IDs, it is recommended that each administrator maps to a unique RACF® user ID.
  5. Activate the EQQADMIN class by issuing the following command:
    SETROPTS CLASSACT(EQQADMIN)
  6. In the EQQADMIN class, use the following string to define a unique RACF® user ID for each administrator who will perform Dynamic Workload Console operations:
    userID@hostname
    For example, for a user with the identifier SCOT at the host pelican, you would use SCOT@pelican.

  7. Enter the following command to define a general resource profile in the EQQADMIN class to associate the administrator with a RACF® user ID (in this example, SCOT):
    RDEFINE EQQADMIN SCOT@hostname APPLDATA('SCOT') 
    Note: The string SCOT@hostname is not case sensitive.
  8. Refresh the EQQADMIN class with the following command:
    SETROPTS RACLIST(EQQADMIN) REFRESH
    If you experience problems using special characters to define a profile in the EQQADMIN class, use the following command instead:
    SETROPTS GENERIC(EQQADMIN) REFRESH
    If you are using a dynamic CDT, also refresh the CDT class:
    SETROPTS RACLIST(CDT) REFRESH

Also, use the percent sign (%) instead of the special character. For example, for the Italian code page, the character @ (hex'B5') is not accepted by RACF®. Therefore, use SCOT%pelican instead of SCOT@pelican.

When searching a list of EQQADMIN profiles for a match, RACF® looks for the most similar generic profile.