AUTHDEF
Purpose
The AUTHDEF statement specifies the HCL Workload Automation for Z resources that are defined to a security product. For a description of how to use HCL Workload Automation for Z security features to protect HCL Workload Automation for Z functions and data, see Implementing security.
You can specify this statement for a controller, a standby controller, or a tracker.
AUTHDEF is defined in the member of the EQQPARM library as specified by the PARM parameter on the JCL EXEC statement.
Format
Parameters
- CLASS(name of resource class|OPCCLASS)
- Defines the name of the security resource class that protects HCL Workload Automation for Z resources. The value is valid until you specify a different value and restart the HCL Workload Automation for Z address space. Consider the following checklist when using this parameter:
- The resource class must be defined in the RACF® class descriptor and routing tables.
- New definitions in the RACF® class descriptor and routing tables require an IPL.
- If multiple controller subsystems require separate policies, they require separate classes.
- IBMOPC is a predefined class that you can use with no need for an IPL if only one class is required.
- After a RACF® migration, consider redefining any class you defined in a previous version of RACF®.
- The default class, OPCCLASS, is not predefined in RACF®. Before using this class, make sure that the necessary entries exist in the RACF® class descriptor and routing tables.
- COMMAND1, ..., COMMAND9(list of commands)
- Defines the list of commands to which you want to authorize a user. If the same command is listed in more than one COMMANDn parameter and different levels of authorization are assigned, the authorization with the higher level of privileges is always applied to the command. You can specify any combination of the following occurrence and operation commands:

Table 1. Occurrence commands that you can specify in the COMMANDn parameter

| Command | Description |
|---------|-------------|
| C | Complete an occurrence |
| CG | Complete group |
| DG | Delete group |
| R | Rerun |
| RG | Remove from group |
| W | Set waiting |

Table 2. Operation commands that you can specify in the COMMANDn parameter

| Command | Description |
|---------|-------------|
| ARC | Attempt Automatic Recovery |
| BND | Bind Operation |
| DJ | Delete JCL |
| EX | Execute |
| J | Edit JCL |
| JR | JR, Fast Path JR |
| K | Kill (K and KR) |
| MH | Manual Hold |
| MR | Manual Release |
| NP | NOP |
| RI | Recovery Info (PY and PN) |
| SC | SC, Fast Path SC |
| SJR | Simple Job Restart |
| SR | SR, Fast Path SR |
| UN | UN NOP |

- LISTLOGGING(FIRST|NONE|ALL)
- In the resource profile, you define how data is logged for accesses to a resource. If you restrict access to HCL Workload Automation for Z data on the record level by specifying subresources, a request to list HCL Workload Automation for Z data can result in several access violations being recorded for those records that satisfy the filter criteria but to which the user is not permitted access. LISTLOGGING lets you alter the amount of data that is logged for list requests.
Specify FIRST when logging is performed only for the first read attempt to a resource. Logging occurs only for the first entry that has a profile, which specifies that logging should occur. Specify NONE if no logging is performed. Specify ALL if logging is performed as specified in the profile for the resource. ALL is the default value.
- SUBRESOURCES(resource,...,resource)
- Defines whether HCL Workload Automation for Z checks on the record level if a user is authorized to access information in an HCL Workload Automation for Z VSAM file.
In the list of resources you can specify one or more of the items shown in the syntax diagram. For a description of all the fixed resources and subresources, see Protected fixed resources and subresources.
Whenever a user accesses a record, for example in the AD file, HCL Workload Automation for Z checks if the user is authorized to access the record in the manner intended. To do this, a resource name is generated, and a request is sent through SAF (system authorization facility) to the security system to test the user authority. For example, if you specify AD.ADNAME, the application name is retrieved from the record, and the prefix ADA. is added to create the resource name. The security system is then called to test if this resource exists in the resource class defined by the CLASS keyword and if the user is authorized to access it. The default resource list for the SUBRESOURCES keyword is the empty list. This means that the default is to use already established authority and not to check the user authority to access individual VSAM records.
Note: If you have specified OPCHOST(NO) in the OPCOPTS statement, only the RL.WSNAME, RL.WSSTAT, and SR.SRNAME subresources are relevant. AD.SECELEM and CP.SECELEM are relevant only if you run System Automation V3.1 (with the appropriate maintenance level installed), or later. When set, they protect all the System Automation information in the AD segment and CP33 record, respectively.
- TRACE(4|8|0)
- Defines if HCL Workload Automation for Z writes trace information to the message log (EQQMLOG) each time the RACROUTE macro is invoked. Specify 0, which is the default value, if you do not want trace information. Specify 4 if you want partial trace information. Specify 8 if you want full trace information.
- 1
- The default resource class is used.
- 2
- HCL Workload Automation for Z will verify authorization for application descriptions (by checking the application name) and workstations (by checking the workstation name).
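
The following added example (not part of the original documentation and not product code) models how SUBRESOURCES(AD.ADNAME) and LISTLOGGING interact on a list request: each record's application name is turned into an ADA. resource name, checked against a profile, and a denied read is logged according to the LISTLOGGING value. The profile structure, user IDs, application names, the failure-only audit flag, and the fallback for records without a profile are assumptions made for the illustration.

```python
# Added illustration, not product code: a simplified model of record-level checks.
from dataclasses import dataclass, field

PREFIX = {"AD.ADNAME": "ADA."}  # the one subresource-to-prefix mapping the page gives

@dataclass
class Profile:  # constructed stand-in for a profile in the AUTHDEF CLASS
    permitted: set        # user IDs allowed to read the resource
    audit_failures: bool  # the profile asks for failed accesses to be logged

@dataclass
class ListResult:
    visible: list = field(default_factory=list)  # records returned to the user
    logged: list = field(default_factory=list)   # violations written to the audit log

def resource_name(subresource, value):
    """Build the name sent through SAF, e.g. AD.ADNAME + PAYROLL -> ADA.PAYROLL."""
    return PREFIX[subresource] + value

def list_applications(user, names, profiles, subresources=(), listlogging="ALL"):
    if listlogging not in ("FIRST", "NONE", "ALL"):
        raise ValueError("LISTLOGGING must be FIRST, NONE or ALL")
    result = ListResult()
    for name in names:
        profile = None
        if "AD.ADNAME" in subresources:  # empty list (the default): no record-level check
            profile = profiles.get(resource_name("AD.ADNAME", name))
        # Assumption: a record with no matching profile falls back to established authority.
        if profile is None or user in profile.permitted:
            result.visible.append(name)
        elif profile.audit_failures and (
            listlogging == "ALL" or (listlogging == "FIRST" and not result.logged)
        ):
            result.logged.append(resource_name("AD.ADNAME", name))
    return result

# Constructed sample data: application names and profiles are hypothetical.
APPS = ["BACKUP", "HRSYNC", "PAYROLL", "PAYTAX"]
PROFILES = {
    "ADA.HRSYNC": Profile({"HROPS"}, audit_failures=False),
    "ADA.PAYROLL": Profile({"PAYOPS"}, audit_failures=True),
    "ADA.PAYTAX": Profile({"PAYOPS"}, audit_failures=True),
}

if __name__ == "__main__":
    for mode in ("ALL", "FIRST", "NONE"):
        r = list_applications("GUEST", APPS, PROFILES, ["AD.ADNAME"], mode)
        print(mode, "visible:", r.visible, "logged:", r.logged)
```

With NONE, denied reads during a list request leave no audit record, and with FIRST only one record per list request is written, so the chosen value determines how much of this activity the security product's audit trail shows.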