A decentralized security strategy

Most HCL Workload Automation for Z work is delegated to representatives of the user departments. They perform all HCL Workload Automation for Z functions (including reruns and JCL corrections during the day) but only for the applications in their own department.

During the second and third shifts, machine-room operators take care of reruns and JCL corrections for all departments.

These RACF® groups are defined:
Group
Contains
OPCGROUP
Most of the HCL Workload Automation for Z users. Unlike the users in a centralized installation, these users work alone and perform all HCL Workload Automation for Z functions on a limited number of applications.
OPCSPEC
The schedulers and system support people who keep HCL Workload Automation for Z running continuously.
OPER
The people who correct jobs that end in error overnight.

The major difference from a centralized installation is that authority is divided by department, not by HCL Workload Automation for Z function. The decentralized location relies mainly on HCL Workload Automation for Z subresources for security. This makes name standards more important if the number of profiles is to be kept to a minimum. The administrator must decide which subresource names to use. For example, access to applications could be restricted by job name, owner ID, or authority group ID. Critical functions such as REFR (refresh) should not be decentralized.