Functions and data that you can protect
You can use fixed resources and subresources to protect HCL Workload Automation for Z functions and data.
Fixed resources are always checked as part of the HCL Workload Automation for Z dialog. Subresources are checked only if they are defined in the AUTHDEF statement.
The table Protected fixed resources and subresources describes all fixed resources and subresources. Use it to determine which resources you should define to RACF®. Use the table Access requirements to fixed resources for dialog users to determine what access each user requires to the defined resources.
Fixed resource | Subresource | RACF® resource name | Description |
---|---|---|---|
AD | | AD | Application-description file |
ADEP | | ADEP | Selecting all dependencies in the QCP dialog |
CL | | CL | Calendar data |
CP | | CP | Current-plan file |
ETT | | ETT | ETT dialog |
FT | | FT | File transfer |
JL | | JL | Job library data sets |
JS | | JS | JCL and job-library file |
JV | | JV | JCL variable-definition file |
LT | | LT | Long-term-plan file |
OI | | OI | Operator-instruction file |
PR | | PR | Period data |
RD | | RD | Special resources file |
RG | | RG | Run cycle group |
RL | | RL | Ready list data |
RP | | RP | Dynamic Workload Console reports |
SR | | SR | Special resources in the current plan |
WS | | WS | Workstation data |
ARC | | ARC | Activate/deactivate automatic recovery |
BKP | | BKP | Request backup of a resource data set |
BUL | | BUL | Initiate bulk discovery for the monitoring agent |
CMAC | | CMAC | Data set and Catalog Cleanup used by the |
CONT | | CONT | Refresh RACF® subresources |
ETAC | | ETAC | Activate/deactivate event-triggered tracking |
EXEC | | EXEC | EX (execute) row command |
JSUB | | JSUB | Activate/deactivate job submit |
REFR | | REFR | Refresh LTP and delete CP |
WSCL | | WSCL | All-workstations-closed data |
Name | Protects |
---|---|
ADEP | The use of ALL DEP inquiry from EQQSOPGD panel in the Query Current Plan (QCP) dialog. To use this function, you need read or update authority to the ADEP fixed resource. |
ARC | The ACTIVATE/DEACTIVATE automatic recovery function in the HCL Workload Automation for Z Service Functions dialog. To use this function, you need update authority to the ARC fixed resource. |
BKP | The use of the BACKUP command. BACKUP lets you request a backup of the current plan data set or JCL repository data set. To use this command, you need update access to the BKP fixed resource on the system where the command is issued. |
BUL | The use of the BULKDISC command. BULKDISC allows you to initiate a bulk discovery. To use this command, you need update access to the BUL fixed resource on the system where the command is issued. |
CMAC | The Restart and Cleanup function in the HCL Workload Automation for Z panels. To use Step Restart, Job Restart, and Start Cleanup, update authority is needed to the CMAC fixed resource. No authority is required to CMAC for use of Display Cleanup. |
CONT | The RACF® RESOURCES function in the HCL Workload Automation for Z Service Functions dialog. This lets you activate subresources that are defined after HCL Workload Automation for Z started. To use this function, you need update authority to the CONT fixed resource. |
ETAC | The ACTIVATE/DEACTIVATE ETT function in the Service Functions dialog. To use this function, you need update authority to the ETAC fixed resource. |
EXEC | The use of the EX (execute) row command. You can issue this command from the Modify Current Plan dialog and workstation ready lists, if you have update access to the EXEC fixed resource. |
JSUB | The ACTIVATE/DEACTIVATE job submission function in the HCL Workload Automation for Z Service Functions dialog or TSO JSUACT command. To use this function, you need update authority to the JSUB fixed resource. |
REFR | The REFRESH function (Delete current plan and reset long-term plan) in the HCL Workload Automation for Z Service Functions dialog. To use this function, you need update authority to the REFR fixed resource. |
WSCL | The All Workstations Closed function of the Workstation Description dialog. To browse the list of time intervals when all workstations are closed, you need read authority to the WSCL fixed resource. To update the list, you need update authority to the WSCL fixed resource. |
- The subresources control the actions without filtering the objects.
- The CP.ADD subresource gives the user authority to add new occurrences and operations to existing occurrences. If you want to keep these authorizations separated, use the CP.ADDOPER subresource to give the user authority to add only operations to existing occurrences.
- The CP.DELETE subresource gives the user authority to delete occurrences and operations from the occurrences. If you want to keep these authorizations separated, use the CP.DELOPER subresource to give the user authority to delete only operations from existing occurrences.
- The CP.MODIFY subresource gives the user authority to modify occurrences' attributes and operations in the occurrences. If you want to keep these authorizations separated, use the CP.MODOPER subresource to give the user authority to modify only operations in existing occurrences.
- The CP.MODDEP subresource gives the user authority to add, delete, and modify dependencies.
- When rerunning an occurrence:
  - You can perform a restart and cleanup (JR, SR) only if you are authorized to submit the rerun, JR, and SR commands.
  - If you issue the SC command without having the appropriate authorization, the rerun is performed nevertheless.
- The CP.MODOPSTAT subresource gives the user authority to modify the operation status. The CP.MODOPSTAT subresource includes the following commands:
  - N: Set next logical status
  - N-x: Set specific logical status
  - R: Reset Status
- Relationships between actions and subresources shows the actions that are affected by the subresources that are set in AUTHDEF.

Table 2. Relationships between actions and subresources

Subresources set in AUTHDEF | Impacted actions |
---|---|
CP.ADD | Add occurrence, Add operation, Add group |
CP.COMMANDx, when the list of commands includes C and CG | Complete group |
CP.DELETE | Delete occurrence, Delete operation, Delete group |
CP.DELETE, CP.COMMANDx when the list of commands includes DG | Delete group |
CP.MODIFY | Modify occurrence, Complete occurrence, Modify operation, Remove group, Complete group |
CP.ADDOPER, CP.MODDEP, CP.MODOPER, CP.ADD | Add operation |
CP.DELOPER, CP.MODDEP, CP.MODOPER, CP.DELETE | Delete operation |
CP.MODIFY, CP.MODOPER | Modify operation |
CP.MODOPSTAT, CP.MODOPER, CP.MODIFY | Change status (from Modify Occurrence or Modify Operation) |
CP.MODDEP, CP.MODOPER, CP.MODIFY | Add, delete, modify dependencies |
CP.MODIFY, CP.COMMANDx when the list of commands includes RG | Remove group |
CP.MODIFY, CP.COMMANDx when the list of commands includes C | Complete an occurrence |
CP.MODIFY, CP.COMMANDx when the list of commands includes W | Set waiting |

- Use the FT.WSNAME subresource to protect the FTP transfers on the source and target workstations. In this way, only users enabled in the RACF repository can transfer files that have the WSNAME workstation as source and target destination.
- The AD.JOBNAME and CP.JOBNAME subresources protect only the JOBNAME field within an application or occurrence. You use these subresources to limit the job names to which the user has access during job setup and similar tasks. If you do not use these subresources, a dialog user might obtain greater authority by using HCL Workload Automation for Z to perform certain functions. For example, a user could submit an unauthorized job by adding an application to the current plan, changing the job name, and then letting HCL Workload Automation for Z submit the job. For these subresources, only the ACCESS(UPDATE) level is meaningful.
- The subresources AD.GROUP, CP.GROUP, JS.GROUP, and RL.GROUP are used to protect access to HCL Workload Automation for Z data based on the authority group ID and not application description groups.
- The subresource data is passed to SAF without modifications. Your security product might have restrictions on which characters it allows. For example, RACF® resource names cannot contain asterisks, embedded blanks, or DBCS characters.
- The EQQ9RFDE member in the sample library updates the class-descriptor tables with an HCL Workload Automation for Z-specific class called OPCCLASS.
- Use the CP.ZWSOPER subresource if you want to protect an operation based on the name of the workstation where the operation will be started. You must have update access to this subresource if you want to modify an operation. If you want to specify dependencies between operations, you must have update authority to both the predecessor and successor operations.

  You can use the CP.ZWSOPER subresource to protect against updates to an operation in an occurrence or the unauthorized deletion or addition of an operation in an occurrence. This subresource is not used to protect the addition of an occurrence to the current plan or to protect an occurrence in the current plan that a user attempts to delete, set to waiting, or set to complete. When an occurrence is rerun, access authority is checked only for the particular operation that the rerun is started from.

  The subresource CP.ZWSOPER is unlike the subresource CP.WSNAME, which protects workstations but does not protect against updates to operations.
- When no current plan occurrence information is available, subresource protection for job setup and JCL editing tasks is based on information from the application description. For example, if you are adding an occurrence to the CP and you request JCL edit for an operation, subresource requests using owner ID or authority group ID are issued using the owner ID or authority group ID defined in the AD, because the CP occurrence does not yet exist. Similarly, when editing JCL in the LTP dialog, subresources are based on CP occurrence information, if the occurrence is in the CP. If the occurrence is not in the CP, subresource requests are issued using information from the AD.
- Security checks are not performed on user fields for which there is no value specified.
- AD.UFVAL and CP.UFVAL subresources:
  - The AD.UFVAL and CP.UFVAL subresources are used to protect user field names and values. If you specify these subresources in an AUTHDEF statement using the predefined class, IBMOPC, note that the IBMOPC profile supports user fields not longer than 54 characters. The 54 characters are the total length of the following string:
    - For the AD.UFVAL subresource: ADU.field_name.field_value
    - For the CP.UFVAL subresource: CPU.field_name.field_value
  - The characters permitted in the ADU.field_name.field_value and CPU.field_name.field_value strings depend on the security product you use through the system authorization facility (SAF). The security product can be RACF® or any other product that works with SAF. No checks are performed to validate the characters used, so you must be careful not to use characters that can cause unexpected results. For example, avoid using characters that are considered wildcard characters for the security product you are using. In the case of RACF®, this means avoid using the following wildcard characters: [*, %].
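
Because the product does not validate these strings, the length and character rules above can be checked before the profiles are defined. The following Python check is an added example, not part of the product or its documentation: the function names and sample fields are constructed, and the non-ASCII test is an assumed stand-in for DBCS detection.

```python
MAX_LEN = 54                                      # limit the page gives for class IBMOPC
PREFIX = {"AD.UFVAL": "ADU", "CP.UFVAL": "CPU"}   # resource-name prefixes from the page
WILDCARDS = "*%"                                  # RACF wildcards the page says to avoid


def check_user_field(subresource, field_name, field_value):
    """Return (resource_name, problems); the name is None for an empty value."""
    if subresource not in PREFIX:
        raise ValueError(f"unknown subresource: {subresource}")
    # User fields without a value get no security check at all.
    if not field_value:
        return None, ["no value: no security check is performed"]
    name = f"{PREFIX[subresource]}.{field_name}.{field_value}"
    problems = []
    if len(name) > MAX_LEN:
        problems.append(f"length {len(name)} exceeds {MAX_LEN}")
    bad = sorted({c for c in name if c in WILDCARDS})
    if bad:
        problems.append("wildcard character(s): " + " ".join(bad))
    if " " in name:
        problems.append("embedded blank")
    # Assumption: any non-ASCII character is treated as a possible DBCS character.
    if not name.isascii():
        problems.append("non-ASCII (possibly DBCS) character")
    return name, problems


def audit(fields):
    """Map each (subresource, name, value) tuple that has findings to them."""
    report = {}
    for sub, fname, fvalue in fields:
        _, problems = check_user_field(sub, fname, fvalue)
        if problems:
            report[(sub, fname, fvalue)] = problems
    return report


# Constructed sample user fields, not taken from any real installation.
SAMPLE = [
    ("AD.UFVAL", "OWNERDEPT", "PAYROLL"),
    ("CP.UFVAL", "TICKET", "CHG*"),
    ("CP.UFVAL", "CONTACT", "NIGHT SHIFT"),
    ("AD.UFVAL", "DESCRIPTION", "X" * 40),
    ("AD.UFVAL", "NOTE", ""),
]

if __name__ == "__main__":
    for key, problems in audit(SAMPLE).items():
        print(key, "->", "; ".join(problems))
```

A field whose value is empty is reported as well, since no security check is performed for it.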