Functions and data that you can protect

You can use fixed resources and subresources to protect HCL Workload Automation for Z functions and data.

Fixed resources are always checked as part of the HCL Workload Automation for Z dialog. Subresources are checked only if they are defined in the AUTHDEF statement.

Table 1 (Protected fixed resources and subresources) describes all fixed resources and subresources. Use the table to determine which resources you should define to RACF®. Use Access requirements to fixed resources for dialog users to determine what access each user requires to the defined resources.

Note: The subresource name and the RACF® resource name are not the same. You specify the subresource name shown in column 2 on the SUBRESOURCES keyword of AUTHDEF to start subresource verification. The corresponding RACF® resource name shown in column 3 must be defined in the general resource class used by HCL Workload Automation for Z, which is specified on the CLASS keyword of AUTHDEF.
Table 1. Protected fixed resources and subresources
| Fixed resource | Subresource | RACF® resource name | Description |
|---|---|---|---|
| AD | | AD | Application-description file |
| AD | AD.ADNAME | ADA.name | Application name |
| AD | AD.ADGDDEF | ADD.name | Group-definition-ID name |
| AD | AD.NAME | ADN.name | Operation extended name in application-description |
| AD | AD.OWNER | ADO.name | Owner ID |
| AD | AD.GROUP | ADG.name | Authority group ID |
| AD | AD.JOBNAME | ADJ.name | Operation job name in application description |
| AD | AD.RESNAME | ADR.resname | Special resource name |
| AD | AD.SECELEM | ADM.name | Security element name |
| AD | AD.UFVAL | ADU.field_name.field_value | User field name and value |
| ADEP | | ADEP | Selecting all dependencies in the QCP dialog |
| CL | | CL | Calendar data |
| CL | CL.CALNAME | CLC.name | Calendar name |
| CP | | CP | Current-plan file |
| CP | CP.ADD | CP.ADD | Add workload |
| CP | CP.DELETE | CP.DELETE | Delete workload |
| CP | CP.MODIFY | CP.MODIFY | Modify workload |
| CP | CP.ADDOPER | CP.ADDOPER | Add operation |
| CP | CP.DELOPER | CP.DELOPER | Delete operation |
| CP | CP.MODOPER | CP.MODOPER | Modify operation |
| CP | CP.MODDEP | CP.MODDEP | Modify dependencies |
| CP | CP.MODOPSTAT | CP.MODOPSTAT | Modify operation status |
| CP | CP.COMMANDn | CP.COMMANDn | List of commands |
| CP | CP.ADNAME | CPA.name | Occurrence name |
| CP | CP.CPGDDEF | CPD.name | Occurrence group-definition-ID |
| CP | CP.NAME | CPN.name | Operation extended name |
| CP | CP.OWNER | CPO.name | Occurrence owner ID |
| CP | CP.GROUP | CPG.name | Occurrence authority-group ID |
| CP | CP.JOBNAME | CPJ.name | Occurrence operation name |
| CP | CP.WSNAME | CPW.name | Current plan workstation name |
| CP | CP.ZWSOPER | CPZ.name | Workstation name used by an operation |
| CP | CP.SECELEM | CPM.name | Security element name |
| CP | CP.UFVAL | CPU.field_name.field_value | Operation user field name and value |
| CP | CP.RESNAME | CPR.resname | Special resource name |
| ETT | | ETT | ETT dialog |
| ETT | ET.ETNAME | ETE.name | Name of triggering event |
| ETT | ET.ADNAME | ETA.name | Name of application to be added |
| FT | | FT | File transfer |
| FT | FT.WSNAME | FTW.wsname | File transfer workstation name |
| JL | | JL | Job library data sets |
| JL | JL.DSNAME | JLD.name | Job library data set name |
| JL | JL.MEMBER | JLM.name | JCL member name |
| JS | | JS | JCL and job-library file |
| JS | JS.ADNAME | JSA.name | Occurrence name |
| JS | JS.OWNER | JSO.name | Occurrence owner ID |
| JS | JS.GROUP | JSG.name | Occurrence authority group ID |
| JS | JS.JOBNAME | JSJ.name | Occurrence operation name |
| JS | JS.WSNAME | JSW.name | Current plan workstation name |
| JV | | JV | JCL variable-definition file |
| JV | JV.OWNER | JVO.name | Owner ID of JCL-variable-definition table |
| JV | JV.TABNAME | JVT.name | Name of JCL-variable table |
| LT | | LT | Long-term-plan file |
| LT | LT.ADNAME | LTA.name | Occurrence name |
| LT | LT.LTGDDEF | LTD.name | Occurrence group-definition ID |
| LT | LT.OWNER | LTO.name | Occurrence owner ID |
| OI | | OI | Operator-instruction file |
| OI | OI.ADNAME | OIA.name | Application name |
| PR | | PR | Period data |
| PR | PR.PERNAME | PRP.name | Period name |
| RD | | RD | Special resources file |
| RD | RD.RDNAME | RDR.name | Special resource name |
| RG | | RG | Run cycle group |
| RG | RG.RGNAME | RGY.name | Run cycle group name |
| RG | RG.OWNER | RGO.name | Run cycle group owner |
| RL | | RL | Ready list data |
| RL | RL.ADNAME | RLA.name | Occurrence name |
| RL | RL.OWNER | RLO.name | Occurrence owner ID |
| RL | RL.GROUP | RLG.name | Occurrence authority-group ID |
| RL | RL.WSNAME | RLW.name | Current-plan workstation name |
| RL | RL.WSSTAT | RLX.name | Current-plan workstation changed by WSSTAT |
| RP | | RP | Dynamic Workload Console reports |
| RP | RP.REPTYPE | RPT.reptype | Report type depending on the report you request: RUNHIST (for job run history reports), RUNSTATS (for job run statistics), WWR (for workstation workload runtimes reports), WWS (for workstation workload summary), SQL (for reports obtained by customized SQL queries) |
| SR | | SR | Special resources in the current plan |
| SR | SR.SRNAME | SRS.name | Special resource name |
| WS | | WS | Workstation data |
| WS | WS.WSNAME | WSW.name | Workstation name in workstation database |
| ARC | | ARC | Activate/deactivate automatic recovery |
| BKP | | BKP | Request backup of a resource data set |
| BUL | | BUL | Initiate bulk discovery for the monitoring agent |
| CMAC | | CMAC | Data set and Catalog Cleanup used by the Restart and Cleanup function |
| CONT | | CONT | Refresh RACF® subresources |
| ETAC | | ETAC | Activate/deactivate event-triggered tracking |
| EXEC | | EXEC | EX (execute) row command |
| JSUB | | JSUB | Activate/deactivate job submit |
| REFR | | REFR | Refresh LTP and delete CP |
| WSCL | | WSCL | All-workstations-closed data |

As shown in Table 1 (Protected fixed resources and subresources), these items exist only as fixed resources:
Name
Protects
ADEP
The use of ALL DEP inquiry from EQQSOPGD panel in the Query Current Plan (QCP) dialog. To use this function, you need read or update authority to the ADEP fixed resource.
ARC
The ACTIVATE/DEACTIVATE automatic recovery function in the HCL Workload Automation for Z Service Functions dialog. To use this function, you need update authority to the ARC fixed resource.
BKP
The use of the BACKUP command. BACKUP lets you request a backup of the current plan data set or JCL repository data set. To use this command, you need update access to the BKP fixed resource on the system where the command is issued.
BUL
The use of the BULKDISC command. BULKDISC allows you to initiate a bulk discovery. To use this command you need update access to the BUL fixed resource on the system where the command is issued.
CMAC
The Restart and Cleanup function in the HCL Workload Automation for Z panels. To use Step Restart, Job Restart, and Start Cleanup, update authority to the CMAC fixed resource is needed. No authority to CMAC is required for use of Display Cleanup.
CONT
The RACF® RESOURCES function in the HCL Workload Automation for Z Service Functions dialog. This lets you activate subresources that are defined after HCL Workload Automation for Z started. To use this function, you need update authority to the CONT fixed resource.
ETAC
The ACTIVATE/DEACTIVATE ETT function in the Service Functions dialog. To use this function, you need update authority to the ETAC fixed resource.
EXEC
The use of the EX (execute) row command. You can issue this command from the Modify Current Plan dialog and workstation ready lists, if you have update access to the EXEC fixed resource.
JSUB
The ACTIVATE/DEACTIVATE job submission function in the HCL Workload Automation for Z Service Functions dialog or TSO JSUACT command. To use this function, you need update authority to the JSUB fixed resource.
REFR
The REFRESH function (Delete current plan and reset long-term plan) in the HCL Workload Automation for Z Service Functions dialog. To use this function, you need update authority to the REFR fixed resource.
WSCL
The All Workstations Closed function of the Workstation Description dialog. To browse the list of time intervals when all workstations are closed, you need read authority to the WSCL fixed resource. To update the list, you need update authority to the WSCL fixed resource.
Note: Ensure that you restrict access to these fixed resources to users who require them. REFR is particularly important because this function deletes the current plan.
When working with the subresources CP.ADD, CP.DELETE, CP.MODIFY, CP.ADDOPER, CP.DELOPER, CP.MODOPER, CP.MODDEP, CP.MODOPSTAT, and CP.COMMANDn, which control actions, consider that:
  • The subresources control the actions without filtering the objects.
  • The CP.ADD subresource gives the user authority to add new occurrences and operations to existing occurrences. If you want to keep these authorizations separated, use the CP.ADDOPER subresource to give the user authority to add only operations to existing occurrences.
  • The CP.DELETE subresource gives the user authority to delete occurrences and operations from the occurrences. If you want to keep these authorizations separated, use the CP.DELOPER subresource to give the user authority to delete only operations from existing occurrences.
  • The CP.MODIFY subresource gives the user authority to modify occurrences' attributes and operations in the occurrences. If you want to keep these authorizations separated, use the CP.MODOPER subresource to give the user authority to modify only operations in existing occurrences.
  • The CP.MODDEP subresource gives the user authority to add, delete, and modify dependencies.
  • When rerunning an occurrence:
    • You can perform a restart and cleanup (JR, SR) only if you are authorized to submit the rerun, JR, and SR commands.
    • If you issue the SC command without having the appropriate authorization, the rerun is performed nevertheless.
  • The CP.MODOPSTAT subresource gives the user authority to modify the operation status.
    The CP.MODOPSTAT subresource includes the following commands:
    N
    Set next logical status
    N-x
    Set specific logical status
    R
    Reset Status
  • Table 2 (Relationships between actions and subresources) shows the actions that are affected by the subresources that are set in AUTHDEF.
    Table 2. Relationships between actions and subresources

    | Subresources set in AUTHDEF | Impacted actions |
    |---|---|
    | CP.ADD | Add occurrence, Add operation, Add group |
    | CP.COMMANDx, when the list of commands includes C and CG | Complete group |
    | CP.DELETE | Delete occurrence, Delete operation, Delete group |
    | CP.DELETE, CP.COMMANDx when the list of commands includes DG | Delete group |
    | CP.MODIFY | Modify occurrence, Complete occurrence, Modify operation, Remove group, Complete group |
    | CP.ADDOPER, CP.MODDEP, CP.MODOPER, CP.ADD | Add operation |
    | CP.DELOPER, CP.MODDEP, CP.MODOPER, CP.DELETE | Delete operation |
    | CP.MODIFY, CP.MODOPER | Modify operation |
    | CP.MODOPSTAT, CP.MODOPER, CP.MODIFY | Change status (from Modify Occurrence or Modify Operation) |
    | CP.MODDEP, CP.MODOPER, CP.MODIFY | Add, delete, modify dependencies |
    | CP.MODIFY, CP.COMMANDx when the list of commands includes RG | Remove group |
    | CP.MODIFY, CP.COMMANDx when the list of commands includes C | Complete an occurrence |
    | CP.MODIFY, CP.COMMANDx when the list of commands includes W | Set waiting |

There are some things to consider when working with fixed resources and subresources that control objects:
  • Use the FT.WSNAME subresource to protect the FTP transfers on the source and target workstations. In this way, only users enabled in the RACF repository can transfer files that have the WSNAME workstation as source and target destination.
  • The AD.JOBNAME and CP.JOBNAME subresources protect only the JOBNAME field within an application or occurrence. You use these subresources to limit the job names to which the user has access during job setup and similar tasks. If you do not use these subresources, a dialog user might obtain greater authority by using HCL Workload Automation for Z to perform certain functions. For example, a user could submit an unauthorized job by adding an application to the current plan, changing the job name, and then letting HCL Workload Automation for Z submit the job.

    For these subresources, only the ACCESS(UPDATE) level is meaningful.

  • The subresources AD.GROUP, CP.GROUP, JS.GROUP, and RL.GROUP are used to protect access to HCL Workload Automation for Z data based on the authority group ID and not application description groups.
  • The subresource data is passed to SAF without modifications. Your security product might have restrictions on which characters it allows. For example, RACF® resource names cannot contain asterisks, embedded blanks, or DBCS characters.
  • The EQQ9RFDE member in the sample library updates the class-descriptor tables with an HCL Workload Automation for Z-specific class called OPCCLASS.
  • Use the CP.ZWSOPER subresource if you want to protect an operation based on the name of the workstation where the operation will be started. You must have update access to this subresource if you want to modify an operation. If you want to specify dependencies between operations, you must have update authority to both the predecessor and successor operations.

    You can use the CP.ZWSOPER subresource to protect against updates to an operation in an occurrence or the unauthorized deletion or addition of an operation in an occurrence. This subresource is not used to protect the addition of an occurrence to the current plan or to protect an occurrence in the current plan that a user attempts to delete, set to waiting, or set to complete. When an occurrence is rerun, access authority is checked only for the particular operation that the rerun is started from.

    The subresource CP.ZWSOPER is unlike the subresource CP.WSNAME, which protects workstations but does not protect against updates to operations.

  • When no current plan occurrence information is available, subresource protection for job setup and JCL editing tasks is based on information from the application description. For example, if you are adding an occurrence to the CP and you request JCL edit for an operation, subresource requests using owner ID or authority group ID are issued using the owner ID or authority group ID defined in the AD, because the CP occurrence does not yet exist. Similarly, when editing JCL in the LTP dialog, subresources are based on CP occurrence information, if the occurrence is in the CP. If the occurrence is not in the CP, subresource requests are issued using information from the AD.
  • Security checks are not performed on user fields for which there is no value specified.
  • AD.UFVAL and CP.UFVAL subresources:
    • The AD.UFVAL and CP.UFVAL subresources are used to protect user field names and values. If you specify these subresources in an AUTHDEF statement using the predefined class, IBMOPC, note that the IBMOPC profile supports user fields not longer than 54 characters. The 54 characters are the total length of the following string:
      • For the AD.UFVAL subresource: ADU.field_name.field_value
      • For the CP.UFVAL subresource: CPU.field_name.field_value
      Therefore, if you require protection for user fields longer than 54 characters, then you must manually create a new RACF® profile, or use an existing profile you have defined, that supports user fields with values longer than 54 characters. For example, the profile could specify MAXLNTH=80 to ensure longer user field names and values are supported.
    • The characters permitted in the ADU.field_name.field_value and CPU.field_name.field_value strings depend on the security product you use through the system authorization facility (SAF). The security product can be RACF® or any other product that works with SAF. No checks are performed to validate the characters used, so you must be careful not to use characters that can cause unexpected results. For example, avoid using characters that are considered wildcard characters for the security product you are using. In the case of RACF®, this means avoiding the following wildcard characters: [*, %].
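
The naming rules above (subresource name versus RACF resource name, the 54-character IBMOPC limit for user fields, the characters to avoid, and the skipped check for user fields without a value) can be verified before profiles are defined. The following Python helper is an added example, not part of the product or its documentation; the function name, the subset of prefixes taken from Table 1, and the sample values are assumptions made for illustration.

```python
# Added example. PREFIXES is a subset of Table 1: subresource -> RACF name prefix.
PREFIXES = {
    "AD.ADNAME": "ADA", "AD.JOBNAME": "ADJ", "AD.UFVAL": "ADU",
    "CP.ADNAME": "CPA", "CP.JOBNAME": "CPJ", "CP.ZWSOPER": "CPZ",
    "CP.UFVAL": "CPU", "FT.WSNAME": "FTW", "JS.OWNER": "JSO",
}
IBMOPC_UFVAL_MAX = 54    # total length the page gives for the predefined IBMOPC class
WILDCARDS = "*%"         # RACF wildcard characters the page says to avoid


def racf_resource_name(subresource, *parts, max_len=IBMOPC_UFVAL_MAX):
    """Return (resource_name, problems) for one subresource check.

    parts is (name,) for most subresources and (field_name, field_value)
    for AD.UFVAL / CP.UFVAL. resource_name is None when no check is made.
    """
    prefix = PREFIXES[subresource]
    is_ufval = subresource.endswith(".UFVAL")
    if len(parts) != (2 if is_ufval else 1):
        raise ValueError(f"wrong number of name parts for {subresource}")
    if is_ufval and parts[1] == "":
        return None, []          # user field without a value: not checked
    name = ".".join((prefix,) + parts)
    problems = []
    if is_ufval and len(name) > max_len:
        problems.append(f"{len(name)} characters exceeds limit of {max_len}")
    if any(c in WILDCARDS for c in name):
        problems.append("contains a RACF wildcard character (* or %)")
    if " " in name:
        problems.append("contains an embedded blank")
    if not name.isascii():       # assumption: DBCS approximated as non-ASCII
        problems.append("contains non-ASCII (possibly DBCS) characters")
    return name, problems


if __name__ == "__main__":
    samples = [                  # constructed sample values
        ("CP.JOBNAME", "PAYROLL1"),
        ("AD.UFVAL", "COSTCTR", "FIN%"),
        ("CP.UFVAL", "OWNERDEPT", "X" * 50),
        ("AD.UFVAL", "COSTCTR", ""),
    ]
    for sub, *vals in samples:
        print(sub, vals, "->", racf_resource_name(sub, *vals))
```

Passing max_len=80 models a user-defined class created with MAXLNTH=80, as described above.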