Mapping a Dynamic Workload Console user ID to a RACF user ID
For any operations performed through Dynamic Workload Console, make sure that the Dynamic Workload Console user ID is associated with a corresponding RACF® user ID. The RACF® user ID must have the permissions required to access the HCL Workload Automation for Z resources.
HCL Workload Automation for Z server uses the RACF® user ID to build the RACF® environment to enable the user to access HCL Workload Automation for Z services.
- Using the user-defined RACF class EQQADMIN, which creates a RACF user ID from the Dynamic Workload Console user ID that you use to the Z connector. For details, see Creating the EQQADMIN class to associate a RACF user ID.
- Using the RACF®-supplied and predefined resource class TMEADMIN. For details, see Creating the TMEADMIN class to associate a RACF user ID.
- Using a server initialization parameter (SERVOPTS USERMAP) to define a member in the file identified by the EQQPARM DD statement in the server startup job.
- HCL Workload Automation for Z checks
whether the resource class EQQADMIN is defined and enabled (meaning that you set
AUTOMAPPING
in the class). For details, see Creating the EQQADMIN class to associate a RACF user ID - If the EQQADMIN class is enabled, it is used to obtain the RACF user ID. If the class is not enabled, the SERVOPTS USERMAP parameter is used to obtain the RACF user ID.
- If the SERVOPTS USERMAP parameter is not set, the resource class TMEADMIN is used to obtain the RACF user ID.
- The name of the host in which the Z connector runs is
ROME1
. - The Z connector user
is named
ZCONN1
. - The Dynamic Workload Console user ID with
which you connect to the Z connector is
GRAPHUSR
.
GRAPHUSR
connects to the Z connector, this user ID is
authenticated on ROME1
. Also, ZCONN1
is authenticated on the Z
engine by providing the following credentials:
USER 'ZCONN1@domain' --> RACF ID (TSOuser)
where
TSOuser
is the TSO user ID with which the HCL Workload Automation for Z dialogs are run.When GRAPHUSR
performs an operation, the Z connector uses these credentials,
therefore it is required that both GRAPHUSR
and ZCONN1
are
associated with a RACF® user ID. The RACF® user ID associated with the Z connector user does not need to
have particular permissions to the HCL Workload Automation for Z resources, while the RACF® user ID associated with the console user needs the
permissions to perform the required operations.
The following table shows the relationship between the security products and security selections.
Security Product used | Solution | Prerequisite |
---|---|---|
Security Server (RACF®) | TMEADMIN | None (TMEADMIN class provided in z/OS® base). |
EQQADMIN | Define the RACF class EQQADMIN manually, either:
|
|
Other SAF-compliant | TMEADMIN | Manually define the resource class TMEADMIN, by using the EQQ9RFDE and EQQ9RF01 samples. |
EQQADMIN | Statically define the RACF class EQQADMIN. | |
All security products | ID mapping table |