Authorizing HCL Workload Automation for Z to issue JES commands

Consider the following resource classes when implementing security for HCL Workload Automation for Z. The examples assume that the RACF user for the HCL Workload Automation for Z address space is OPCAPPL, which is the name specified in the started-procedure table.

OPERCMDS
If the OPERCMDS class is active and you have specified HOLDJOB(YES) or HOLDJOB(USER) for an event writer in the EWTROPTS statement, the HCL Workload Automation for Z address space where the event writer is started must be authorized to issue the JES release command. One method is to permit HCL Workload Automation for Z to issue all JES commands.
To permit HCL Workload Automation for Z to issue JES commands on a JES2 system, perform the following steps:
  1. Define the resource:
     RDEFINE OPERCMDS JES2.* UACC(NONE)
  2. Authorize HCL Workload Automation for Z:
     PERMIT JES2.* CLASS(OPERCMDS) ID(OPCAPPL) ACC(UPDATE)
On a JES3 system, replace JES2.* with JES3.* in the example. Alternatively, you could specify the JES%.* resource name for either a JES2 or JES3 system.
If you use HCL Workload Automation for Z to schedule started tasks, the address space must be authorized to issue the z/OS start command. One way of doing this is to permit HCL Workload Automation for Z to issue all z/OS commands, as follows:
  1. Define the resource:
     RDEFINE OPERCMDS ZOS.* UACC(NONE)
  2. Authorize HCL Workload Automation for Z:
     PERMIT ZOS.* CLASS(OPERCMDS) ID(OPCAPPL) ACC(UPDATE)

Authority to use the z/OS start command is also required if you use Hiperbatch support for HCL Workload Automation for Z operations.

JESSPOOL
If the JESSPOOL class is active and you use the HCL Workload Automation for Z JCC function, you must authorize HCL Workload Automation for Z to access SYSOUT data sets for all jobs in the current plan. Also, the output collector and data store require the ALTER access for the JESSPOOL class. One way of doing this is to permit HCL Workload Automation for Z, output collector, and data store to access all SYSOUT data sets.
To access all SYSOUT data sets, perform the following steps on each system where the JCC, output collector, and data store are started:
  1. Define the resource:
     RDEFINE JESSPOOL *.* UACC(NONE)
  2. Authorize HCL Workload Automation for Z:
     PERMIT *.* CLASS(JESSPOOL) ID(OPCAPPL) ACC(ALTER)

If the PRIVILEGED or TRUSTED attribute is set in the Started Procedure Table (SPT) entry for HCL Workload Automation for Z, then the address space is authorized to issue any commands and to process spool data sets regardless of what is defined in the resource rules.

For further information, see the RACF® Security Administrator's Quick Reference.