Authorizing HCL Workload Automation for Z to issue JES commands
Consider the following resource classes when implementing security for HCL Workload Automation for Z. The examples assume that the RACF user for the HCL Workload Automation for Z address space is OPCAPPL, which is the name specified in the started-procedure table.
- OPERCMDS
- If the OPERCMDS class is active and you have specified HOLDJOB(YES) or
HOLDJOB(USER) for an event writer in the EWTROPTS
statement, the HCL Workload Automation for Z
address space where the event writer is started must be authorized to issue the JES release
command. One method is to permit HCL Workload Automation for Z to issue all JES
commands. To permit HCL Workload Automation for Z to issue JES commands on a JES2 system, perform the following steps:On a JES3 system, replace JES2.* with JES3.* in the example. Alternatively, you could specify the JES%.* resource name for either a JES2 or JES3 system.
- Define the resource:
RDEFINE OPERCMDS JES2.* UACC(NONE)
- Authorize HCL Workload Automation for Z:
PERMIT JES2.* CLASS(OPERCMDS) ID(OPCAPPL) ACC(UPDATE)
If you use HCL Workload Automation for Z to schedule started tasks, the address space must be authorized to issue the z/OS start command. One way of doing this is to permit HCL Workload Automation for Z to issue all z/OS commands, as follows:- Define the resource:
RDEFINE OPERCMDS ZOS.* UACC(NONE)
- Authorize HCL Workload Automation for Z:
PERMIT ZOS.* CLASS(OPERCMDS) ID(OPCAPPL) ACC(UPDATE)
Authority to use the z/OS start command is also required if you use Hiperbatch™ support for HCL Workload Automation for Z operations.
- Define the resource:
- JESSPOOL
- If the JESSPOOL class is active and you use the HCL Workload Automation for Z JCC function, you must
authorize HCL Workload Automation for Z to
access SYSOUT data sets for all jobs in the current plan. Also, the output collector and data
store require the ALTER access for the JESSPOOL class. One way of doing this is to permit
HCL Workload Automation for Z, output
collector, and data store to access all SYSOUT data sets.To access all SYSOUT data sets, perform the following steps on each system where the JCC, output collector, and data store are started:
- Define the resource:
RDEFINE JESSPOOL *.* UACC(NONE)
- Authorize HCL Workload Automation for Z:
PERMIT *.* CLASS(JESSPOOL) ID(OPCAPPL) ACC(ALTER)
- Define the resource:
If the PRIVILEGED
or TRUSTED
attribute
is
set in the Started Procedure Table (SPT) entry for HCL Workload Automation for Z,
then
the address space is authorized to issue any commands and to process
spool data sets regardless of what is defined in the resource rules.
For further information, see the RACF® Security Administrator's Quick Reference.