Authorizing HCL Workload Automation for Z as a job submitter
Consider
the following resource classes when implementing
security for HCL Workload Automation for Z.
The examples assume that the RACF® user
for the HCL Workload Automation for Z address
space is OPCAPPL,
which is the name specified in the started-procedure table.
- JESJOBS
- If
your installation has activated the JESJOBS class, you must permit HCL Workload Automation for Z to
submit all jobs that are defined in the current plan. One way of doing
this is to permit HCL Workload Automation for Z to
submit all jobs. You can do this by:
- Defining the submit resource:
RDEFINE JESJOBS SUBMIT.*.*.* UACC(NONE) OWNER(OPCAPPL)
- Authorizing HCL Workload Automation for Z:
PERMIT SUBMIT.*.*.* CLASS(JESJOBS) ID(OPCAPPL) ACC(READ)
- Defining the submit resource:
- SURROGAT
- A surrogate job submission occurs when all the following conditions
are met:
- USER=xxxx is specified on the job card of the submitted job.
- The xxxx is not the same as the submitting (RACF®) user.
- No password is specified on the job card.
To permit HCL Workload Automation for Z to submit this job, perform the following steps:- Activate the surrogate class:
SETROPTS CLASSACT(SURROGAT)
- Define the submit resource:
RDEFINE SURROGAT APLUSER.SUBMIT UACC(NONE) OWNER(APLUSER)
- Authorize HCL Workload Automation for Z:
PERMIT APLUSER.SUBMIT CLASS(SURROGAT) ID(OPCAPPL) ACC(READ)
If the PRIVILEGED
or TRUSTED
attribute
is
set in the Started Procedure Table (SPT) entry, the HCL Workload Automation for Z is
authorized
to submit jobs under any user regardless of what is defined in the
resource rules.
For further information, see the RACF® Administrator's Guide.