How HCL Workload Automation for Z verifies access authority

To verify access authority, HCL Workload Automation for Z uses the RACROUTE macro. This macro provides a general-purpose interface to a security product through the system authorization facility (SAF). The security product can be RACF® or any other product that works with SAF. In this chapter, RACF® commands show how HCL Workload Automation for Z interfaces with a security product.

To verify a user's authority, HCL Workload Automation for Z uses the RACROUTE macro to invoke the SAF z/OS router, which conditionally directs control to RACF®, if present.

The RACROUTE options that HCL Workload Automation for Z uses invoke these RACF® functions:
RACINIT
Provides RACF® user identification and verification when HCL Workload Automation for Z services are requested. (HCL Workload Automation for Z does not have its own logon panel or user IDs.)
RACLIST
Builds in-storage profiles for resources defined by RACF®, which improve performance for resource authorization checking.
Note: Some security products do not support this function. If you are using such a product, RACLIST is effectively a no-operation.
RACHECK
Provides authorization checking when you request access to a RACF-protected resource, for example, when you access:
  • Data (such as the current plan)
  • A function (such as REFRESH)
For more information about resources that you can protect, see Functions and data that you can protect.
FRACHECK
Provides authorization checking in the HCL Workload Automation for Z subsystem.
Note: Security products that do not support RACLIST convert FRACHECK requests to the corresponding RACHECK requests. This could have a severe impact on the performance of some HCL Workload Automation for Z dialog functions.