Controlling access to resources
- An ISPF dialog session
- TSO commands
- The program interface (PIF)
- The application programming interface (API)
- Dynamic Workload Console
Any security software that interfaces with SAF also works with HCL Workload Automation for Z. For this section, the security product is assumed to be RACF®.
The z/OS router service calls RACF® to perform authority checks. It provides an installation exit that you can use instead of, or in addition to, RACF® to perform resource control functions.
Use the HCL Workload Automation for Z reserved resource class IBMOPC.
The default class for HCL Workload Automation for Z is OPCCLASS. If you use a different class name, you must specify it in the AUTHDEF statement. Generally, this means specifying CLASS(IBMOPC) in the AUTHDEF statement. If you are running more than one HCL Workload Automation for Z system, for example a test system and production system, you might want to define more than one RACF® class. By using different CLASS parameters in each AUTHDEF statement, you can specify a different authorization scheme for each system.
To control access to HCL Workload Automation for Z functions, give at least one TSO user-class authority to the resource class. This TSO user can then allow other HCL Workload Automation for Z users to access resources as needed.
/*Define subsystem resource*/
RDEFINE APPL OPCC UACC(NONE)
See RACF® Command Reference and RACF® Administrator's Guide if you are unfamiliar with this process.
When the subsystem name is defined to RACF®, you can give other TSO users access to HCL Workload Automation for Z. For example, to allow the TSO user OPCUGRP to access OPCC with an update access authority by default, enter:
/*Permit access to HCL Workload Automation for Z*/
PERMIT OPCC ID(OPCUGRP) ACCESS(UPDATE) CLASS(APPL)
- For dialog users, the TSO user ID.
- For PIF applications, the user ID defined in the security environment of the PIF job.