Controlling access to resources

Before IBM Z Workload Scheduler performs any request initiated by a user, a security verification check is passed to the system authorization facility (SAF) to ensure that the user is authorized to access all resources needed to run the request. A user can request IBM Z Workload Scheduler services from:
  • An ISPF dialog session
  • TSO commands
  • The program interface (PIF)
  • The application programming interface (API)
  • Dynamic Workload Console

Any security software that interfaces with SAF also works with IBM Z Workload Scheduler. For this section, the security product is assumed to be RACF®.

The z/OS router service calls RACF® to perform authority checks. It provides an installation exit that you can use instead of, or in addition to, RACF® to perform resource control functions.

Use the IBM Z Workload Scheduler reserved resource class IBMOPC.

The default class for IBM Z Workload Scheduler is OPCCLASS. If you use a different class name, you must specify it in the AUTHDEF statement. Generally, this means specifying CLASS(IBMOPC) in the AUTHDEF statement. If you are running more than one IBM Z Workload Scheduler system, for example a test system and a production system, you might want to define more than one RACF® class. By using different CLASS parameters in each AUTHDEF statement, you can specify a different authorization scheme for each system.

To control access to IBM Z Workload Scheduler functions, give at least one TSO user class authority to the resource class. This TSO user can then allow other IBM Z Workload Scheduler users to access resources as needed.

IBM Z Workload Scheduler also uses the APPL resource class. Define the subsystem name as a resource in the APPL class. The easiest way to do this is to have the RACF® administrator give one TSO user class authority to the APPL resource class. This TSO user defines the subsystem name (for example, OPCC) to the APPL resource class by entering:

/*Define subsystem resource*/
RDEFINE APPL OPCC UACC(NONE)

See RACF® Command Reference and RACF® Administrator's Guide if you are unfamiliar with this process.

When the subsystem name is defined to RACF®, you can give other TSO users access to IBM Z Workload Scheduler. For example, to allow the TSO user OPCUGRP to access OPCC with an update access authority by default, enter:

/*Permit access to IBM Z Workload Scheduler*/
PERMIT OPCC ID(OPCUGRP) ACCESS(UPDATE) CLASS(APPL)
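
The APPL-class setup described above, collected into one TSO command sequence with activation and verification steps. This is an added example, not part of the original documentation; ADMIN1 is a placeholder user ID, and the SETROPTS steps assume that APPL is not yet active, or is RACLISTed, at your installation.

```clist
/* Added example. ADMIN1 is a placeholder for the delegated TSO user. */

/* RACF administrator: give ADMIN1 class authority for APPL           */
ALTUSER ADMIN1 CLAUTH(APPL)

/* RACF administrator: activate APPL if it is not already active      */
SETROPTS CLASSACT(APPL)

/* ADMIN1: define the subsystem name with no default access           */
RDEFINE APPL OPCC UACC(NONE)

/* ADMIN1: permit the scheduler users                                 */
PERMIT OPCC CLASS(APPL) ID(OPCUGRP) ACCESS(UPDATE)

/* Only if APPL is RACLISTed: refresh the in-storage profiles         */
SETROPTS RACLIST(APPL) REFRESH

/* Verify: UACC should be NONE and the access list should hold only   */
/* the intended IDs                                                   */
RLIST APPL OPCC AUTHUSER
```

Because the profile is defined with UACC(NONE), the access list shown by RLIST is the complete set of IDs that pass the APPL check for OPCC.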

For remote dialog users and remotely run PIF applications, the server does the authority checking: it checks both the APPL class subsystem name resource and the scheduler fixed resources. The user for which the server does authority checking is:
  • For dialog users, the TSO user ID.
  • For PIF applications, the user ID defined in the security environment of the PIF job.