A centralized security strategy
All Tivoli Workload Scheduler for z/OS users are gathered in one area. They have at least a working knowledge of all the major functions of Tivoli Workload Scheduler for z/OS. Because they share the same tasks, there is little need to divide authority.
The only outside Tivoli Workload Scheduler for z/OS users are at the printer pool, where operators report progress on a print ready list. Machine room operators do not have Tivoli Workload Scheduler for z/OS tasks; people in the Tivoli Workload Scheduler for z/OS area perform reruns and JCL corrections themselves.
These RACF® groups are defined:
- OPCGROUP: most of the Tivoli Workload Scheduler for z/OS users.
- OPCSPEC: the manager, the two group leaders, the system programmers responsible for Tivoli Workload Scheduler for z/OS, and their backups.
- OPCPRINT: the users of the ready list at the printer pool.
External access to IBM Tivoli Workload Scheduler for z/OS
Update access to the Tivoli Workload Scheduler for z/OS data sets is given to OPCSPEC. This provides access outside Tivoli Workload Scheduler for z/OS so that the manager and group leaders can submit batch jobs that cause updates, such as daily-plan-extend. The system programmers can use non-Tivoli Workload Scheduler for z/OS programs to extract diagnostic information.
Access through the IBM Tivoli Workload Scheduler for z/OS subsystem
These authorization layers are defined:
- Subsystem access: OPCSPEC and OPCGROUP are given update access in the APPL class, which lets them use all functions (fixed resources) in the Tivoli Workload Scheduler for z/OS dialog that are not specifically protected. OPCPRINT is given read access to the Tivoli Workload Scheduler for z/OS subsystem in the APPL class.
- Critical functions: Some fixed resources, such as JSUB and REFR, represent functions that have a serious impact on Tivoli Workload Scheduler for z/OS operation, and can be turned on or off with a single keystroke. Access to these functions is restricted to OPCSPEC to reduce the risk of accidental errors:
    RDEFINE (OPCCLASS) ARC UACC(NONE)
    PERMIT ARC ID(OPCSPEC) ACCESS(UPDATE) CLASS(OPCCLASS)
  These steps are repeated for ETAC, JSUB, and REFR.
- Data updated infrequently: Some Tivoli Workload Scheduler for z/OS data is updated infrequently; for example, the calendar database is typically updated only once each year, and workstation data even less often. These databases are used by most Tivoli Workload Scheduler for z/OS functions, so it is a good idea to restrict update access to them while leaving read access open:
    RDEFINE (OPCCLASS) CL UACC(READ)
    PERMIT CL ID(OPCSPEC) ACCESS(UPDATE) CLASS(OPCCLASS)
  These steps are repeated for PR and WS.
- Subresource protection: The only subresources defined are for the printer workstation. The OPCPRINT group already has read access to the subsystem in the APPL class. This lets printer-pool operators enter the functions of Tivoli Workload Scheduler for z/OS and browse the data. They must also be able to update the ready list at the printer workstation (but not at other workstations):
- The fixed resource RL is defined, and OPCPRINT, OPCGROUP, and OPCSPEC are given update access to it:
    RDEFINE (OPCCLASS) RL UACC(NONE)
    PERMIT RL ID(OPCSPEC) ACCESS(UPDATE) CLASS(OPCCLASS)
    PERMIT RL ID(OPCGROUP) ACCESS(UPDATE) CLASS(OPCCLASS)
    PERMIT RL ID(OPCPRINT) ACCESS(UPDATE) CLASS(OPCCLASS)
This lets the printer-pool operators enter the Workstation Communication dialog without authority violations.
- The subresource RLW.* is defined. Both OPCGROUP and OPCSPEC are given update access; OPCPRINT is given only read access:
    RDEFINE (OPCCLASS) RLW.* UACC(NONE)
    PERMIT RLW.* ID(OPCSPEC) ACCESS(UPDATE) CLASS(OPCCLASS)
    PERMIT RLW.* ID(OPCGROUP) ACCESS(UPDATE) CLASS(OPCCLASS)
    PERMIT RLW.* ID(OPCPRINT) ACCESS(READ) CLASS(OPCCLASS)
This becomes the default access for all workstations that are not explicitly defined with further subresource definitions.
- Finally, the subresource RLW.PRT is defined; PRT is the Tivoli Workload Scheduler for z/OS name of the printer workstation. OPCPRINT is given update access to this one workstation:
    RDEFINE (OPCCLASS) RLW.PRT UACC(NONE)
    PERMIT RLW.PRT ID(OPCSPEC) ACCESS(UPDATE) CLASS(OPCCLASS)
    PERMIT RLW.PRT ID(OPCGROUP) ACCESS(UPDATE) CLASS(OPCCLASS)
    PERMIT RLW.PRT ID(OPCPRINT) ACCESS(UPDATE) CLASS(OPCCLASS)
OPCPRINT group members can now browse data in Tivoli Workload Scheduler for z/OS and update the ready list for the printer pool.
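The layered scheme above (APPL subsystem check, then the fixed resource, then the subresource, with the most specific RACF profile winning) is easy to get subtly wrong, for instance by forgetting that the generic RLW.* profile also answers for RLW.PRT unless a discrete profile exists. The following Python model is an added example, not IBM code and not part of the original page: it replays the RDEFINE/PERMIT sequence into a small stand-in for RACF and checks the resulting decisions against the intended access matrix before anything is issued on the real system. The subsystem name OPCA, the workstation CPU1, and the user IDs MANAGER, SCHED1, PRINT1 and OUTSIDE are assumptions constructed for the example; generic-profile matching is fnmatch-style, a simplification of RACF's rules, and a missing APPL profile is treated as deny, which is a conservative assumption rather than documented behaviour.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

LEVEL = {"NONE": 0, "READ": 1, "UPDATE": 2}
# Access each group gets where the text grants UPDATE to OPCSPEC/OPCGROUP and READ to OPCPRINT.
ROLES = (("OPCSPEC", "UPDATE"), ("OPCGROUP", "UPDATE"), ("OPCPRINT", "READ"))


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)  # group -> access keyword


class RacfModel:
    """Just enough RACF to answer: what access does this user have to this resource?"""

    def __init__(self):
        self.profiles = {}  # class -> {profile name -> Profile}
        self.groups = {}    # user -> set of connected groups

    def rdefine(self, cls, name, uacc="NONE"):
        self.profiles.setdefault(cls, {})[name] = Profile(name, uacc)

    def permit(self, cls, name, group, access):
        self.profiles[cls][name].acl[group] = access

    def connect(self, user, group):
        self.groups.setdefault(user, set()).add(group)

    def best_profile(self, cls, resource):
        # Most specific match wins: the discrete RLW.PRT beats the generic RLW.*.
        # Generic matching is fnmatch-style here, a simplification of RACF's rules (assumption).
        matches = [p for p in self.profiles.get(cls, {}).values()
                   if p.name == resource or fnmatchcase(resource, p.name)]
        if not matches:
            return None
        return max(matches, key=lambda p: (p.name == resource, len(p.name)))

    def access(self, user, cls, resource):
        """Numeric access level, or None when no profile protects the resource."""
        p = self.best_profile(cls, resource)
        if p is None:
            return None
        # An access-list entry for one of the user's groups overrides UACC; the highest entry wins.
        hits = [LEVEL[a] for g, a in p.acl.items() if g in self.groups.get(user, ())]
        return max(hits) if hits else LEVEL[p.uacc]


def may(racf, user, subsystem, fixed, sub=None, need="READ"):
    """Layered decision: APPL first (READ is enough to enter; no APPL profile is treated as
    deny, an assumption), then the fixed resource, then the subresource if the function
    names one. A resource with no profile is not specifically protected, so it is usable."""
    appl = racf.access(user, "APPL", subsystem)
    if appl is None or appl < LEVEL["READ"]:
        return False
    for res in ([fixed] if sub is None else [fixed, sub]):
        lvl = racf.access(user, "OPCCLASS", res)
        if lvl is not None and lvl < LEVEL[need]:
            return False
    return True


def build_policy():
    """Replays the RDEFINE/PERMIT sequence from the text into the model."""
    r = RacfModel()
    for user, group in (("MANAGER", "OPCSPEC"), ("SCHED1", "OPCGROUP"), ("PRINT1", "OPCPRINT")):
        r.connect(user, group)  # sample members, constructed for the example
    r.rdefine("APPL", "OPCA")  # subsystem name OPCA is an assumption
    for group, acc in ROLES:
        r.permit("APPL", "OPCA", group, acc)
    for res in ("ARC", "ETAC", "JSUB", "REFR"):  # critical functions: OPCSPEC only
        r.rdefine("OPCCLASS", res, "NONE")
        r.permit("OPCCLASS", res, "OPCSPEC", "UPDATE")
    for res in ("CL", "PR", "WS"):  # infrequently updated data: everyone reads, OPCSPEC updates
        r.rdefine("OPCCLASS", res, "READ")
        r.permit("OPCCLASS", res, "OPCSPEC", "UPDATE")
    for res in ("RL", "RLW.PRT"):  # ready-list function, and the printer workstation's list
        r.rdefine("OPCCLASS", res, "NONE")
        for group, _ in ROLES:
            r.permit("OPCCLASS", res, group, "UPDATE")
    r.rdefine("OPCCLASS", "RLW.*", "NONE")  # default for every other workstation
    for group, acc in ROLES:
        r.permit("OPCCLASS", "RLW.*", group, acc)
    return r


# Intended matrix: (user, fixed resource, subresource, access needed, allowed?). CPU1 is invented.
EXPECTED = [
    ("PRINT1", "RL", "RLW.PRT", "UPDATE", True),    # printer pool updates its own ready list
    ("PRINT1", "RL", "RLW.CPU1", "UPDATE", False),  # but not another workstation's
    ("PRINT1", "RL", "RLW.CPU1", "READ", True),     # browsing is still allowed
    ("SCHED1", "RL", "RLW.CPU1", "UPDATE", True),
    ("SCHED1", "JSUB", None, "UPDATE", False),      # critical function: OPCSPEC only
    ("MANAGER", "JSUB", None, "UPDATE", True),
    ("SCHED1", "CL", None, "UPDATE", False),        # UACC(READ): read yes, update no
    ("OUTSIDE", "CL", None, "READ", False),         # no APPL access: cannot enter at all
]


def mismatches(racf=None):
    """Rows of EXPECTED whose decision differs from the policy; an empty list means it matches."""
    racf = racf or build_policy()
    return [row for row in EXPECTED if may(racf, row[0], "OPCA", row[1], row[2], row[3]) != row[4]]
```

Running `mismatches()` on the policy as written returns an empty list. The useful part of the exercise is editing `build_policy()` to mirror a proposed change, such as dropping the discrete RLW.PRT profile, and seeing which rows of the matrix flip: without RLW.PRT, the generic RLW.* answers for the printer workstation and PRINT1 loses update access to its own ready list.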