A centralized security strategy

All Tivoli Workload Scheduler for z/OS users are gathered in one area. They have at least a working knowledge of all the major functions of Tivoli Workload Scheduler for z/OS. Because they share the same tasks, there is little need to divide authority.

The only outside Tivoli Workload Scheduler for z/OS users are at the printer pool, where operators report progress on a print ready list. Machine room operators do not have Tivoli Workload Scheduler for z/OS tasks; people in the Tivoli Workload Scheduler for z/OS area perform reruns and JCL corrections themselves.

These RACF® groups are defined:

Group

Contains

OPCGROUP

Most of the Tivoli Workload Scheduler for z/OS users.

OPCSPEC

The manager, the two group leaders, the system programmers responsible for Tivoli Workload Scheduler for z/OS, and their backups.

OPCPRINT

The users of the ready list at the printer pool.

External access to IBM Tivoli Workload Scheduler for z/OS

Update access to the Tivoli Workload Scheduler for z/OS data sets is given to OPCSPEC. This provides access outside Tivoli Workload Scheduler for z/OS so that the manager and group leaders can submit batch jobs that cause updates, such as daily-plan-extend. The system programmers can use non-Tivoli Workload Scheduler for z/OS programs to extract diagnostic information.

Access through the IBM Tivoli Workload Scheduler for z/OS subsystem

These authorization layers are defined:

1. Subsystem access: OPCSPEC and OPCGROUP are given update access in the APPL class, which lets them use all functions (fixed resources) in the Tivoli Workload Scheduler for z/OS dialog that are not specifically protected. OPCPRINT is given read access to the Tivoli Workload Scheduler for z/OS subsystem in the APPL class.
2. Critical functions: Some fixed resources, such as JSUB and REFR, represent functions that have a serious impact on Tivoli Workload Scheduler for z/OS operation, and can be turned on or off with a single keystroke. Access to these functions is restricted to OPCSPEC to reduce the risk of accidental errors:

    RDEFINE (OPCCLASS) ARC UACC(NONE)
    PERMIT ARC ID(OPCSPEC) ACCESS(UPDATE) CLASS(OPCCLASS)

   These steps are repeated for ETAC, JSUB, and REFR.

3. Data updated infrequently: Some Tivoli Workload Scheduler for z/OS data is updated infrequently, for example, the calendar database is typically updated only once each year, and workstation data even less often. These databases are used by most Tivoli Workload Scheduler for z/OS functions, so it is a good idea to restrict update access to them:

    RDEFINE (OPCCLASS) CL UACC(READ)
    PERMIT CL ID(OPCSPEC) ACCESS(UPDATE) CLASS(OPCCLASS)

   These steps are repeated for PR and WS.
4. Subresource protection: The only subresources are defined for the printer workstation. The OPCPRINT group already has read access to the resources in the APPL class. This lets printer-pool operators enter the functions of Tivoli Workload Scheduler for z/OS and browse the data. They must also be able to update the ready list at a printer workstation (but not at other workstations):
   1. The fixed resource RL is defined, and OPCPRINT, OPCGROUP, and OPCSPEC are given update access to it:

       RDEFINE (OPCCLASS) RL UACC(NONE)
       PERMIT RL ID(OPCSPEC) ACCESS(UPDATE) CLASS(OPCCLASS)
       PERMIT RL ID(OPCGROUP) ACCESS(UPDATE) CLASS(OPCCLASS)
       PERMIT RL ID(OPCPRINT) ACCESS(UPDATE) CLASS(OPCCLASS)

      This lets the printer-pool operators enter the Workstation Communication dialog without authority violations.

   2. The subresource RLW.* is defined. Both OPCGROUP and OPCSPEC are given update access; OPCPRINT is given only read access:

       RDEFINE (OPCCLASS) RLW.* UACC(NONE)
       PERMIT RLW.* ID(OPCSPEC) ACCESS(UPDATE) CLASS(OPCCLASS)
       PERMIT RLW.* ID(OPCGROUP) ACCESS(UPDATE) CLASS(OPCCLASS)
       PERMIT RLW.* ID(OPCPRINT) ACCESS(READ) CLASS(OPCCLASS)

      This becomes the default access for all workstations that are not explicitly defined with further subresource definitions.

   3. Finally, the subresource RLW.PRT is defined; PRT is the Tivoli Workload Scheduler for z/OS name of the workstation. OPCPRINT is given update access:

       RDEFINE (OPCCLASS) RLW.PRT UACC(NONE)
       PERMIT RLW.PRT ID(OPCSPEC) ACCESS(UPDATE) CLASS(OPCCLASS)
       PERMIT RLW.PRT ID(OPCGROUP) ACCESS(UPDATE) CLASS(OPCCLASS)
       PERMIT RLW.PRT ID(OPCPRINT) ACCESS(UPDATE) CLASS(OPCCLASS)

   OPCPRINT group members can now browse data in Tivoli Workload Scheduler for z/OS and update the ready list for the printer pool.