AUTHDEF

Purpose

The AUTHDEF statement specifies the Tivoli Workload Scheduler for z/OS resources that are defined to a security product.

You can specify this statement for a controller, a standby controller, or a tracker.

AUTHDEF is defined in the member of the EQQPARM library as specified by the PARM parameter on the JCL EXEC statement.

Format

>>-AUTHDEF--+-------------------------------------+------------->
            |        .-OPCCLASS---------------.   |
            '-CLASS(-+-name of resource class-+-)-'

>--+--------------------------+--------------------------------->
   |              .-ALL---.   |
   '-LISTLOGGING(-+-FIRST-+-)-'
                  '-NONE--'

>--+------------------------------------+--+----------------+--><
   |               .-,--------------.   |  |        .-0-.   |
   |               V                |   |  '-TRACE(-+-4-+-)-'
   '-SUBRESOURCES(---+-AD.ADNAME--+-+-)-'           '-8-'
                     +-AD.ADGDDEF-+
                     +-AD.GROUP---+
                     +-AD.JOBNAME-+
                     +-AD.NAME----+
                     +-AD.OWNER---+
                     +-AD.SECELEM-+
                     +-AD.UFVAL---+
                     +-CL.CALNAME-+
                     +-CP.ADNAME--+
                     +-CP.CPGDDEF-+
                     +-CP.GROUP---+
                     +-CP.JOBNAME-+
                     +-CP.NAME----+
                     +-CP.OWNER---+
                     +-CP.SECELEM-+
                     +-CP.UFVAL---+
                     +-CP.WSNAME--+
                     +-CP.ZWSOPER-+
                     +-ET.ADNAME--+
                     +-ET.ETNAME--+
                     +-JL.DSNAME--+
                     +-JL.MEMBER--+
                     +-JS.ADNAME--+
                     +-JS.GROUP---+
                     +-JS.JOBNAME-+
                     +-JS.OWNER---+
                     +-JS.WSNAME--+
                     +-JV.OWNER---+
                     +-JV.TABNAME-+
                     +-LT.ADNAME--+
                     +-LT.LTGDDEF-+
                     +-LT.OWNER---+
                     +-OI.ADNAME--+
                     +-PR.PERNAME-+
                     +-RD.RDNAME--+
                     +-RL.ADNAME--+
                     +-RL.GROUP---+
                     +-RL.OWNER---+
                     +-RL.WSNAME--+
                     +-RL.WSSTAT--+
                     +-SR.SRNAME--+
                     '-WS.WSNAME--'

Parameters

CLASS(name of resource class|OPCCLASS)
Defines the name of the security resource class that protects Tivoli Workload Scheduler for z/OS resources. The value is valid until you specify a different value and restart the Tivoli Workload Scheduler for z/OS address space.

Consider the following checklist when using this parameter:

  • The resource class must be defined in the RACF® class descriptor and routing tables.
  • New definitions in the RACF class descriptor and routing tables require an IPL.
  • If multiple controller subsystems require separate policies, they require separate classes.
  • IBMOPC is a predefined class that you can use with no need for an IPL if only one class is required.
  • After a RACF migration, consider redefining any class you defined in a previous version of RACF.
  • The default class OPCCLASS is not already defined in RACF. Before using this class, make sure there are the necessary entries in the RACF class descriptor and routing tables.

LISTLOGGING(FIRST|NONE|ALL)
In the resource profile, you define how data is logged for accesses to a resource. If you restrict access to Tivoli Workload Scheduler for z/OS data on the record level by specifying subresources, a request to list Tivoli Workload Scheduler for z/OS data can result in several access violations being recorded for those records that satisfy the filter criteria but to which the user is not permitted access. LISTLOGGING lets you alter the amount of data that is logged for list requests.

Specify FIRST when logging should be performed only for the first read attempt to a resource. Logging then occurs only for the first entry that has a profile specifying that logging should occur. Specify NONE if no logging should be performed. Specify ALL if logging should be performed as specified in the profile for the resource. ALL is the default value.

SUBRESOURCES(resource,...,resource)
Defines whether Tivoli Workload Scheduler for z/OS checks on the record level if a user is authorized to access information in a Tivoli Workload Scheduler for z/OS VSAM file. The list of resources can contain one or more of the items shown in the syntax diagram.

Whenever a user accesses a record, for example in the AD file, Tivoli Workload Scheduler for z/OS checks if the user is authorized to access the record in the manner intended. To do this, a resource name is generated, and a request is sent through SAF (system authorization facility) to the security system to test the user authority. For example, if you specify AD.ADNAME, the application name is retrieved from the record, and the prefix ADA. is added to create the resource name. The security system is then called to test if this resource exists in the resource class defined by the CLASS keyword and if the user is authorized to access it. The default resource list for the SUBRESOURCES keyword is the empty list. This means that the default is to use already established authority and not to check the user authority to access individual VSAM records.

Note:
If you have specified OPCHOST(NO) in the OPCOPTS statement, only the RL.WSNAME, RL.WSSTAT, and SR.SRNAME subresources are relevant. AD.SECELEM and CP.SECELEM are relevant only if you run System Automation version 3.1 (with the appropriate maintenance level installed), or later. When set, they protect the whole System Automation information in the AD segment and CP33 record, respectively.
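
The following added example is a simplified Python model, not IBM code and not part of the original documentation. It shows how the AD.ADNAME resource name is built and how LISTLOGGING changes the number of violations logged for one list request. The profiles, user IDs, application names and the fnmatch-based generic matching are constructed assumptions, and only violation logging is modelled.

```python
from fnmatch import fnmatchcase

# Constructed sample data: profiles in the class named by CLASS(), keyed by
# resource name. "audit" = the profile asks for violations to be logged.
PROFILES = {
    "ADA.PAY*": {"permit": {"PAYUSR1"}, "audit": True},
    "ADA.HR*":  {"permit": {"HRUSR1"},  "audit": True},
    "ADA.LAB*": {"permit": {"HRUSR1"},  "audit": False},
}
# Constructed application names returned by one list request, in order.
AD_RECORDS = ["LABTEST", "PAYDAILY", "HRONBOARD", "HRREVIEW", "HRPAYOUT"]

def resource_name(adname):
    """AD.ADNAME: application name from the record, prefixed with ADA."""
    return "ADA." + adname

def find_profile(resource):
    """Longest matching profile; fnmatch only approximates RACF generics."""
    hits = [p for p in PROFILES if fnmatchcase(resource, p)]
    return max(hits, key=len) if hits else None

def list_request(user, records, listlogging="ALL"):
    """Return (records the user may see, violations logged) for one list."""
    if listlogging not in ("ALL", "FIRST", "NONE"):
        raise ValueError(f"invalid LISTLOGGING value: {listlogging}")
    shown, logged = [], []
    for adname in records:
        resource = resource_name(adname)
        profile = find_profile(resource)
        # Model assumption: a record with no covering profile is not restricted.
        if profile is None or user in PROFILES[profile]["permit"]:
            shown.append(adname)
            continue
        # Violation: the record matched the filter but the user is not permitted.
        if not PROFILES[profile]["audit"] or listlogging == "NONE":
            continue
        if listlogging == "ALL" or not logged:  # FIRST: only the first one
            logged.append(resource)
    return shown, logged

if __name__ == "__main__":
    for mode in ("ALL", "FIRST", "NONE"):
        shown, logged = list_request("PAYUSR1", AD_RECORDS, mode)
        print(f"LISTLOGGING({mode}): shown={shown} logged={logged}")
```

In this model, FIRST and NONE hide how many records a single list request was denied, so any monitoring that counts violations per user has to take the LISTLOGGING setting into account.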

TRACE(4|8|0)
Defines if Tivoli Workload Scheduler for z/OS writes trace information to the message log (EQQMLOG) each time the RACROUTE macro is invoked. Specify 0, which is the default value, if you do not want trace information. Specify 4 if you want partial trace information. Specify 8 if you want full trace information.

Examples

 AUTHDEF CLASS(OPCCLASS)                     1 
         SUBRESOURCES(AD.ADNAME,WS.WSNAME)   2 

In this example of an AUTHDEF statement:

 1  The default resource class is used.
 2  Tivoli Workload Scheduler for z/OS will verify authorization for application descriptions (by checking the application name) and workstations (by checking the workstation name).