How Tivoli Workload Scheduler for z/OS verifies access authority
To verify access authority, Tivoli Workload Scheduler for z/OS uses the RACROUTE macro. This macro provides a general-purpose interface to a security product through the system authorization facility (SAF). The security product can be RACF® or any other product that works with SAF. In this chapter, RACF commands show how Tivoli Workload Scheduler for z/OS interfaces with a security product.
To verify a user’s authority, Tivoli Workload Scheduler for z/OS uses the RACROUTE macro to invoke the SAF z/OS router. The router conditionally directs control to RACF, if present.
The RACROUTE options that Tivoli Workload Scheduler for z/OS uses invoke these RACF functions:
- RACINIT
  Provides RACF user identification and verification when Tivoli Workload Scheduler for z/OS services are requested. (Tivoli Workload Scheduler for z/OS does not have its own logon panel or user IDs.)
- RACLIST
  Builds in-storage profiles for resources defined by RACF, which improve performance for resource authorization checking.
  Note: Some security products do not support this function. If you are using such a product, RACLIST is effectively a no-operation.
- RACHECK
  Provides authorization checking when you request access to a RACF-protected resource, for example, when you access:
  - Data (such as the current plan)
  - A function (such as REFRESH)
- FRACHECK
  Provides authorization checking in the Tivoli Workload Scheduler for z/OS subsystem.
  Note: Security products that do not support RACLIST convert FRACHECK requests to the corresponding RACHECK request. This could have a severe impact on the performance of some IBM Tivoli Workload Scheduler for z/OS dialog functions.