How Tivoli Workload Scheduler for z/OS verifies access authority

To verify access authority, Tivoli Workload Scheduler for z/OS uses the RACROUTE macro. This macro provides a general-purpose interface to a security product through the system authorization facility (SAF). The security product can be RACF® or any other product that works with SAF. In this chapter, RACF commands show how Tivoli Workload Scheduler for z/OS interfaces with a security product.

To verify a user’s authority, Tivoli Workload Scheduler for z/OS uses the RACROUTE macro to invoke the SAF z/OS router. This conditionally directs control to RACF, if present.

The RACROUTE options that Tivoli Workload Scheduler for z/OS uses invoke these RACF functions:

RACINIT
Provides RACF user identification and verification when Tivoli Workload Scheduler for z/OS services are requested. (Tivoli Workload Scheduler for z/OS does not have its own logon panel or user IDs.)
RACLIST
Builds in-storage profiles for resources defined by RACF, which improve performance for resource authorization checking.
Note: Some security products do not support this function. If you are using such a product, RACLIST is effectively a no-operation.
RACHECK
Provides authorization checking when you request access to a RACF-protected resource, for example, when you access:
  • Data (such as the current plan)
  • A function (such as REFRESH)
For more information about resources that you can protect, see Functions and data that you can protect.
FRACHECK
Provides authorization checking in the Tivoli Workload Scheduler for z/OS subsystem.
Note: Security products that do not support RACLIST convert FRACHECK requests to the corresponding RACHECK requests. This could have a severe impact on the performance of some IBM Tivoli Workload Scheduler for z/OS dialog functions.
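
The two notes above can be made concrete with a small model. The following Python sketch is an added example, not IBM code: it imitates RACLIST, RACHECK and FRACHECK with hypothetical classes, and the user IDs, resource labels and request mix are constructed. It counts how many checks have to be resolved by the security product when RACLIST is, and is not, supported.

```python
# Simplified model, added for illustration (not IBM or RACF code).
# Class names, user IDs and resource labels are constructed assumptions.
ACCESS = {"NONE": 0, "READ": 1, "UPDATE": 2}   # subset of RACF access levels

PROFILES = {                                    # {resource: {user: access}}
    "CURRENT-PLAN": {"OPER1": "READ", "SCHED1": "UPDATE"},
    "REFRESH": {"SCHED1": "UPDATE"},
}
REQUESTS = [("OPER1", "CURRENT-PLAN", "READ"), ("OPER1", "CURRENT-PLAN", "UPDATE"),
            ("OPER1", "REFRESH", "UPDATE"), ("SCHED1", "REFRESH", "UPDATE")]

def allowed(profiles, user, resource, wanted):
    granted = profiles.get(resource, {}).get(user, "NONE")
    return ACCESS[granted] >= ACCESS[wanted]

class SecurityProduct:
    """Stands in for RACF or another product reached through SAF."""
    def __init__(self, profiles, supports_raclist):
        self._profiles = profiles
        self.supports_raclist = supports_raclist
        self.product_checks = 0                 # checks resolved by the product

    def raclist(self):
        # Build in-storage profiles; a no-operation if the product lacks RACLIST.
        if not self.supports_raclist:
            return None
        return {res: dict(users) for res, users in self._profiles.items()}

    def racheck(self, user, resource, wanted):
        self.product_checks += 1
        return allowed(self._profiles, user, resource, wanted)

class Subsystem:
    """Stands in for the scheduler subsystem issuing FRACHECK."""
    def __init__(self, product):
        self.product = product
        self.in_storage = product.raclist()

    def fracheck(self, user, resource, wanted):
        if self.in_storage is None:             # converted to a RACHECK request
            return self.product.racheck(user, resource, wanted)
        return allowed(self.in_storage, user, resource, wanted)

def run_dialog(supports_raclist, rounds=500):
    """Return (decisions for one round, number of checks the product resolved)."""
    product = SecurityProduct(PROFILES, supports_raclist)
    subsystem = Subsystem(product)
    decisions = []
    for _ in range(rounds):
        decisions = [subsystem.fracheck(*req) for req in REQUESTS]
    return decisions, product.product_checks

if __name__ == "__main__":
    print("RACLIST supported:  ", run_dialog(True))
    print("RACLIST unsupported:", run_dialog(False))
```

The access decisions are identical in both runs; only the number of checks that reach the security product changes, which is the performance effect the note describes.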