Controlling access to the Tivoli Workload Scheduler for z/OS subsystem

Specify the name of your host Tivoli Workload Scheduler for z/OS subsystem as a resource in the APPL class with default access NONE. You can effectively control access to Tivoli Workload Scheduler for z/OS dialog functions by allowing or denying users access to the subsystem resource. If the user runs any batch jobs that use the subsystem, these batch jobs are similarly restricted. For example, to permit only user group OPCUGRP access to subsystem OPCC, and to grant update authority, you enter:

 RDEFINE APPL OPCC  UACC(NONE)
 PERMIT OPCC ID(OPCUGRP) ACCESS(UPDATE) CLASS(APPL)

When a dialog user tries to access a subsystem (for example, OPCC), RACF® looks in the APPL class to see if this resource is defined. If the resource is defined and the access authority is read or update, the user can continue. If the resource is not defined, the dialog user has update access to all Tivoli Workload Scheduler for z/OS fixed resources.

Any TSO user with either read or update access to the subsystem resource in the RACF APPL class can enter the Tivoli Workload Scheduler for z/OS dialogs. By default, the user has the same access (read or update) to Tivoli Workload Scheduler for z/OS fixed resources.