Controlling access to Tivoli Workload Scheduler for z/OS fixed resources

You will probably want to place more restrictions on access to resources. For example, one user might need update access to the JCL and job library file but need only read access to calendar data. You achieve this level of control by specifying Tivoli Workload Scheduler for z/OS fixed resources in a general resource class used by Tivoli Workload Scheduler for z/OS. RACF® provides a IBM® reserved resource class, IBMOPC. For a checklist about using RACF classes, refer to CLASS parameter description in AUTHDEF.

Note:

Preventing a user from accessing a data set might not prevent the user from updating the data within the data set. When using Tivoli Workload Scheduler for z/OS dialogs, users access Tivoli Workload Scheduler for z/OS data through the Tivoli Workload Scheduler for z/OS subsystem with the subsystem level of access.

Table 26 shows the fixed resources that you can protect.

When you define the resource names of the Tivoli Workload Scheduler for z/OS fixed resources you want to protect, you grant a level of access to users. These access levels are meaningful:

ACCESS(NONE)
ACCESS(READ)
ACCESS(UPDATE)

ACCESS(ALTER) has no code support in IBM Tivoli Workload Scheduler for z/OS for either fixed resources or subresources. ALTER gives the same level of access as UPDATE.

If you change a user’s access level or remove the user’s profile entirely, the change does not take effect until the user exits the IBM Tivoli Workload Scheduler for z/OS dialog and tries to enter it again. Remember that the default access to IBM Tivoli Workload Scheduler for z/OS fixed resources is determined by the user’s level of access to the IBM Tivoli Workload Scheduler for z/OS subsystem.

RACF does not check for a RACF class until that class is activated. You can activate a class by using the ACTIVATE parameter of the SETROPTS command.