Controlling access to Tivoli Workload Scheduler for z/OS fixed resources
You will probably want to place more restrictions on access to resources. For example, one user might need update access to the JCL and job library file but need only read access to calendar data. You achieve this level of control by specifying Tivoli Workload Scheduler for z/OS fixed resources in a general resource class used by Tivoli Workload Scheduler for z/OS. RACF® provides a IBM® reserved resource class, IBMOPC. For a checklist about using RACF classes, refer to CLASS parameter description in AUTHDEF.
Table 26 shows the fixed resources that you can protect.
When you define the resource names of the Tivoli Workload Scheduler for z/OS fixed resources you want to protect, you grant a level of access to users. These access levels are meaningful:
- ACCESS(NONE)
- ACCESS(READ)
- ACCESS(UPDATE)
ACCESS(ALTER) has no code support in IBM Tivoli Workload Scheduler for z/OS for either fixed resources or subresources. ALTER gives the same level of access as UPDATE.
If you change a user’s access level or remove the user’s profile entirely, the change does not take effect until the user exits the IBM Tivoli Workload Scheduler for z/OS dialog and tries to enter it again. Remember that the default access to IBM Tivoli Workload Scheduler for z/OS fixed resources is determined by the user’s level of access to the IBM Tivoli Workload Scheduler for z/OS subsystem.
RACF does not check for a RACF class until that class is activated. You can activate a class by using the ACTIVATE parameter of the SETROPTS command.