Functions and data that you can protect

You can use fixed resources and subresources to protect Tivoli Workload Scheduler for z/OS functions and data. Fixed resources are always checked as part of the Tivoli Workload Scheduler for z/OS dialog. Subresources are checked only if they are defined in the AUTHDEF statement.

Table 26 describes all fixed resources and subresources. Use the table to determine which resources you should define to RACF®. You use Table 27 to determine what access is required to the defined resources for each user.

Note:

The subresource name and the RACF resource name are not the same. You specify the subresource name shown in column 2 on the SUBRESOURCES keyword of AUTHDEF to start subresource verification. The corresponding RACF resource name shown in column 3 must be defined in the general resource class used by Tivoli Workload Scheduler for z/OS, which is specified on the CLASS keyword of AUTHDEF.

|Table 26. Protected fixed resources and subresources
\|Fixed resource	\|Subresource	\|RACF resource \|name	\|Description
\| \| AD \|	\| \| \|AD.ADNAME \|AD.ADGDDEF \|AD.NAME \|AD.OWNER \|AD.GROUP \|AD.JOBNAME \|AD.SECELEM \|AD.UFVAL \|	\| \| AD \|ADA.name \|ADD.name \|ADN.name \|ADO.name \|ADG.name \|ADJ.name \|ADM.NAME \|ADU.field_name.field_value \|	\| \| Application-description file \|Application name \|Group-definition-ID name \|Operation extended name in application-description \|Owner ID \|Authority group ID \|Operation job name in application description \|Security element name \|User field name and value. \|
\|ADEP	\|	\|ADEP	\|Selecting all dependencies in the QCP dialog
\| \| CL \|	\| \| \|CL.CALNAME \|	\| \| CL \|CLC.name \|	\| \| Calendar data \|Calendar name \|
\| \| CP \|	\| \| \|CP.ADNAME \|CP.CPGDDEF \|CP.NAME \|CP.OWNER \|CP.GROUP \|CP.JOBNAME \|CP.WSNAME \|CP.ZWSOPER \|CP.SECELEM \|CP.UFVAL \|	\| \| CP \|CPA.name \|CPD.name \|CPN.name \|CPO.name \|CPG.name \|CPJ.name \|CPW.name \|CPZ.name \|CPM name \|CPU.field_name.field_value \|	\| \| Current-plan file \|Occurrence name \|Occurrence group-definition-ID \|Operation extended name \|Occurrence owner ID \|Occurrence authority-group ID \|Occurrence operation name \|Current plan workstation name \|Workstation name used by an operation \|Security element name \|Operation user field name and value. \|
\| \| ETT \|	\| \| \|ET.ETNAME \|ET.ADNAME \|	\| \| ETT \|ETE.name \|ETA.name \|	\| \| ETT dialog \|Name of triggering event \|Name of application to be added \|
\|HIST	\|	\|HIST	\|Retrieving history data with HIST command
\| \| \|JL\| \|	\| \| \|JLD.NAME \|JLM.NAME \|	\| \| JL \|JLD.name \|JLM.name \|	\| \| Job library data sets \|Job library dataset name \|JCL member name \|
\| \| JS \|	\| \| \|JS.ADNAME \|JS.OWNER \|JS.GROUP \|JS.JOBNAME \|JS.WSNAME \|	\| \| JS \|JSA.name \|JSO.name \|JSG.name \|JSJ.name \|JSW.name \|	\| \| JCL and job-library file \|Occurrence name \|Occurrence owner ID \|Occurrence authority group ID \|Occurrence operation name \|Current plan workstation name \|
\| \| JV \|	\| \| \|JV.OWNER \|JV.TABNAME \|	\| \| JV \|JVO.name \|JVT.name \|	\| \| JCL variable-definition file \|Owner ID of JCL-variable-definition table \|Name of JCL-variable table \|
\| \| LT \|	\| \| \|LT.ADNAME \|LT.LTGDDEF \|LT.OWNER \|	\| \| LT \|LTA.name \|LTD.name \|LTO.name \|	\| \| Long-term-plan file \|Occurrence name \|Occurrence group-definition ID \|Occurrence owner ID \|
\| \| OI \|	\| \| \|OI.ADNAME \|	\| \| OI \|OIA.name \|	\| \| Operator-instruction file \|Application name \|
\| \| PR \|	\| \| \|PR.PERNAME \|	\| \| PR \|PRP.name \|	\| \| Period data \|Period name \|
\| \| RL \|	\| \| \|RL.ADNAME \|RL.OWNER \|RL.GROUP \|RL.WSNAME \|RL.WSSTAT \|	\| \| RL \|RLA.name \|RLO.name \|RLG.name \|RLW.name \|RLX.name \|	\| \| Ready list data \|Occurrence name \|Occurrence owner ID \|Occurrence authority-group ID \|Current-plan workstation name \|Current-plan workstation changed by WSSTAT \|
\| \| RD \|	\| \| \|RD.RDNAME \|	\| \| RD \|RDR.name \|	\| \| Special resources file \|Special resource name \|
\| \| RP \|	\| \| \|RP.REPTYPE \|	\| \| RP \|RPT.reptype \|	\| \| Dynamic Workload Console reports \|Report type depending on the report you request: \| \| \| RUNHIST \| For job run history reports. \| \| RUNSTATS \| For job run statistics. \| \| WWR \| For workstation workload runtimes reports. \| \| WWS \| For workstation workload summary. \| \| SQL \| For reports obtained by customized SQL queries. \| \|
\| \| SR \|	\| \| \|SR.SRNAME \|	\| \| SR \|SRS.name \|	\| \| Special resources in the current plan \|Special resource name \|
\| \| WS \|	\| \| \|WS.WSNAME \|	\| \| WS \|WSW.name \|	\| \| Workstation data \|Workstation name in workstation database \|
\| \| ARC \|	\| \| \|	\| \| ARC \|	\| \| Activate/deactivate automatic recovery \|
\| \| BKP \|	\| \| \|	\| \| BKP \|	\| \| Request backup of a resource data set \|
\| \| BUL \|	\| \| \|	\| \| BUL \|	\| \| Initiate bulk discovery for the monitoring agent \|
\| \| CMAC \|	\| \| \|	\| \| CMAC \|	\| \| Dataset and Catalog Cleanup used by the Restart and \|Cleanup function. \|
\| \| CONT \|	\| \| \|	\| \| CONT \|	\| \| Refresh RACF subresources \|
\| \| ETAC \|	\| \| \|	\| \| ETAC \|	\| \| Activate/deactivate event-triggered tracking \|
\| \| EXEC \|	\| \| \|	\| \| EXEC \|	\| \| EX (execute) row command \|
\| \| JSUB \|	\| \| \|	\| \| JSUB \|	\| \| Activate/deactivate job submit \|
\| \| REFR \|	\| \| \|	\| \| REFR \|	\| \| Refresh LTP and delete CP \|
\| \| WSCL \|	\| \| \|	\| \| WSCL \|	\| \| All-workstations-closed data \|

As shown in Table 26, these items exist only as fixed resources:

Name: Protects
ADEP: The use of ALL DEP inquiry from EQQSOPGD panel in the Query Current Plan (QCP) dialog. To use this function, you need read or update authority to the ADEP fixed resource.
ARC: The ACTIVATE/DEACTIVATE automatic recovery function in the Tivoli Workload Scheduler for z/OS Service Functions dialog. To use this function, you need update authority to the ARC fixed resource.
BKP: The use of the BACKUP command. BACKUP lets you request a backup of the current plan data set or JCL repository data set. To use this command, you need to update access to the BKP fixed resource on the system where the command is issued.
BUL: The use of the BULKDISC command. BULKDISC allows you to initiate a bulk discovery. To use this command you need update access to the BUL fixed resource on the system where the command is issued.
CMAC: The Restart and Cleanup function in the Tivoli® Workload Scheduler for z/OS® panels. To use Step Restart, Job Restart and Start Cleanup update authority is needed to the CMAC fixed resource. No authority is required to CMAC for use of Display Cleanup.
CONT: The RACF RESOURCES function in the Tivoli Workload Scheduler for z/OS Service Functions dialog. This lets you activate subresources that are defined after Tivoli Workload Scheduler for z/OS started. To use this function, you need update authority to the CONT fixed resource.
ETAC: The ACTIVATE/DEACTIVATE ETT function in the Service Functions dialog. To use this function, you need update authority to the ETAC fixed resource.
EXEC: The use of the EX (execute) row command. You can issue this command from the Modify Current® Plan dialog and workstation ready lists, if you have update access to the EXEC fixed resource.
JSUB: The ACTIVATE/DEACTIVATE job submission function in the Tivoli Workload Scheduler for z/OS Service Functions dialog or TSO JSUACT command. To use this function, you need update authority to the JSUB fixed resource.
REFR: The REFRESH function (Delete current plan and reset long-term plan) in the Tivoli Workload Scheduler for z/OS Service Functions dialog. To use this function, you need update authority to the REFR fixed resource.
WSCL: The All Workstations Closed function of the Workstation Description dialog. To browse the list of time intervals when all workstations are closed, you need read authority to the WSCL fixed resource. To update the list, you need update authority to the WSCL fixed resource.

Attention: Ensure you restrict access to these fixed resources to users who require them. REFR is particularly important because this function deletes the current plan.

Notes® on fixed resources and subresources:

The AD.JOBNAME and CP.JOBNAME subresources protect only the JOBNAME field within an application or occurrence. You use these subresources to limit the job names to which the user has access during job setup and similar tasks. If you do not use these subresources, a dialog user might obtain greater authority by using Tivoli Workload Scheduler for z/OS to perform certain functions. For example, a user could submit an unauthorized job by adding an application to the current plan, changing the job name, and then letting Tivoli Workload Scheduler for z/OS submit the job.
For these subresources, only the ACCESS(UPDATE) level is meaningful.
The subresources AD.GROUP, CP.GROUP, JS.GROUP, and RL.GROUP are used to protect access to Tivoli Workload Scheduler for z/OS data based on the authority group ID and not application description groups.
The subresource data is passed to SAF without modifications. Your security product might have restrictions on which characters it allows. For example, RACF resource names cannot contain asterisks, embedded blanks, or DBCS characters.
The EQQ9RFDE member in the sample library updates the class-descriptor tables with a Tivoli Workload Scheduler for z/OS-specific class called OPCCLASS.
Use the CP.ZWSOPER subresource if you want to protect an operation based on the name of the workstation where the operation will be started. You must have update access to this subresource if you want to modify an operation. If you want to specify dependencies between operations, you must have update authority to both the predecessor and successor operations.
You can use the CP.ZWSOPER subresource to protect against updates to an operation in an occurrence or the unauthorized deletion or addition of an operation in an occurrence. This subresource is not used to protect the addition of an occurrence to the current plan or to protect an occurrence in the current plan that a user attempts to delete, set to waiting, or set to complete. When an occurrence is rerun, access authority is checked only for the particular operation that the rerun is started from.

The subresource CP.ZWSOPER is unlike the subresource CP.WSNAME, which protects workstations but does not protect against updates to operations.
When no current plan occurrence information is available, subresource protection for job setup and JCL editing tasks is based on information from the application description. For example, if you are adding an occurrence to the CP and you request JCL edit for an operation, subresource requests using owner ID or authority group ID are issued using the owner ID or authority group ID defined in the AD, because the CP occurrence does not yet exist. Similarly, when editing JCL in the LTP dialog, subresources are based on CP occurrence information, if the occurrence is in the CP. If the occurrence is not in the CP, subresource requests are issued using information from the AD.
The use the HIST (history) command from the Tivoli Workload Scheduler for z/OS panels, you need at least READ access to the HIST fixed resource.
|Security checks are not performed on user fields |for which there is no value specified.
|AD.UFVAL and CP.UFVAL subresources: |
- The AD.UFVAL and CP.UFVAL subresources are used to protect user |field names and values. If you specify these subresources in an AUTHDEF |statement using the predefined class, IBMOPC, note that the IBMOPC |profile supports user fields not longer than 54 characters. The 54 |characters is the sum of the characters that comprise the following |string: |
  - For the AD.UFVAL subresource: ADU.<field_name>.<field_value>
  - For the CP.UFVAL subresource: CPU.<field_name>.<field_value>
  Therefore, if you require protection for user fields longer than |54 characters, then you must manually create a new RACF profile, or use an existing profile you have |defined, that supports user fields with values longer than 54 characters. |For example, the profile could specify MAXLNTH=80 to ensure longer |user field names and values are supported.
- The characters permitted in the ADU.<field_name>.<field_value> |and CPU.<field_name>.<field_value> strings |depend on the security product you use through the system authorization |facility (SAF). The security product can be RACF or any other product that works with SAF. No |checks are performed to validate the characters used, so you must |be careful not to use characters than can cause unexpected results. |For example, avoid using characters that are considered wildcard characters |for the security product you are using. In the case of RACF, this means avoid using the |following wildcard characters: [*, %].

\|Fixed resource	\|Subresource	\|RACF resource \|name	\|Description
\| \| AD \|	\| \| \|AD.ADNAME \|AD.ADGDDEF \|AD.NAME \|AD.OWNER \|AD.GROUP \|AD.JOBNAME \|AD.SECELEM \|AD.UFVAL \|	\| \| AD \|ADA.name \|ADD.name \|ADN.name \|ADO.name \|ADG.name \|ADJ.name \|ADM.NAME \|ADU.field_name.field_value \|	\| \| Application-description file \|Application name \|Group-definition-ID name \|Operation extended name in application-description \|Owner ID \|Authority group ID \|Operation job name in application description \|Security element name \|User field name and value. \|
\|ADEP	\|	\|ADEP	\|Selecting all dependencies in the QCP dialog
\| \| CL \|	\| \| \|CL.CALNAME \|	\| \| CL \|CLC.name \|	\| \| Calendar data \|Calendar name \|
\| \| CP \|	\| \| \|CP.ADNAME \|CP.CPGDDEF \|CP.NAME \|CP.OWNER \|CP.GROUP \|CP.JOBNAME \|CP.WSNAME \|CP.ZWSOPER \|CP.SECELEM \|CP.UFVAL \|	\| \| CP \|CPA.name \|CPD.name \|CPN.name \|CPO.name \|CPG.name \|CPJ.name \|CPW.name \|CPZ.name \|CPM name \|CPU.field_name.field_value \|	\| \| Current-plan file \|Occurrence name \|Occurrence group-definition-ID \|Operation extended name \|Occurrence owner ID \|Occurrence authority-group ID \|Occurrence operation name \|Current plan workstation name \|Workstation name used by an operation \|Security element name \|Operation user field name and value. \|
\| \| ETT \|	\| \| \|ET.ETNAME \|ET.ADNAME \|	\| \| ETT \|ETE.name \|ETA.name \|	\| \| ETT dialog \|Name of triggering event \|Name of application to be added \|
\|HIST	\|	\|HIST	\|Retrieving history data with HIST command
\| \| \|JL\| \|	\| \| \|JLD.NAME \|JLM.NAME \|	\| \| JL \|JLD.name \|JLM.name \|	\| \| Job library data sets \|Job library dataset name \|JCL member name \|
\| \| JS \|	\| \| \|JS.ADNAME \|JS.OWNER \|JS.GROUP \|JS.JOBNAME \|JS.WSNAME \|	\| \| JS \|JSA.name \|JSO.name \|JSG.name \|JSJ.name \|JSW.name \|	\| \| JCL and job-library file \|Occurrence name \|Occurrence owner ID \|Occurrence authority group ID \|Occurrence operation name \|Current plan workstation name \|
\| \| JV \|	\| \| \|JV.OWNER \|JV.TABNAME \|	\| \| JV \|JVO.name \|JVT.name \|	\| \| JCL variable-definition file \|Owner ID of JCL-variable-definition table \|Name of JCL-variable table \|
\| \| LT \|	\| \| \|LT.ADNAME \|LT.LTGDDEF \|LT.OWNER \|	\| \| LT \|LTA.name \|LTD.name \|LTO.name \|	\| \| Long-term-plan file \|Occurrence name \|Occurrence group-definition ID \|Occurrence owner ID \|
\| \| OI \|	\| \| \|OI.ADNAME \|	\| \| OI \|OIA.name \|	\| \| Operator-instruction file \|Application name \|
\| \| PR \|	\| \| \|PR.PERNAME \|	\| \| PR \|PRP.name \|	\| \| Period data \|Period name \|
\| \| RL \|	\| \| \|RL.ADNAME \|RL.OWNER \|RL.GROUP \|RL.WSNAME \|RL.WSSTAT \|	\| \| RL \|RLA.name \|RLO.name \|RLG.name \|RLW.name \|RLX.name \|	\| \| Ready list data \|Occurrence name \|Occurrence owner ID \|Occurrence authority-group ID \|Current-plan workstation name \|Current-plan workstation changed by WSSTAT \|
\| \| RD \|	\| \| \|RD.RDNAME \|	\| \| RD \|RDR.name \|	\| \| Special resources file \|Special resource name \|
\| \| RP \|	\| \| \|RP.REPTYPE \|	\| \| RP \|RPT.reptype \|	\| \| Dynamic Workload Console reports \|Report type depending on the report you request: \| \| \| RUNHIST \| For job run history reports. \| \| RUNSTATS \| For job run statistics. \| \| WWR \| For workstation workload runtimes reports. \| \| WWS \| For workstation workload summary. \| \| SQL \| For reports obtained by customized SQL queries. \| \|
\| \| SR \|	\| \| \|SR.SRNAME \|	\| \| SR \|SRS.name \|	\| \| Special resources in the current plan \|Special resource name \|
\| \| WS \|	\| \| \|WS.WSNAME \|	\| \| WS \|WSW.name \|	\| \| Workstation data \|Workstation name in workstation database \|
\| \| ARC \|	\| \| \|	\| \| ARC \|	\| \| Activate/deactivate automatic recovery \|
\| \| BKP \|	\| \| \|	\| \| BKP \|	\| \| Request backup of a resource data set \|
\| \| BUL \|	\| \| \|	\| \| BUL \|	\| \| Initiate bulk discovery for the monitoring agent \|
\| \| CMAC \|	\| \| \|	\| \| CMAC \|	\| \| Dataset and Catalog Cleanup used by the Restart and \|Cleanup function. \|
\| \| CONT \|	\| \| \|	\| \| CONT \|	\| \| Refresh RACF subresources \|
\| \| ETAC \|	\| \| \|	\| \| ETAC \|	\| \| Activate/deactivate event-triggered tracking \|
\| \| EXEC \|	\| \| \|	\| \| EXEC \|	\| \| EX (execute) row command \|
\| \| JSUB \|	\| \| \|	\| \| JSUB \|	\| \| Activate/deactivate job submit \|
\| \| REFR \|	\| \| \|	\| \| REFR \|	\| \| Refresh LTP and delete CP \|
\| \| WSCL \|	\| \| \|	\| \| WSCL \|	\| \| All-workstations-closed data \|