Authorizing Tivoli Workload Scheduler for z/OS Data Store to issue JES commands

If your system has RACF® Version 1 Release 9 or later, and JES2 or JES3 Version 3 Release 1 Modification level 3 or later, consider the following resource classes when implementing security for Data Store. The examples assume that the RACF user for the Data Store address space is OPCDS, which is the name specified in the started-procedure table.

OPERCMDS
If the OPERCMDS class is active, the Data Store must be authorized to issue the JES command. One method is to allow the Data Store to issue all JES commands. To do this on a JES2 system, perform the following steps:
  1. Define the resource:
     RDEFINE OPERCMDS JES2.* UACC(NONE)
  2. Authorize Data Store:
     PERMIT JES2.* CLASS(OPERCMDS) ID(OPCDS) ACC(UPDATE)
On a JES3 system, replace JES2.* with JES3.* in the example. Alternatively, you could specify the JES%.* resource name for either a JES2 or JES3 system.

Authority to use the z/OS start command is also required if you use Hiperbatch support for Tivoli Workload Scheduler for z/OS operations.

JESSPOOL
If the JESSPOOL class is active, you must authorize the Data Store to access SYSOUT data sets for all jobs managed by the Data Store itself. One way of doing this is to permit the Data Store user to access all SYSOUT data sets. To do this, perform these steps on each system where the Data Store is started:
  1. Define the resource:
     RDEFINE JESSPOOL *.* UACC(NONE)
  2. Authorize Data Store:
     PERMIT *.* CLASS(JESSPOOL) ID(OPCDS) ACC(ALTER)

If the privileged or trusted attribute is set in the Started Procedure Table (SPT) entry for the Data Store, then the address space is authorized to issue any command and process spool data sets regardless of what is defined in the resource rules.
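
The following TSO/E command sequence is an added example, not part of the original documentation. It shows one way to make the RDEFINE and PERMIT changes above take effect and to confirm the resulting access lists on a JES2 system. It assumes that generic profile checking was already active for both classes when the profiles were defined and that OPERCMDS is RACLISTed at your installation.

```tso
/* Added example: check that OPERCMDS and JESSPOOL appear in the     */
/* active-class and generic-profile-class lists                      */
SETROPTS LIST

/* Refresh in-storage generic profiles for both classes so the new   */
/* JES2.* and *.* profiles are used                                  */
SETROPTS GENERIC(OPERCMDS JESSPOOL) REFRESH

/* Assumption: OPERCMDS is RACLISTed here, so its in-storage copy    */
/* must also be rebuilt                                              */
SETROPTS RACLIST(OPERCMDS) REFRESH

/* Expect UACC NONE and OPCDS with UPDATE in the access list         */
RLIST OPERCMDS JES2.* AUTHUSER

/* Expect UACC NONE and OPCDS with ALTER in the access list          */
RLIST JESSPOOL *.* AUTHUSER
```

Any user or group other than OPCDS that appears in either access list also holds that authority through these profiles, so review the complete RLIST output rather than only the OPCDS entry.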

See the RACF Administrator's Guide for detailed information.