Authorizing Tivoli Workload Scheduler for z/OS Data Store to issue JES commands
If your system has RACF® Version 1 Release 9 or later, and JES2 or JES3 Version 3 Release 1 Modification level 3 or later, consider the following resource classes when implementing security for Data Store. The examples assume that the RACF user for the Data Store address space is OPCDS, which is the name specified in the started-procedure table.
- OPERCMDS
  - If the OPERCMDS class is active, the Data Store must be authorized to issue the JES command. One method is to allow the Data Store to issue all JES commands. To do this on a JES system, perform the following steps:
    - Define the resource:
      RDEFINE OPERCMDS JES2.* UACC(NONE)
    - Authorize Data Store:
      PERMIT JES2.* CLASS(OPERCMDS) ID(OPCDS) ACC(UPDATE)
  - Authority to use the z/OS start command is also required if you use Hiperbatch support for Tivoli Workload Scheduler for z/OS operations.
- JESSPOOL
  - If the JESSPOOL class is active, you must authorize the Data Store to access SYSOUT data sets for all jobs managed by the Data Store itself. One way of doing this is to permit the Data Store user to access all SYSOUT data sets. To do this, perform these steps on each system where the Data Store is started:
    - Define the resource:
      RDEFINE JESSPOOL *.* UACC(NONE)
    - Authorize Data Store:
      PERMIT *.* CLASS(JESSPOOL) ID(OPCDS) ACC(ALTER)
If the privileged or trusted attribute is set to in the Started Procedure Table (SPT) entry for the Data Store, then the address space is authorized to issue any command and process spool data sets regardless of what is defined in the resource rules.
See the RACF Administrator's Guide for detailed information.
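The following REXX exec is an added example, not IBM-supplied code. After the RDEFINE and PERMIT steps above, it refreshes the two classes and confirms from RLIST output that OPCDS holds the access that was granted. It assumes OPERCMDS is RACLISTed and JESSPOOL uses generic profiles that are not RACLISTed, that the caller is allowed to issue SETROPTS and to list the access lists, and that each access list entry starts with the user ID followed by the access level.

```rexx
/* REXX - added example, not part of the product documentation.       */
/* Refreshes the classes, then checks that the Data Store user is on  */
/* the access list of each profile with the access granted above.     */
dsuser   = 'OPCDS'               /* Data Store user ID used on page    */
checks.0 = 2
checks.1 = 'OPERCMDS JES2.* UPDATE'   /* class, profile, access       */
checks.2 = 'JESSPOOL *.* ALTER'

/* Assumption: OPERCMDS is RACLISTed, so in-storage profiles must be  */
/* refreshed before the new PERMIT takes effect.                      */
address tso "SETROPTS RACLIST(OPERCMDS) REFRESH"
/* Assumption: JESSPOOL is not RACLISTed; refresh its generic         */
/* profiles. Use RACLIST(JESSPOOL) REFRESH instead if it is.          */
address tso "SETROPTS GENERIC(JESSPOOL) REFRESH"

failed = 0
do i = 1 to checks.0
  parse var checks.i class profile access
  x = outtrap('out.')            /* capture RLIST output in out. stem  */
  address tso "RLIST" class profile "AUTHUSER"
  listrc = rc
  x = outtrap('OFF')
  if listrc <> 0 then do
    say class profile': RLIST failed, RC='listrc
    failed = failed + 1
    iterate
  end
  found = 0
  do j = 1 to out.0              /* look for "OPCDS <access>" entry    */
    if word(out.j, 1) = dsuser & word(out.j, 2) = access then found = 1
  end
  if found then
    say class profile':' dsuser 'has' access
  else do
    say class profile':' dsuser 'is NOT permitted with' access
    failed = failed + 1
  end
end
exit failed                      /* 0 when both permits are in place   */
```

A zero return code only shows that the profile rules are in place. It says nothing about a privileged or trusted Started Procedure Table entry, which authorizes the address space regardless of these rules.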