Protecting data sets

For basic security of Tivoli Workload Scheduler for z/OS data, you should restrict access to all the product data sets.

Two categories of users need different levels of access to the product data sets:

• Software support people must be able to debug problems and reorganize VSAM files. You might give them alter access to all the product data sets.
• Administrators and operators must be able to use the product dialogs. They need read access to ISPF-related data sets (such as the panel and message libraries), but they do not access the databases (such as the workstation database) directly: these files are accessed by the Tivoli Workload Scheduler for z/OS subsystem, not by any code in the TSO user’s address space. Authority to access the data for a dialog user is given using the authorization functions provided by the product.

The Tivoli Workload Scheduler for z/OS started task needs:

• Alter access to VSAM data sets
• Read access to input data sets, such as the message library (EQQMLIB) and parameter library (EQQPARM)
• Update access to all other Tivoli Workload Scheduler for z/OS data sets
• Update access to catalogs and alter access to data sets for all work that Tivoli Workload Scheduler for z/OS tracks, if you use the Restart and Cleanup function.