Protecting data sets
For basic security of Tivoli Workload Scheduler for z/OS data, you should restrict access to all the product data sets.
Two categories of users need different levels of access to the product data sets:
- Software support people must be able to debug problems and reorganize VSAM files. You might give them alter access to all the product data sets.
- Administrators and operators must be able to use the product dialogs. They need read access to ISPF-related data sets (such as the panel and message libraries), but they do not access the databases (such as the workstation database) directly: these files are accessed by the Tivoli Workload Scheduler for z/OS subsystem, not by any code in the TSO user’s address space. Authority to access the data for a dialog user is given using the authorization functions provided by the product.
The Tivoli Workload Scheduler for z/OS started task needs:
- Alter access to VSAM data sets
- Read access to input data sets, such as the message library (EQQMLIB) and parameter library (EQQPARM)
- Update access to all other Tivoli Workload Scheduler for z/OS data sets
- Update access to catalogs and alter access to data sets for all work that Tivoli Workload Scheduler for z/OS tracks, if you use the Restart and Cleanup function.