Authorizing Tivoli Workload Scheduler for z/OS as a job submitter
Consider the following resource classes when implementing security for Tivoli Workload Scheduler for z/OS. The examples assume that the RACF® user for the Tivoli Workload Scheduler for z/OS address space is OPCAPPL, which is the name specified in the started-procedure table.
- JESJOBS
- If your installation has activated the JESJOBS class, you must permit Tivoli Workload Scheduler for z/OS to submit all jobs that are defined in the current plan. One way of doing this is to permit Tivoli Workload Scheduler for z/OS to submit all jobs. You can do this by:
- Defining the submit resource:
RDEFINE JESJOBS SUBMIT.*.*.* UACC(NONE) OWNER(OPCAPPL)
- Authorizing Tivoli Workload Scheduler for z/OS:
PERMIT SUBMIT.*.*.* CLASS(JESJOBS) ID(OPCAPPL) ACC(READ)
- SURROGAT
- A surrogate job submission occurs when all the following conditions are met:
- USER=xxxx is specified on the job card of the submitted job.
- The xxxx is not the same as the submitting (RACF) user.
- No password is specified on the job card.
You might use the job-submit exit (EQQUX001) to return a submitting user in the RUSER field. This is required if you want stand-alone cleanup jobs to be submitted with the same authority as the original job; otherwise, you can replace it with surrogate job submission.
To permit Tivoli Workload Scheduler for z/OS to submit this job, perform the following steps:
- Activate the surrogate class:
SETROPTS CLASSACT(SURROGAT)
- Define the submit resource:
RDEFINE SURROGAT APLUSER.SUBMIT UACC(NONE) OWNER(APLUSER)
- Authorize Tivoli Workload Scheduler for z/OS:
PERMIT APLUSER.SUBMIT CLASS(SURROGAT) ID(OPCAPPL) ACC(READ)
If the PRIVILEGED or TRUSTED attribute is set in the Started Procedure Table (SPT) entry, Tivoli Workload Scheduler for z/OS is authorized to submit jobs under any user, regardless of what is defined in the resource rules.
For further information, see the RACF Administrator’s Guide.
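The following is an added example, not part of the original page or of the product: a Python audit helper that applies the three surrogate-submission conditions listed above to job cards and returns the RDEFINE/PERMIT pairs each surrogate user needs, in the form the page shows. It assumes the submitting user is OPCAPPL, that EQQUX001 does not return a different RUSER, and that the started task is not PRIVILEGED or TRUSTED; the function names and sample JCL are constructed for illustration.

```python
import re
JOB_RE = re.compile(r"^//(\S{1,8})\s+JOB\b(.*)$")

def operands(field):
    """Cut a JCL operand field at the first blank outside apostrophes (rest is comment)."""
    quoted = False
    for k, ch in enumerate(field):
        if ch == "'":
            quoted = not quoted
        elif ch == " " and not quoted:
            return field[:k]
    return field

def job_card(jcl):
    """Return (jobname, operands) of the JOB statement. A statement continues while
    the operands end in a comma and the next line has the form '//  operand'."""
    lines = [ln[:72].rstrip() for ln in jcl.splitlines()]  # columns 73-80 are sequence numbers
    for i, ln in enumerate(lines):
        m = JOB_RE.match(ln)
        if m:
            ops, j = operands(m.group(2).strip()), i + 1
            while ops.endswith(",") and j < len(lines) and re.match(r"^// +\S", lines[j]):
                ops += operands(lines[j][2:].strip())
                j += 1
            return m.group(1), ops
    raise ValueError("no JOB statement found")

def surrogate_user(jcl, submitter="OPCAPPL"):
    """Return the USER= value if all three surrogate conditions hold, else None."""
    _, ops = job_card(jcl)
    bare = re.sub(r"'[^']*'", "", ops).upper()  # ignore keywords inside quoted text
    user = re.search(r"(?:^|,)USER=([^,]+)", bare)
    has_password = re.search(r"(?:^|,)PASSWORD=", bare)
    return user.group(1) if user and user.group(1) != submitter and not has_password else None

def racf_commands(jcls, submitter="OPCAPPL"):
    """Emit one RDEFINE/PERMIT pair per distinct surrogate user, in the page's form."""
    cmds = []
    for target in sorted({u for j in jcls if (u := surrogate_user(j, submitter))}):
        cmds.append(f"RDEFINE SURROGAT {target}.SUBMIT UACC(NONE) OWNER({target})")
        cmds.append(f"PERMIT {target}.SUBMIT CLASS(SURROGAT) ID({submitter}) ACC(READ)")
    return cmds

# Constructed sample job cards (not from the original page)
SAMPLES = [
    "//PAYROLL1 JOB (ACCT),'NIGHTLY RUN',USER=APLUSER,\n//         CLASS=A,MSGCLASS=X\n",
    "//REPORT1 JOB (ACCT),'USER=FAKE',CLASS=A  USER=COMMENT\n",
    "//BILLING1 JOB (ACCT),USER=BILLUSR,PASSWORD=XXXXXXXX\n",
    "//SELFJOB JOB (ACCT),USER=OPCAPPL\n",
]
```

Reviewing the generated list before issuing the commands keeps the SURROGAT grants limited to the user IDs that jobs in the plan actually name, rather than granting OPCAPPL surrogate authority more broadly.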