IBM Z Workload Scheduler API and RACF

IBM Z Workload Scheduler performs security checking at the Z controller for all transaction programs (TP) that use the API.

To establish a conversation, the outbound TP must supply a user_id and password, and optionally a profile that indicates the RACF® user group. The user_id must have access to the IBM Z Workload Scheduler subsystem resource, which is defined in the APPL class.

A user needs the following access to fixed resources for API requests:

GET
    CP read. SR read is also required to retrieve special resource information.
PUT
    CP update. RL update is required to change the status of operations or issue ready list commands such as MH or NOP. EXEC update is required to use the EXEC command.
DEL
    CP update.
CREATE
    IBM Z Workload Scheduler does not support security checking for CREATE requests because a request could be directed to more than one IBM Z Workload Scheduler subsystem where security rules differ. You can prevent unauthorized use of CREATE requests through APPC security mechanisms by protecting the LU and the TP name.
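
The following REXX exec is an added example, not part of the IBM documentation. It shows one least-privilege way to grant the access listed above: a read-only API user for GET requests, and an operator group for PUT and DEL requests that is not given EXEC. The subsystem name OPCC, the class name IBMOPC, and the IDs APIREAD and APIOPER are assumptions; substitute the names your installation uses.

```rexx
/* REXX - added example, not IBM-supplied code.                       */
/* Assumed names: subsystem OPCC, class IBMOPC, user APIREAD,         */
/* group APIOPER. Run under TSO by a RACF administrator.              */
address tso

subsys = 'OPCC'          /* assumed scheduler subsystem name          */
class  = 'IBMOPC'        /* assumed class holding the fixed resources */
fixed  = 'CP SR RL EXEC' /* fixed resources named for API requests    */

/* The user_id supplied by the outbound TP must have access to the    */
/* subsystem resource in the APPL class.                              */
"RDEFINE APPL" subsys "UACC(NONE)"
"PERMIT" subsys "CLASS(APPL) ID(APIREAD APIOPER) ACCESS(READ)"

/* Default-deny profile for each fixed resource. RDEFINE reports an   */
/* error for a profile that already exists; the PERMITs still apply.  */
do i = 1 to words(fixed)
  "RDEFINE" class word(fixed, i) "UACC(NONE)"
end

/* GET: CP read, plus SR read to retrieve special resource data.      */
"PERMIT CP CLASS("class") ID(APIREAD) ACCESS(READ)"
"PERMIT SR CLASS("class") ID(APIREAD) ACCESS(READ)"

/* PUT and DEL: CP update. RL update lets PUT change operation status */
/* or issue ready list commands such as MH or NOP.                    */
"PERMIT CP CLASS("class") ID(APIOPER) ACCESS(UPDATE)"
"PERMIT RL CLASS("class") ID(APIOPER) ACCESS(UPDATE)"

/* EXEC update is deliberately not granted: nobody on the access list */
/* plus UACC(NONE) means the EXEC command is refused through the API. */

/* Only needed when the APPL class is RACLISTed at your installation. */
"SETROPTS RACLIST(APPL) REFRESH"
exit 0
```

CREATE requests are not covered by these profiles, because the scheduler does not check them; they have to be restricted through APPC protection of the LU and the TP name.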

If you protect IBM Z Workload Scheduler data by specifying subresources, users must have the appropriate access to subresources. Table 1 shows the subresources that you can specify for each fixed resource.