Authorizing IBM Z Workload Scheduler as a job submitter

Consider the following resource classes when implementing security for IBM Z Workload Scheduler. The examples assume that the RACF® user for the IBM Z Workload Scheduler address space is OPCAPPL, which is the name specified in the started-procedure table.
JESJOBS
If your installation has activated the JESJOBS class, you must permit IBM Z Workload Scheduler to submit all jobs that are defined in the current plan. One way of doing this is to permit IBM Z Workload Scheduler to submit all jobs. You can do this by:
  1. Defining the submit resource:
     RDEFINE JESJOBS SUBMIT.*.*.* UACC(NONE) OWNER(OPCAPPL)
  2. Authorizing IBM Z Workload Scheduler:
     PERMIT SUBMIT.*.*.* CLASS(JESJOBS) ID(OPCAPPL) ACC(READ)
SURROGAT
A surrogate job submission occurs when all the following conditions are met:
  1. USER=xxxx is specified on the job card of the submitted job.
  2. xxxx is not the same as the submitting (RACF) user.
  3. No password is specified on the job card.
You might use the job-submit exit (EQQUX001) to return a submitting user in the RUSER field. This is required if you want stand-alone cleanup jobs to be submitted with the same authority as the original job; otherwise, you can replace it with surrogate job submission.
To permit IBM Z Workload Scheduler to submit this job, perform the following steps:
  1. Activate the surrogate class:
     SETROPTS CLASSACT(SURROGAT)
  2. Define the submit resource:
     RDEFINE SURROGAT APLUSER.SUBMIT UACC(NONE) OWNER(APLUSER)
  3. Authorize IBM Z Workload Scheduler:
     PERMIT APLUSER.SUBMIT CLASS(SURROGAT) ID(OPCAPPL) ACC(READ)

If the PRIVILEGED or TRUSTED attribute is set in the Started Procedure Table (SPT) entry, IBM Z Workload Scheduler is authorized to submit jobs under any user, regardless of what is defined in the resource rules.
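
The following Python example is added here for illustration and is not IBM code or part of the product. It applies the three surrogate-submission conditions listed above to a job's JCL and names the SURROGAT profile that OPCAPPL would need, so that access can be granted per execution user. It assumes the submitting user is OPCAPPL (no RUSER returned by EQQUX001) and a simplified JOB-statement parser; the function names and the sample JCL are constructed for this example.

```python
import re

SUBMITTER = "OPCAPPL"   # scheduler's RACF user, as assumed on this page
FIELD = re.compile(r"(?:'[^']*'|[^ '])*")   # operand field: up to first unquoted blank

def job_operands(jcl):
    """Operands of the first JOB statement, continuation lines joined."""
    ops, found = "", False
    for raw in jcl.splitlines():
        line = raw[:71].rstrip()             # columns 73-80 hold sequence numbers
        if line.startswith("//*"):           # comment statement
            continue
        if not found:
            m = re.match(r"//\S+\s+JOB(?:\s+(.*))?$", line)
            if not m:
                continue
            found, rest = True, m.group(1) or ""
        elif line.startswith("// "):         # continuation of the JOB statement
            rest = line[2:].lstrip()
        else:
            break
        ops += FIELD.match(rest).group(0)    # text after the field is a comment
        if not ops.endswith(","):            # no trailing comma: statement ends
            break
    return ops if found else None

def surrogate_profile(jcl, submitter=SUBMITTER):
    """Return 'xxxx.SUBMIT' when all three conditions hold, else None."""
    bare = re.sub(r"'[^']*'", "", job_operands(jcl) or "")   # drop quoted text
    user = re.search(r"(?:^|,)USER=([^,]+)", bare)           # condition 1
    if not user or user.group(1).upper() == submitter:       # condition 2
        return None
    if re.search(r"(?:^|,)PASSWORD=[^,]+", bare):            # condition 3
        return None
    return f"{user.group(1).upper()}.SUBMIT"

def racf_commands(profile):
    """RDEFINE/PERMIT pair in the form this page uses for APLUSER.SUBMIT."""
    user = profile.split(".")[0]
    return [f"RDEFINE SURROGAT {profile} UACC(NONE) OWNER({user})",
            f"PERMIT {profile} CLASS(SURROGAT) ID({SUBMITTER}) ACC(READ)"]

SAMPLE = """\
//PAYROLL1 JOB (ACCT),'USER=NOBODY',CLASS=A,
//         USER=APLUSER,MSGCLASS=X
"""  # constructed sample JCL, not from the page

if __name__ == "__main__":
    print("\n".join(racf_commands(surrogate_profile(SAMPLE))))
```

The quoted programmer name in the sample shows why quoted text is dropped before the USER= keyword is looked up.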

For further information, see the RACF Administrator's Guide.