Authorizing IBM Z Workload Scheduler to issue JES commands
Consider the following resource classes when implementing security for IBM Z Workload Scheduler. The examples assume that the RACF user for the IBM Z Workload Scheduler address space is OPCAPPL, which is the name specified in the started-procedure table.
- OPERCMDS
- If the OPERCMDS class is active and you have specified HOLDJOB(YES) or HOLDJOB(USER) for an event writer, the IBM Z Workload Scheduler address space where the event writer is started must be authorized to issue the JES release command. One method is to permit IBM Z Workload Scheduler to issue all JES commands. To permit IBM Z Workload Scheduler to issue JES commands on a JES2 system, perform the following steps:
  - Define the resource:
    RDEFINE OPERCMDS JES2.* UACC(NONE)
  - Authorize IBM Z Workload Scheduler:
    PERMIT JES2.* CLASS(OPERCMDS) ID(OPCAPPL) ACC(UPDATE)
  On a JES3 system, replace JES2.* with JES3.* in the example. Alternatively, you could specify the JES%.* resource name for either a JES2 or JES3 system.
  If you use IBM Z Workload Scheduler to schedule started tasks, the address space must be authorized to issue the z/OS start command. One way of doing this is to permit IBM Z Workload Scheduler to issue all z/OS commands. To do this, perform the following steps:
  - Define the resource:
    RDEFINE OPERCMDS ZOS.* UACC(NONE)
  - Authorize IBM Z Workload Scheduler:
    PERMIT ZOS.* CLASS(OPERCMDS) ID(OPCAPPL) ACC(UPDATE)
  Authority to use the z/OS start command is also required if you use Hiperbatch™ support for IBM Z Workload Scheduler operations.
- JESSPOOL
- If the JESSPOOL class is active and you use the IBM Z Workload Scheduler JCC function, you must authorize IBM Z Workload Scheduler to access SYSOUT data sets for all jobs in the current plan. Also, the output collector and data store require ALTER access for the JESSPOOL class. One way of doing this is to permit IBM Z Workload Scheduler to access all SYSOUT data sets. To permit IBM Z Workload Scheduler, output collector, and data store to access all SYSOUT data sets, perform the following steps on each system where the JCC, output collector, and data store are started:
  - Define the resource:
    RDEFINE JESSPOOL *.* UACC(NONE)
  - Authorize IBM Z Workload Scheduler:
    PERMIT *.* CLASS(JESSPOOL) ID(OPCAPPL) ACC(ALTER)
If the PRIVILEGED or TRUSTED attribute is set in the Started Procedure Table (SPT) entry for IBM Z Workload Scheduler, the address space is authorized to issue any commands and to process spool data sets regardless of what is defined in the resource rules.
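A review aid for the OPERCMDS and JESSPOOL definitions above, added here as an example and not part of the IBM documentation: it reads RDEFINE and PERMIT command text and lists what a given user ID is granted, marking for review any permit without a matching RDEFINE, any profile whose UACC is not NONE, and any catch-all generic profile granted at UPDATE or higher. The function names and the EXAMPLE.RESOURCE profile are hypothetical; the script inspects command text only and does not query RACF or account for the PRIVILEGED or TRUSTED attribute.

```python
import re

# Constructed input: this page's commands plus one hypothetical PERMIT (EXAMPLE.RESOURCE).
COMMANDS = """\
RDEFINE OPERCMDS JES2.* UACC(NONE)
PERMIT JES2.* CLASS(OPERCMDS) ID(OPCAPPL) ACC(UPDATE)
RDEFINE OPERCMDS ZOS.* UACC(NONE)
PERMIT ZOS.* CLASS(OPERCMDS) ID(OPCAPPL) ACC(UPDATE)
RDEFINE JESSPOOL *.* UACC(NONE)
PERMIT *.* CLASS(JESSPOOL) ID(OPCAPPL) ACC(ALTER)
PERMIT EXAMPLE.RESOURCE CLASS(OPERCMDS) ID(OPCAPPL) ACC(READ)
"""
RDEF = re.compile(r"^\s*(?:RDEFINE|RDEF)\s+(\S+)\s+(\S+)(.*)$", re.I)
PERM = re.compile(r"^\s*(?:PERMIT|PE)\s+(\S+)(.*)$", re.I)
HIGH = {"UPDATE", "CONTROL", "ALTER"}

def operand(text, keyword):
    """Value of a KEYWORD(value) operand, upper-cased, or None if absent."""
    m = re.search(rf"\b{keyword}\(([^)]*)\)", text, re.I)
    return m.group(1).strip().upper() if m else None

def is_catch_all(profile):
    """True when every qualifier after the first is only generic characters."""
    rest = profile.split(".")[1:]
    return bool(rest) and all(set(q) <= set("*%") for q in rest)

def audit(commands, user):
    """Return (class, profile, access, notes) for each PERMIT naming `user`."""
    uacc, report = {}, []
    for line in commands.splitlines():      # pass 1: collect RDEFINE profiles
        if m := RDEF.match(line):
            uacc[(m[1].upper(), m[2].upper())] = operand(m[3], "UACC")
    for line in commands.splitlines():      # pass 2: check each PERMIT
        m = PERM.match(line)
        if not m or user.upper() not in re.split(r"[,\s]+", operand(m[2], "ID") or ""):
            continue
        key = (operand(m[2], "CLASS") or "DATASET", m[1].upper())  # PERMIT defaults
        acc = operand(m[2], "ACC(?:ESS)?") or "READ"
        notes = []
        if key not in uacc:
            notes.append("no RDEFINE in input")
        elif uacc[key] != "NONE":
            notes.append("UACC is not NONE")
        if is_catch_all(key[1]) and acc in HIGH:
            notes.append("catch-all profile at " + acc)
        report.append((*key, acc, notes))
    return report

if __name__ == "__main__":
    print(*audit(COMMANDS, "OPCAPPL"), sep="\n")
```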
For further information, see the RACF® Security Administrator's Quick Reference.