Mapping a Dynamic Workload Console user ID to a RACF user ID
For any operations performed through Dynamic Workload Console, make sure that the Dynamic Workload Console user ID is associated with a corresponding RACF® user ID. The RACF user ID must have the permissions required to access the IBM Z Workload Scheduler resources.
IBM Z Workload Scheduler server uses the RACF user ID to build the RACF environment to enable the user to access IBM Z Workload Scheduler services.
- Using the user-defined RACF class EQQADMIN, which creates a RACF user ID from the Dynamic Workload Console user ID that you use to connect to the Z connector. For details, see Creating the EQQADMIN class to associate a RACF user ID.
- Using the RACF-supplied and predefined resource class TMEADMIN. For details, see Creating the TMEADMIN class to associate a RACF user ID.
- Using a server initialization parameter (SERVOPTS USERMAP) to define a member in the file identified by the EQQPARM DD statement in the server startup job.
- IBM® Z Workload
whether the resource class EQQADMIN is defined and enabled (meaning that you set AUTOMAPPING in the class). For details, see Creating the EQQADMIN class to associate a RACF user ID.
- If the EQQADMIN class is enabled, it is used to obtain the RACF user ID. If the class is not enabled, the SERVOPTS USERMAP parameter is used to obtain the RACF user ID.
- If the SERVOPTS USERMAP parameter is not set, the resource class TMEADMIN is used to obtain the RACF user ID.
- The name of the host in which the Z connector runs is
- The Z connector user
- The Dynamic Workload Console user ID with
which you connect to the Z connector is
GRAPHUSR connects to the Z connector, this user ID is authenticated on
ZCONN1 is authenticated on the Z engine by providing the following credentials:
USER 'ZCONN1@domain' --> RACF ID (TSOuser)
TSOuser is the TSO user ID with which the IBM Z Workload Scheduler dialogs are run.
GRAPHUSR performs an operation, the Z connector uses these credentials,
therefore it is required that both
associated with a RACF user ID. The RACF user ID associated with the Z connector user does not need to
have particular permissions to the IBM Z Workload Scheduler resources, while the RACF user ID associated with the console user needs the
permissions to perform the required operations.
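The lookup order and the requirement that both IDs are mapped, modelled as an added Python example; this is not IBM code or a product API. The `ServerMapping` class, its tables, and the `GRAPHUSR@domain` to `OPER01` mapping are constructed for illustration, and the sketch assumes that only the selected source is consulted, which the page does not state.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

Table = Dict[str, str]  # user ID -> RACF user ID

@dataclass
class ServerMapping:
    """Hypothetical model of the three mapping sources (not a product API)."""
    eqqadmin: Optional[Table] = None  # None: class not defined or not enabled
    usermap: Optional[Table] = None   # None: SERVOPTS USERMAP not set
    tmeadmin: Optional[Table] = None  # None: no TMEADMIN definitions

    def source(self) -> str:
        if self.eqqadmin is not None:
            return "EQQADMIN"
        if self.usermap is not None:
            return "USERMAP"
        return "TMEADMIN"

    def resolve(self, user_id: str) -> Optional[str]:
        # Assumption: only the selected source is consulted; a miss there
        # does not fall through to a lower-priority source.
        tables = {"EQQADMIN": self.eqqadmin, "USERMAP": self.usermap,
                  "TMEADMIN": self.tmeadmin}
        return (tables[self.source()] or {}).get(user_id)

def unmapped(cfg: ServerMapping, connector_user: str, console_user: str) -> List[str]:
    """Both IDs need a RACF user ID; return the ones that have none."""
    return [u for u in (connector_user, console_user) if cfg.resolve(u) is None]

def shadowed(cfg: ServerMapping) -> Dict[str, Table]:
    """Populated lower-priority sources that the server never reads."""
    order = [("EQQADMIN", cfg.eqqadmin), ("USERMAP", cfg.usermap),
             ("TMEADMIN", cfg.tmeadmin)]
    names = [n for n, _ in order]
    below = order[names.index(cfg.source()) + 1:]
    return {name: table for name, table in below if table}

# Constructed sample: ZCONN1 -> TSOUSER follows the page; OPER01 is invented.
USERMAP = {"ZCONN1@domain": "TSOUSER", "GRAPHUSR@domain": "OPER01"}

if __name__ == "__main__":
    cfg = ServerMapping(usermap=USERMAP)
    print(cfg.source(), unmapped(cfg, "ZCONN1@domain", "GRAPHUSR@domain"))
    # In this model, enabling EQQADMIN with no entries retires the USERMAP table.
    cfg = ServerMapping(eqqadmin={}, usermap=USERMAP)
    print(cfg.source(), unmapped(cfg, "ZCONN1@domain", "GRAPHUSR@domain"))
    print(shadowed(cfg))
```

The `shadowed` result is the part worth reviewing after a change of mapping method: entries left in a lower-priority source no longer decide which RACF user ID, and therefore which permissions, a console user receives.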
The following table shows the relationship between the security products and security selections.
| Security Product used | Solution | Prerequisite |
|---|---|---|
| Security Server (RACF) | TMEADMIN | None (TMEADMIN class provided in z/OS® base). |
| | EQQADMIN | Define the RACF class EQQADMIN manually, either: |
| Other SAF-compliant | TMEADMIN | Manually define the resource class TMEADMIN, by using the EQQ9RFDE and EQQ9RF01 samples. |
| | EQQADMIN | Statically define the RACF class EQQADMIN. |
| All security products | ID mapping table | |