Tivoli Workload Automation, Version 8.6

Functions and data that you can protect

You can use fixed resources and subresources to protect Tivoli Workload Scheduler for z/OS functions and data. Fixed resources are always checked as part of the Tivoli Workload Scheduler for z/OS dialog. Subresources are checked only if they are defined in the AUTHDEF statement.

Table 1 describes all fixed resources and subresources. Use it to determine which resources you should define to RACF® and what access each user requires to them.

Note: The subresource name and the RACF resource name are not the same. You specify the subresource name shown in column 2 on the SUBRESOURCES keyword of AUTHDEF to start subresource verification. The corresponding RACF resource name shown in column 3 must be defined in the general resource class used by Tivoli Workload Scheduler for z/OS, which is specified on the CLASS keyword of AUTHDEF.
Table 1. Protected fixed resources and subresources

Fixed resource  Subresource   RACF resource name            Description
--------------  ------------  ----------------------------  ----------------------------------------------------
AD                            AD                            Application-description file
                AD.ADNAME     ADA.name                      Application name
                AD.ADGDDEF    ADD.name                      Group-definition-ID name
                AD.NAME       ADN.name                      Operation extended name in application description
                AD.OWNER      ADO.name                      Owner ID
                AD.GROUP      ADG.name                      Authority group ID
                AD.JOBNAME    ADJ.name                      Operation job name in application description
                AD.SECELEM    ADM.name                      Security element name
                AD.UFVAL      ADU.field_name.field_value    User field name and value
ADEP                          ADEP                          Selecting all dependencies in the QCP dialog
CL                            CL                            Calendar data
                CL.CALNAME    CLC.name                      Calendar name
CP                            CP                            Current-plan file
                CP.ADNAME     CPA.name                      Occurrence name
                CP.CPGDDEF    CPD.name                      Occurrence group-definition ID
                CP.NAME       CPN.name                      Operation extended name
                CP.OWNER      CPO.name                      Occurrence owner ID
                CP.GROUP      CPG.name                      Occurrence authority-group ID
                CP.JOBNAME    CPJ.name                      Occurrence operation name
                CP.WSNAME     CPW.name                      Current-plan workstation name
                CP.ZWSOPER    CPZ.name                      Workstation name used by an operation
                CP.SECELEM    CPM.name                      Security element name
                CP.UFVAL      CPU.field_name.field_value    Operation user field name and value
ETT                           ETT                           ETT dialog
                ET.ETNAME     ETE.name                      Name of triggering event
                ET.ADNAME     ETA.name                      Name of application to be added
HIST                          HIST                          Retrieving history data with the HIST command
JL                            JL                            Job library data sets
                JLD.NAME      JLD.name                      Job library data set name
                JLM.NAME      JLM.name                      JCL member name
JS                            JS                            JCL and job-library file
                JS.ADNAME     JSA.name                      Occurrence name
                JS.OWNER      JSO.name                      Occurrence owner ID
                JS.GROUP      JSG.name                      Occurrence authority-group ID
                JS.JOBNAME    JSJ.name                      Occurrence operation name
                JS.WSNAME     JSW.name                      Current-plan workstation name
JV                            JV                            JCL variable-definition file
                JV.OWNER      JVO.name                      Owner ID of JCL-variable-definition table
                JV.TABNAME    JVT.name                      Name of JCL-variable table
LT                            LT                            Long-term-plan file
                LT.ADNAME     LTA.name                      Occurrence name
                LT.LTGDDEF    LTD.name                      Occurrence group-definition ID
                LT.OWNER      LTO.name                      Occurrence owner ID
OI                            OI                            Operator-instruction file
                OI.ADNAME     OIA.name                      Application name
PR                            PR                            Period data
                PR.PERNAME    PRP.name                      Period name
RL                            RL                            Ready list data
                RL.ADNAME     RLA.name                      Occurrence name
                RL.OWNER      RLO.name                      Occurrence owner ID
                RL.GROUP      RLG.name                      Occurrence authority-group ID
                RL.WSNAME     RLW.name                      Current-plan workstation name
                RL.WSSTAT     RLX.name                      Current-plan workstation changed by WSSTAT
RD                            RD                            Special resources file
                RD.RDNAME     RDR.name                      Special resource name
RP                            RP                            Dynamic Workload Console reports
                RP.REPTYPE    RPT.reptype                   Report type, depending on the report you request:
                                                              RUNHIST   job run history reports
                                                              RUNSTATS  job run statistics
                                                              WWR       workstation workload runtimes reports
                                                              WWS       workstation workload summary
                                                              SQL       reports obtained by customized SQL queries
SR                            SR                            Special resources in the current plan
                SR.SRNAME     SRS.name                      Special resource name
WS                            WS                            Workstation data
                WS.WSNAME     WSW.name                      Workstation name in workstation database
ARC                           ARC                           Activate/deactivate automatic recovery
BKP                           BKP                           Request backup of a resource data set
BUL                           BUL                           Initiate bulk discovery for the monitoring agent
CMAC                          CMAC                          Data set and catalog cleanup used by the Restart and Cleanup function
CONT                          CONT                          Refresh RACF subresources
ETAC                          ETAC                          Activate/deactivate event-triggered tracking
EXEC                          EXEC                          EX (execute) row command
JSUB                          JSUB                          Activate/deactivate job submit
REFR                          REFR                          Refresh LTP and delete CP
WSCL                          WSCL                          All-workstations-closed data

As shown in Table 1, the following items exist only as fixed resources. Each entry names the resource and what it protects:

ADEP
    The use of the ALL DEP inquiry from the EQQSOPGD panel in the Query Current Plan (QCP) dialog. To use this function, you need read or update authority to the ADEP fixed resource.

ARC
    The ACTIVATE/DEACTIVATE automatic recovery function in the Tivoli Workload Scheduler for z/OS Service Functions dialog. To use this function, you need update authority to the ARC fixed resource.

BKP
    The use of the BACKUP command. BACKUP lets you request a backup of the current plan data set or the JCL repository data set. To use this command, you need update access to the BKP fixed resource on the system where the command is issued.

BUL
    The use of the BULKDISC command. BULKDISC lets you initiate a bulk discovery. To use this command, you need update access to the BUL fixed resource on the system where the command is issued.

CMAC
    The Restart and Cleanup function in the Tivoli® Workload Scheduler for z/OS® panels. To use Step Restart, Job Restart, and Start Cleanup, you need update authority to the CMAC fixed resource. No authority to CMAC is required to use Display Cleanup.

CONT
    The RACF RESOURCES function in the Tivoli Workload Scheduler for z/OS Service Functions dialog. This function lets you activate subresources that were defined after Tivoli Workload Scheduler for z/OS started. To use this function, you need update authority to the CONT fixed resource.

ETAC
    The ACTIVATE/DEACTIVATE ETT function in the Service Functions dialog. To use this function, you need update authority to the ETAC fixed resource.

EXEC
    The use of the EX (execute) row command. You can issue this command from the Modify Current Plan dialog and from workstation ready lists if you have update access to the EXEC fixed resource.

JSUB
    The ACTIVATE/DEACTIVATE job submission function in the Tivoli Workload Scheduler for z/OS Service Functions dialog or the TSO JSUACT command. To use this function, you need update authority to the JSUB fixed resource.

REFR
    The REFRESH function (delete the current plan and reset the long-term plan) in the Tivoli Workload Scheduler for z/OS Service Functions dialog. To use this function, you need update authority to the REFR fixed resource.

WSCL
    The All Workstations Closed function of the Workstation Description dialog. To browse the list of time intervals when all workstations are closed, you need read authority to the WSCL fixed resource. To update the list, you need update authority to the WSCL fixed resource.

Note: Ensure that you restrict access to these fixed resources to users who require them. REFR is particularly important because this function deletes the current plan.
There are some things to consider when working with fixed resources and subresources:
  • The AD.JOBNAME and CP.JOBNAME subresources protect only the JOBNAME field within an application or occurrence. You use these subresources to limit the job names to which the user has access during job setup and similar tasks. If you do not use these subresources, a dialog user might obtain greater authority by using Tivoli Workload Scheduler for z/OS to perform certain functions. For example, a user could submit an unauthorized job by adding an application to the current plan, changing the job name, and then letting Tivoli Workload Scheduler for z/OS submit the job.

    For these subresources, only the ACCESS(UPDATE) level is meaningful.

  • The subresources AD.GROUP, CP.GROUP, JS.GROUP, and RL.GROUP are used to protect access to Tivoli Workload Scheduler for z/OS data based on the authority group ID and not application description groups.
  • The subresource data is passed to SAF without modifications. Your security product might have restrictions on which characters it allows. For example, RACF resource names cannot contain asterisks, embedded blanks, or DBCS characters.
  • The EQQ9RFDE member in the sample library updates the class-descriptor tables with a Tivoli Workload Scheduler for z/OS-specific class called OPCCLASS.
  • Use the CP.ZWSOPER subresource if you want to protect an operation based on the name of the workstation where the operation will be started. You must have update access to this subresource if you want to modify an operation. If you want to specify dependencies between operations, you must have update authority to both the predecessor and successor operations.

    You can use the CP.ZWSOPER subresource to protect against updates to an operation in an occurrence or the unauthorized deletion or addition of an operation in an occurrence. This subresource is not used to protect the addition of an occurrence to the current plan or to protect an occurrence in the current plan that a user attempts to delete, set to waiting, or set to complete. When an occurrence is rerun, access authority is checked only for the particular operation that the rerun is started from.

    The subresource CP.ZWSOPER is unlike the subresource CP.WSNAME, which protects workstations but does not protect against updates to operations.

  • When no current plan occurrence information is available, subresource protection for job setup and JCL editing tasks is based on information from the application description. For example, if you are adding an occurrence to the CP and you request JCL edit for an operation, subresource requests using owner ID or authority group ID are issued using the owner ID or authority group ID defined in the AD, because the CP occurrence does not yet exist. Similarly, when editing JCL in the LTP dialog, subresources are based on CP occurrence information, if the occurrence is in the CP. If the occurrence is not in the CP, subresource requests are issued using information from the AD.
  • To use the HIST (history) command from the Tivoli Workload Scheduler for z/OS panels, you need at least READ access to the HIST fixed resource.
  • Security checks are not performed on user fields for which there is no value specified.
  • AD.UFVAL and CP.UFVAL subresources:
    • The AD.UFVAL and CP.UFVAL subresources are used to protect user field names and values. If you specify these subresources in an AUTHDEF statement using the predefined class, IBMOPC, note that the IBMOPC profile supports user fields no longer than 54 characters. The 54-character limit applies to the total length of the following string:
      • For the AD.UFVAL subresource: ADU.<field_name>.<field_value>
      • For the CP.UFVAL subresource: CPU.<field_name>.<field_value>
      Therefore, if you require protection for user fields longer than 54 characters, then you must manually create a new RACF profile, or use an existing profile you have defined, that supports user fields with values longer than 54 characters. For example, the profile could specify MAXLNTH=80 to ensure longer user field names and values are supported.
    • The characters permitted in the ADU.<field_name>.<field_value> and CPU.<field_name>.<field_value> strings depend on the security product you use through the system authorization facility (SAF). The security product can be RACF or any other product that works with SAF. No checks are performed to validate the characters used, so you must be careful not to use characters that can cause unexpected results. For example, avoid using characters that the security product treats as wildcard characters. In the case of RACF, this means avoiding the wildcard characters * and %.
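The mapping between the subresource names given on the SUBRESOURCES keyword and the RACF resource names in Table 1, together with the IBMOPC length limit and the character restrictions described above, can be checked before profiles are defined. The following is an added example written for this page, not IBM's code: it builds the RACF resource name that a subresource check would present to SAF and reports names that are too long for the class or contain blanks, DBCS characters, or RACF wildcards. The sample field values and the MAXLNTH=80 comparison are constructed for illustration.

```python
# Added example, not IBM's code: build the RACF resource name that Tivoli Workload
# Scheduler for z/OS passes to SAF for a subresource check, and flag names that
# the IBMOPC class or RACF itself cannot hold. The prefix map is Table 1 above.
RACF_PREFIX = {
    "AD.ADNAME": "ADA", "AD.ADGDDEF": "ADD", "AD.NAME": "ADN", "AD.OWNER": "ADO",
    "AD.GROUP": "ADG", "AD.JOBNAME": "ADJ", "AD.SECELEM": "ADM", "AD.UFVAL": "ADU",
    "CP.ADNAME": "CPA", "CP.CPGDDEF": "CPD", "CP.NAME": "CPN", "CP.OWNER": "CPO",
    "CP.GROUP": "CPG", "CP.JOBNAME": "CPJ", "CP.WSNAME": "CPW", "CP.ZWSOPER": "CPZ",
    "CP.SECELEM": "CPM", "CP.UFVAL": "CPU", "ET.ETNAME": "ETE", "ET.ADNAME": "ETA",
    "JLD.NAME": "JLD", "JLM.NAME": "JLM", "JS.ADNAME": "JSA", "JS.OWNER": "JSO",
    "JS.GROUP": "JSG", "JS.JOBNAME": "JSJ", "JS.WSNAME": "JSW", "JV.OWNER": "JVO",
    "JV.TABNAME": "JVT", "LT.ADNAME": "LTA", "LT.LTGDDEF": "LTD", "LT.OWNER": "LTO",
    "OI.ADNAME": "OIA", "PR.PERNAME": "PRP", "RL.ADNAME": "RLA", "RL.OWNER": "RLO",
    "RL.GROUP": "RLG", "RL.WSNAME": "RLW", "RL.WSSTAT": "RLX", "RD.RDNAME": "RDR",
    "RP.REPTYPE": "RPT", "SR.SRNAME": "SRS", "WS.WSNAME": "WSW",
}
IBMOPC_MAXLNTH = 54         # profile length the predefined IBMOPC class supports
RACF_WILDCARDS = set("*%")  # generic-profile characters RACF would interpret

def racf_resource_name(subresource: str, *values: str) -> str:
    """Join the Table 1 prefix with the value(s) exactly as they would reach SAF,
    e.g. ("AD.UFVAL", "DEPT", "FIN") -> "ADU.DEPT.FIN". Nothing is escaped."""
    return ".".join((RACF_PREFIX[subresource],) + values)

def check_resource_name(name: str, maxlnth: int = IBMOPC_MAXLNTH) -> list:
    """Return the reasons a resource name would be rejected or misread by RACF:
    longer than the class allows, an embedded blank, a DBCS/non-ASCII character,
    or a wildcard that turns a literal value into a generic pattern."""
    problems = []
    if len(name) > maxlnth:
        problems.append(f"length {len(name)} exceeds MAXLNTH={maxlnth}")
    if " " in name.strip():
        problems.append("embedded blank")
    if not name.isascii():
        problems.append("DBCS/non-ASCII character")
    wild = sorted(set(name) & RACF_WILDCARDS)
    if wild:
        problems.append("wildcard character(s): " + " ".join(wild))
    return problems

if __name__ == "__main__":
    # Constructed sample values; the last one exceeds the IBMOPC default but
    # fits a manually defined class with MAXLNTH=80, as the text describes.
    for args in (("AD.JOBNAME", "PAYJOB1"), ("CP.UFVAL", "DEPT", "FIN*"),
                 ("AD.UFVAL", "COSTCENTER", "X" * 45)):
        name = racf_resource_name(*args)
        print(name, check_resource_name(name) or "ok",
              check_resource_name(name, maxlnth=80) or "ok")
```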