HCL Workload Automation, Version 9.4

Update RACF for the agent for z/OS started task

This section describes how to define the agent for z/OS to your security system.

If your installation protects data and resources from unauthorized use, you must define the agent for z/OS to your security system. This section assumes that the Resource Access Control Facility (RACF®) is installed and active on your z/OS® system. It describes the activities you must perform to define and enable the security environment for the agent for z/OS.

RACF controls the interaction between users and resources. You define resources, and the level of access that users are allowed to those resources, in RACF profiles. RACF identifies each user by an alphanumeric user ID.

The agent for z/OS needs access to z/OS resources for the work it schedules. Two user IDs are involved:
  • The user ID of the agent for z/OS address space, which accesses the data sets used by the work it schedules, submits that work to JES, and issues JES commands.
  • The user ID named in the USER parameter on the JOB card of a batch job that the agent submits.

Controlling the user ID of the address space

Because the agent for z/OS runs as a started task, you must associate its cataloged procedure name with a suitably authorized RACF user ID. You define this association with a profile in the STARTED resource class; the user ID itself is defined with ADDUSER, normally as a protected user ID (no password) so that nobody can log on with the agent's identity.
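The following batch job is an added illustration, not taken from the product documentation: it defines a protected user ID for the agent and maps the started-task procedure name to that user ID with a STARTED class profile. The procedure name and user ID TWSAGNT, the group STCGRP and the owner SYS1 are assumptions; substitute the names used at your installation.

```jcl
//RACFSTC  JOB (ACCT),'DEFINE AGENT STC',CLASS=A,MSGCLASS=X
//*
//* Added example: define the RACF identity of the agent for z/OS
//* started task. TWSAGNT (procedure name and user ID), STCGRP and
//* SYS1 are assumed names, not values from the product.
//*
//* The RACF commands run in batch TSO (IKJEFT01). A trailing '+'
//* continues a command on the next SYSTSIN line.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDUSER TWSAGNT NAME('HWA AGENT FOR Z/OS') OWNER(SYS1)          +
          DFLTGRP(STCGRP) NOPASSWORD NOOIDCARD
  RDEFINE STARTED TWSAGNT.* OWNER(SYS1)                           +
          STDATA(USER(TWSAGNT) GROUP(STCGRP)                      +
                 TRUSTED(NO) PRIVILEGED(NO))
  SETROPTS RACLIST(STARTED) REFRESH
  RLIST   STARTED TWSAGNT.* STDATA
/*
```

NOPASSWORD NOOIDCARD makes TWSAGNT a protected user ID that cannot be used to log on. TRUSTED(NO) PRIVILEGED(NO) keeps the address space subject to normal RACF checking, so every resource the agent touches must be granted explicitly (the product data sets through DATASET profiles, JES commands through the OPERCMDS class). If the STARTED class is not yet active at your installation, run SETROPTS CLASSACT(STARTED) RACLIST(STARTED) once before the REFRESH; the final RLIST shows the mapping that RACF will apply when the task starts.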

Controlling the user ID of submitted jobs

The agent for z/OS can submit two types of jobs to JES:
  • Normal production jobs, which are submitted from an HCL Workload Automation plan.
  • Ad-hoc jobs, which you can submit directly using the Dynamic Workload Console or conman.
The agent submits production and ad-hoc jobs to the internal reader when all their prerequisites are fulfilled. The authority a submitted job runs with is determined in one of the following ways:
  • When the JOB card does not name a different user, the job is given the same authority as the agent for z/OS address space.
  • You can code the USER and PASSWORD parameters on the JOB card so that the job runs with the authority of that user. A password coded in this way is stored in clear text in the JCL library, so restrict read access to that library accordingly.
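As an added illustration (not from the product documentation), the two JOB statements below show the difference between the two cases. The job names, the account field, the user ID PAYUSER and the placeholder password are assumptions.

```jcl
//* Added example. PRODJOB1 names no user, so when the agent for
//* z/OS submits it through the internal reader it runs with the
//* authority of the agent's own address space.
//PRODJOB1 JOB (ACCT),'PAYROLL',CLASS=A,MSGCLASS=X
//STEP1    EXEC PGM=IEFBR14
//*
//* PRODJOB2 runs with the authority of PAYUSER instead. The
//* password sits in clear text in the JCL library member, so
//* that library must itself be protected against READ by users
//* who are not entitled to act as PAYUSER. PAYUSER and CHANGEME
//* are placeholders.
//PRODJOB2 JOB (ACCT),'PAYROLL',CLASS=A,MSGCLASS=X,
//             USER=PAYUSER,PASSWORD=CHANGEME
//STEP1    EXEC PGM=IEFBR14
```

Because the first form inherits the agent's authority, anyone who can get a job into the agent's plan or submit an ad-hoc job effectively acquires the agent's access to the data sets it can reach; keep the agent's own permissions to the minimum its scheduled work needs.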

Protecting data sets

For basic security of data, you should restrict access to the following product data sets:
  • The internal reader (EELBRDS)
  • The diagnostic data sets (EELDUMP and SYSDUMP)
  • The event data sets (EELEVDS and EELHTDS)
  • The service data set (EELHTREF)
  • The message library (EELMLIB)
  • The message log (EELMLOG)
  • The parameter library (EELPARM)
  • The data sets monitoring list (EELJCLIB)

Software support staff must also be able to debug problems and reorganize files, so you might give them ALTER access to all the product data sets.
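The job below is an added example, not part of the product documentation. It covers the product data sets with one generic DATASET profile, gives the agent's user ID update access, gives a support group alter access, and leaves everyone else with no access. The prefix TWS.AGENT, the user ID TWSAGNT, the group SUPPORT and the owner SYS1 are assumptions, as is the layout in which all the listed data sets (EELMLOG, EELPARM, EELEVDS and so on) are allocated under that prefix; UPDATE for the agent is a starting point, because the page does not specify per-data-set access levels.

```jcl
//RACFDS   JOB (ACCT),'PROTECT AGENT DSNS',CLASS=A,MSGCLASS=X
//*
//* Added example: protect the agent for z/OS product data sets.
//* Assumes they are allocated as TWS.AGENT.* (for example
//* TWS.AGENT.EELMLOG, TWS.AGENT.EELPARM), that TWS is a defined
//* RACF group so a generic profile may be created under it, and
//* that enhanced generic naming is active for the '**' suffix.
//* TWSAGNT (agent user ID), SUPPORT (support group) and SYS1
//* (owner) are assumed names.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD  'TWS.AGENT.**' UACC(NONE) OWNER(SYS1)                    +
         AUDIT(FAILURES(READ))
  PERMIT 'TWS.AGENT.**' CLASS(DATASET) ID(TWSAGNT) ACCESS(UPDATE)
  PERMIT 'TWS.AGENT.**' CLASS(DATASET) ID(SUPPORT) ACCESS(ALTER)
  SETROPTS GENERIC(DATASET) REFRESH
  LISTDSD DATASET('TWS.AGENT.**') AUTHUSER
/*
```

UACC(NONE) is what actually restricts the data sets; the two PERMIT commands then open them only to the agent and to support. AUDIT(FAILURES(READ)) logs every rejected access attempt, which is the record you want when someone probes the message log or parameter library. The closing LISTDSD with AUTHUSER prints the access list so you can confirm that nothing other than TWSAGNT and SUPPORT appears on it. Note that EELBRDS is a DD to the JES internal reader rather than a disk data set, so it is not covered by this DATASET profile; the other entries in the list above are.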