AUTHDEF

Purpose

The AUTHDEF statement specifies the HCL Workload Automation for Z resources that are defined to a security product. For a description of how to use HCL Workload Automation for Z security features to protect HCL Workload Automation for Z functions and data, see Implementing security.

You can specify this statement for a controller, a standby controller, or a tracker.

AUTHDEF is defined in the member of the EQQPARM library as specified by the PARM parameter on the JCL EXEC statement.

Format


AUTHDEF  [ CLASS( OPCCLASS | name of resource class ) ]
         [ COMMAND1, ..., COMMAND9( list of commands ) ]
         [ LISTLOGGING( ALL | FIRST | NONE ) ]
         [ SUBRESOURCES( resource,...,resource ) ]
         [ TRACE( 0 | 4 | 8 ) ]

All keywords are optional. Defaults: CLASS(OPCCLASS), LISTLOGGING(ALL), TRACE(0).

Values that you can specify, separated by commas, in SUBRESOURCES:

  AD.ADNAME, AD.ADGDDEF, AD.GROUP, AD.JOBNAME, AD.NAME, AD.OWNER, AD.RESNAME, AD.SECELEM, AD.UFVAL
  CL.CALNAME
  CP.ADD, CP.ADDOPER, CP.ADNAME, CP.COMMAND1, ..., CP.COMMAND9, CP.CPGDDEF, CP.DELETE, CP.DELOPER, CP.GROUP, CP.JOBNAME, CP.MODDEP, CP.MODIFY, CP.MODOPER, CP.MODOPSTAT, CP.NAME, CP.OWNER, CP.SECELEM, CP.UFVAL, CP.WSNAME, CP.ZWSOPER
  ET.ADNAME, ET.ETNAME
  FT.WSNAME
  JL.DSNAME, JL.MEMBER
  JS.ADNAME, JS.GROUP, JS.JOBNAME, JS.OWNER, JS.WSNAME
  JV.OWNER, JV.TABNAME
  LT.ADNAME, LT.LTGDDEF, LT.OWNER
  OI.ADNAME
  PR.PERNAME
  RD.RDNAME
  RG.RGNAME, RG.OWNER
  RL.ADNAME, RL.GROUP, RL.OWNER, RL.WSNAME, RL.WSSTAT
  RP.REPTYPE
  SR.SRNAME
  WS.WSNAME

Parameters

CLASS(name of resource class|OPCCLASS)
Defines the name of the security resource class that protects HCL Workload Automation for Z resources. The value is valid until you specify a different value and restart the HCL Workload Automation for Z address space.
Consider the following checklist when using this parameter:
  • The resource class must be defined in the RACF® class descriptor and routing tables.
  • New definitions in the RACF® class descriptor and routing tables require an IPL.
  • If multiple controller subsystems require separate policies, they require separate classes.
  • IBMOPC is a predefined class that you can use with no need for an IPL if only one class is required.
  • After a RACF® migration, consider redefining any class you defined in a previous version of RACF®.
  • The default class OPCCLASS is not predefined in RACF®. Before using this class, make sure that the necessary entries exist in the RACF® class descriptor and routing tables.

COMMAND1, ..., COMMAND9(list of commands)
Defines the list of commands for which you want to authorize a user. If the same command is listed in more than one COMMANDn parameter and different levels of authorization are assigned, the authorization with the higher level of privileges is always applied to the command.
You can specify any combination of the following occurrence and operation commands:

Table 1. Occurrence commands that you can specify in the COMMANDn parameter

  Command  Description
  C        Complete an occurrence
  CG       Complete group
  DG       Delete group
  R        Rerun
  RG       Remove from group
  W        Set waiting

Table 2. Operation commands that you can specify in the COMMANDn parameter

  Command  Description
  ARC      Attempt Automatic Recovery
  BND      Bind Operation
  DJ       Delete JCL
  EX       Execute
  J        Edit JCL
  JR       JR, Fast Path JR
  K        Kill (K and KR)
  MH       Manual Hold
  MR       Manual Release
  NP       NOP
  RI       Recovery Info (PY and PN)
  SC       SC, Fast Path SC
  SJR      Simple Job Restart
  SR       SR, Fast Path SR
  UN       UN NOP

LISTLOGGING(FIRST|NONE|ALL)
In the resource profile, you define how data is logged for accesses to a resource. If you restrict access to HCL Workload Automation for Z data at the record level by specifying subresources, a request to list HCL Workload Automation for Z data can result in several access violations being recorded for those records that satisfy the filter criteria but to which the user is not permitted access. LISTLOGGING lets you alter the amount of data that is logged for list requests.

Specify FIRST if logging is to be performed only for the first read attempt to a resource: logging occurs only for the first entry that has a profile specifying that logging should occur. Specify NONE if no logging is to be performed. Specify ALL if logging is to be performed as specified in the profile for the resource. ALL is the default value.

SUBRESOURCES(resource,...,resource)
Defines whether HCL Workload Automation for Z checks, at the record level, whether a user is authorized to access information in an HCL Workload Automation for Z VSAM file.

In the list of resources you can specify one or more of the items shown in the syntax diagram. For a description of all the fixed resources and subresources, see Protected fixed resources and subresources.

Whenever a user accesses a record, for example in the AD file, HCL Workload Automation for Z checks if the user is authorized to access the record in the manner intended. To do this, a resource name is generated, and a request is sent through SAF (system authorization facility) to the security system to test the user authority. For example, if you specify AD.ADNAME, the application name is retrieved from the record, and the prefix ADA. is added to create the resource name. The security system is then called to test if this resource exists in the resource class defined by the CLASS keyword and if the user is authorized to access it. The default resource list for the SUBRESOURCES keyword is the empty list. This means that the default is to use already established authority and not to check the user authority to access individual VSAM records.

Note: If you have specified OPCHOST(NO) in the OPCOPTS statement, only the RL.WSNAME, RL.WSSTAT, and SR.SRNAME subresources are relevant. AD.SECELEM and CP.SECELEM are relevant only if you run System Automation V3.1 (with the appropriate maintenance level installed), or later. When set, they protect the whole System Automation information in the AD segment and CP33 record, respectively.

TRACE(4|8|0)
Defines whether HCL Workload Automation for Z writes trace information to the message log (EQQMLOG) each time the RACROUTE macro is invoked. Specify 0, which is the default value, if you do not want trace information. Specify 4 if you want partial trace information. Specify 8 if you want full trace information.

Examples

 AUTHDEF CLASS(OPCCLASS)                    1
         SUBRESOURCES(AD.ADNAME,WS.WSNAME)  2

In this example of an AUTHDEF statement:

1  The default resource class is used.
2  HCL Workload Automation for Z will verify authorization for application descriptions (by checking the application name) and workstations (by checking the workstation name).
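
The record-level check for AD.ADNAME and the effect of LISTLOGGING on a list request, as a simplified Python model added here (it is not HCL code). The profiles, user ID and application names are constructed; generic matching is approximated with fnmatch, only failed accesses are audited, and a record with no matching profile is assumed to fall back to already established authority.

```python
from fnmatch import fnmatchcase

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2}

# Constructed profiles in the class named by AUTHDEF CLASS (sample data, not real).
# "permit" maps user ID -> access; "audit" means the profile logs failed accesses.
PROFILES = {
    "ADA.PAY*":  {"permit": {"OPER1": "READ"}, "audit": True},
    "ADA.HR*":   {"permit": {}, "audit": True},
    "ADA.TEST*": {"permit": {}, "audit": False},
}
# Constructed AD records; only the application name matters for AD.ADNAME.
RECORDS = [{"adname": n} for n in
           ("PAYROLL1", "HRBONUS", "HRREVIEW", "TESTJOB", "INVENTRY")]

def resource_name(record):
    """AD.ADNAME: application name from the record, prefixed with ADA."""
    return "ADA." + record["adname"]

def find_profile(resource):
    # Simplification: longest matching pattern wins; RACF generic matching is richer.
    hits = [p for p in PROFILES if fnmatchcase(resource, p)]
    return max(hits, key=len) if hits else None

def list_applications(user, records, listlogging="ALL", need="READ"):
    """Model one list request; return (visible names, logged violations)."""
    visible, logged = [], []
    for rec in records:
        resource = resource_name(rec)
        name = find_profile(resource)
        if name is None:
            # Assumption: no subresource profile, so established authority applies.
            visible.append(rec["adname"])
            continue
        profile = PROFILES[name]
        if LEVELS[profile["permit"].get(user, "NONE")] >= LEVELS[need]:
            visible.append(rec["adname"])
        elif profile["audit"] and (
            listlogging == "ALL" or (listlogging == "FIRST" and not logged)
        ):
            logged.append(resource)  # one violation record for this entry
    return visible, logged

if __name__ == "__main__":
    for mode in ("ALL", "FIRST", "NONE"):
        print(mode, list_applications("OPER1", RECORDS, mode))
```

In this model the records returned to the user are the same in every mode; only the number of violation records written for the one list request changes, which is what to account for when alerting on access violations.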