Authorizing HCL Workload Automation for Z to issue JES commands
Consider the following resource classes when implementing security for HCL Workload Automation for Z. The examples assume that the RACF® user for the HCL Workload Automation for Z address space is OPCAPPL, which is the name specified in the started-procedure table.
- OPERCMDS
- If the OPERCMDS class is active and you have specified HOLDJOB(YES) or HOLDJOB(USER) for an event writer, the HCL Workload Automation for Z address space where the event writer is started must be authorized to issue the JES release command. One method is to permit HCL Workload Automation for Z to issue all JES commands. To permit HCL Workload Automation for Z to issue JES commands on a JES2 system, perform the following steps:
- Define the resource:
RDEFINE OPERCMDS JES2.* UACC(NONE)
- Authorize HCL Workload Automation for Z:
PERMIT JES2.* CLASS(OPERCMDS) ID(OPCAPPL) ACC(UPDATE)
If you use HCL Workload Automation for Z to schedule started tasks, the address space must be authorized to issue the z/OS start command. One way of doing this is to permit HCL Workload Automation for Z to issue all z/OS commands. To do this, perform the following steps:
- Define the resource:
RDEFINE OPERCMDS ZOS.* UACC(NONE)
- Authorize HCL Workload Automation for Z:
PERMIT ZOS.* CLASS(OPERCMDS) ID(OPCAPPL) ACC(UPDATE)
Authority to use the z/OS start command is also required if you use Hiperbatch™ support for HCL Workload Automation for Z operations.
- JESSPOOL
- If the JESSPOOL class is active and you use the HCL Workload Automation for Z JCC function, you must authorize HCL Workload Automation for Z to access SYSOUT data sets for all jobs in the current plan. One way of doing this is to permit HCL Workload Automation for Z to access all SYSOUT data sets. To permit HCL Workload Automation for Z to access all SYSOUT data sets, perform these steps on each system where the JCC is started:
- Define the resource:
RDEFINE JESSPOOL *.* UACC(NONE)
- Authorize HCL Workload Automation for Z:
PERMIT *.* CLASS(JESSPOOL) ID(OPCAPPL) ACC(ALTER)
If the PRIVILEGED or TRUSTED attribute is set in the Started Procedure Table (SPT) entry for HCL Workload Automation for Z, then the address space is authorized to issue any commands and to process spool data sets regardless of what is defined in the resource rules.
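The JES2 and JESSPOOL steps above can be run as one batch TSO job that also refreshes the in-storage profiles and lists each access list so the OPCAPPL entry can be confirmed. This is an added example, not part of the product documentation. Assumptions: the job card values are placeholders, the submitting user has RACF authority over both classes, generic profile checking is enabled for both classes, and OPERCMDS is RACLISTed.

```jcl
//RACFOPC  JOB (ACCT),'OPC RACF SETUP',CLASS=A,MSGCLASS=X
//* Added example. Job name, accounting data and classes are
//* placeholders; replace them with your site's values.
//*
//* Step order in SYSTSIN:
//*   1. Define the profiles and permit OPCAPPL (commands
//*      taken from the steps in this topic).
//*   2. Refresh in-storage profiles so the change takes
//*      effect (assumes OPERCMDS is RACLISTed and generic
//*      profile checking is on for JESSPOOL).
//*   3. List each profile with its access list; check that
//*      UACC is NONE and OPCAPPL appears with the expected
//*      access level.
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE OPERCMDS JES2.* UACC(NONE)
  PERMIT JES2.* CLASS(OPERCMDS) ID(OPCAPPL) ACC(UPDATE)
  RDEFINE JESSPOOL *.* UACC(NONE)
  PERMIT *.* CLASS(JESSPOOL) ID(OPCAPPL) ACC(ALTER)
  SETROPTS RACLIST(OPERCMDS) REFRESH
  SETROPTS GENERIC(JESSPOOL) REFRESH
  RLIST OPERCMDS JES2.* AUTHUSER
  RLIST JESSPOOL *.* AUTHUSER
/*
```

The RLIST output in SYSTSPRT shows what the profiles grant; it does not reflect the PRIVILEGED or TRUSTED attribute, which bypasses these profiles as described above.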
For further information, see the RACF® Security Administrator's Quick Reference.