Authorizing HCL Workload Automation for Z as a job submitter

Consider the following resource classes when implementing security for HCL Workload Automation for Z. The examples assume that the RACF® user for the HCL Workload Automation for Z address space is OPCAPPL, which is the name specified in the started-procedure table.
JESJOBS
If your installation has activated the JESJOBS class, you must permit HCL Workload Automation for Z to submit all jobs that are defined in the current plan. One way of doing this is to permit HCL Workload Automation for Z to submit all jobs. You can do this by:
  1. Defining the submit resource:
     RDEFINE JESJOBS SUBMIT.*.*.* UACC(NONE) OWNER(OPCAPPL)
  2. Authorizing HCL Workload Automation for Z:
     PERMIT SUBMIT.*.*.* CLASS(JESJOBS) ID(OPCAPPL) ACC(READ)
SURROGAT
A surrogate job submission occurs when all the following conditions are met:
  1. USER=xxxx is specified on the job card of the submitted job.
  2. The user xxxx is not the same as the submitting (RACF®) user.
  3. No password is specified on the job card.
You might use the job-submit exit (EQQUX001) to return a submitting user in the RUSER field. This is required if you want stand-alone cleanup jobs to be submitted with the same authority as the original job; otherwise, you can replace it with surrogate job submission.
To permit HCL Workload Automation for Z to submit such a job, perform the following steps. In the example commands, APLUSER is the user ID specified in USER= on the job card:
  1. Activate the surrogate class:
     SETROPTS CLASSACT(SURROGAT)
  2. Define the submit resource:
     RDEFINE SURROGAT APLUSER.SUBMIT UACC(NONE) OWNER(APLUSER)
  3. Authorize HCL Workload Automation for Z:
     PERMIT APLUSER.SUBMIT CLASS(SURROGAT) ID(OPCAPPL) ACC(READ)
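
The following Python sketch is an added example, not part of the product or of the original documentation. It applies the three surrogate-submission conditions above to a job card and returns the SURROGAT profile (xxxx.SUBMIT) that the submitting user needs READ access to. The function names, the simplified JCL parsing, and the sample job card are assumptions made for illustration.

```python
import re

def job_card_operands(jcl: str) -> str:
    """Return the JOB statement's operand field with continuations joined."""
    parts, in_job = [], False
    for line in jcl.splitlines():
        line = line[:71]                      # columns 72-80 are not operands
        if line.startswith("//*"):
            continue                          # JCL comment statement
        if not in_job:
            m = re.match(r"//\S+\s+JOB(?:\s+(.*))?$", line)
            if not m:
                continue
            in_job, field = True, m.group(1) or ""
        elif line.startswith("// "):
            field = line[3:].lstrip()         # continuation line
        else:
            break
        field = re.sub(r"'(?:[^']|'')*'", "''", field)  # blank out quoted text
        field = field.split(" ", 1)[0]        # drop trailing comments
        parts.append(field)
        if not field.endswith(","):
            break                             # no comma: statement is complete
    return "".join(parts).upper()

def required_surrogat_profile(jcl: str, submitter: str):
    """Profile the submitter needs READ access to, or None if not surrogate."""
    ops = job_card_operands(jcl)
    user = re.search(r"(?:^|,)USER=([A-Z0-9#$@]+)(?:,|$)", ops)
    if user is None:                          # condition 1 not met
        return None
    if user.group(1) == submitter.upper():    # condition 2 not met
        return None
    if re.search(r"(?:^|,)PASSWORD=", ops):   # condition 3 not met
        return None
    return f"{user.group(1)}.SUBMIT"

# Constructed sample job card (hypothetical job, not from the documentation).
SAMPLE_JCL = """\
//CLEANUP1 JOB (ACCT),'NIGHTLY,USER=X',CLASS=A,
//*  constructed sample job card
//         USER=APLUSER,MSGCLASS=X   RUNS AS APLUSER
//STEP1    EXEC PGM=IEFBR14
"""

if __name__ == "__main__":
    print(required_surrogat_profile(SAMPLE_JCL, "OPCAPPL"))
```

Running the check over the job cards in a job library lists the xxxx.SUBMIT profiles that OPCAPPL actually needs, so each one can be defined and permitted individually.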

If the PRIVILEGED or TRUSTED attribute is set in the Started Procedure Table (SPT) entry, HCL Workload Automation for Z is authorized to submit jobs under any user, regardless of what is defined in the resource rules.

For further information, see the RACF® Administrator's Guide.