Security in automatic recovery
The current plan is protected from unauthorized update attempts. The level of protection is controlled by use of the AROPTS and AUTHDEF initialization statements. Refer to Customization and Tuning for details. Certain automatic recovery functions, such as the ADDAPPL and RELSUCC functions, perform updates to the current plan as part of the recovery procedure.
There are two parameters in the AROPTS
statement that you can use
to control the authority checking. The USERREQ keyword specifies whether it is possible
for authority to be granted if the selected USERID is not known or
if no USERID information is available. Using the AUTHUSER keyword you can specify
the source from which HCL Workload Automation for Z should
determine the USERID. You can specify:
- The last user to update the JCL
- The authority group of the failing occurrence
- The owner ID of the failing occurrence
When you specify JCLUSER, the last user who updated the JCL is assumed to be responsible for the JCL including its RECOVER statements. HCL Workload Automation for Z checks that this user has the level of authority required to perform the updates requested by the RECOVER statements.
HCL Workload Automation for Z finds
the user ID of the last user to update the JCL from
one of three sources, depending on where the JCL is obtained:
- When the JCL is obtained from the EQQJBLIB data set, the ID of the last user to update the JCL is retrieved from the ISPF statistics in the directory entry for the JCL member. If there is no user ID recorded in the statistics, no authorization checking can be performed.
- When the JCL is entered from the EQQUX002 exit, the updating user ID is passed as a parameter to HCL Workload Automation for Z so that authorization checking can be performed.
- When the JCL is updated via a panel, the ID of the last user who updated the JCL is stored. This is then used for authorization checking.