HCL Workload Automation for Z and RACF®

HCL Workload Automation for Z performs security checking at the controller for GET, PUT, and DEL requests, for all ATPs that use the API. To establish a conversation, your ATP must supply a user ID and password, and optionally a profile that indicates the RACF® user group. The user ID must have the required level of access.

For CREATE requests, HCL Workload Automation for Z does not perform security checking, because the request could be directed to more than one HCL Workload Automation for Z subsystem where security rules differ. You can prevent unauthorized use of CREATE requests through APPC security mechanisms by protecting the LU and the TP name.

You can protect access to HCL Workload Automation for Z resources at these levels:
  1. The HCL Workload Automation for Z subsystem resource
  2. Fixed resources
  3. Subresources.

Access at one level determines the default access to the next level. The default is used if the required resource is not protected at the following level.

To use the API, you must have at least read access to the HCL Workload Automation for Z subsystem, which is defined in the APPL class. GET, PUT, and DEL requests require this access to fixed resources:

GET
    CP read. SR read is also required to retrieve special resource information.
PUT
    CP update is required for CP_OPER_EVENT, CP_OPINFO_EVENT, and CP_WS_EVENT. Additionally, EXEC update is required to request the EXEC command. BKP update is required for BACKUP_EVENT.
DEL
    Requires the same access as PUT.

You can further restrict access by specifying subresources, which are described in Table 1, Subresource Protection for Requests through the API.

Table 1. Subresource Protection for Requests through the API

Fixed resource   Subresource   Description
CP               CP.ADNAME     Application name
CP               CP.GROUP      Application authority group ID
CP               CP.JOBNAME    Operation job name
CP               CP.OWNER      Application owner
CP               CP.WSNAME     Workstation name
CP               CP.ZWSOPER    Workstation name used by an operation
CP               CP.CPGDDEF    Group definition ID name
RL               RL.ADNAME     Occurrence name
RL               RL.OWNER      Occurrence owner ID
RL               RL.GROUP      Occurrence authority-group ID
RL               RL.WSNAME     Current-plan workstation name
SR               SR.SRNAME     Special resource name

Note: If you restrict access at the subresource level, selection criteria find only those instances of an object that match the selection criteria and that the user ID has access to.

If a request is denied for READ access to the HCL Workload Automation for Z subsystem resource or to a fixed resource, you receive CPI-C return code CM_SECURITY_NOT_VALID and the conversation is deallocated. Other security failures result in an error buffer with reason code 512 and the conversation remains allocated.
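
The access rules and failure outcomes described above can be modeled to check whether a user ID's permissions cover the requests an ATP will make. This is an added example, not HCL code or part of the original documentation. The ACL dictionary, its ("CP.ADNAME", "PAYROLL") key, and the function names are constructed for illustration, and treating a missing UPDATE on a fixed resource as an "other" security failure is this model's reading of the text.

```python
# Added example: a model of the rules on this page, not HCL product code.
RANK = {"NONE": 0, "READ": 1, "UPDATE": 2}
CP_EVENTS = {"CP_OPER_EVENT", "CP_OPINFO_EVENT", "CP_WS_EVENT"}

def required(verb, obj=None, special_resource=False, exec_command=False):
    """Fixed-resource access the page lists for GET, PUT and DEL."""
    if verb == "GET":
        need = {"CP": "READ"}
        if special_resource:
            need["SR"] = "READ"
        return need
    need = {}  # PUT; DEL requires the same access as PUT
    if obj in CP_EVENTS:
        need["CP"] = "UPDATE"
    if obj == "BACKUP_EVENT":
        need["BKP"] = "UPDATE"
    if exec_command:
        need["EXEC"] = "UPDATE"
    return need

def effective(acl, fixed, sub=None):
    """Each level's access is the default for an unprotected next level."""
    access = acl.get(fixed, acl["APPL"])   # fixed resource, else subsystem access
    if sub is not None:
        access = acl.get(sub, access)      # subresource, else fixed-resource access
    return access

def decide(acl, verb, obj=None, **flags):
    """Return (result, conversation state) for one request from one user ID."""
    if RANK[acl["APPL"]] < RANK["READ"]:
        return ("CM_SECURITY_NOT_VALID", "deallocated")
    for fixed, level in required(verb, obj, **flags).items():
        have = RANK[effective(acl, fixed)]
        if have < RANK["READ"]:
            return ("CM_SECURITY_NOT_VALID", "deallocated")
        # Assumption: holding READ but lacking UPDATE is an "other" failure.
        if have < RANK[level]:
            return ("reason code 512", "allocated")
    return ("OK", "allocated")

# Constructed profile for one user ID: access per resource; absent = not protected.
ACL = {"APPL": "READ", "CP": "UPDATE", "BKP": "NONE",
       ("CP.ADNAME", "PAYROLL"): "READ"}
```

With this constructed profile, SR and EXEC are unprotected and inherit READ from the subsystem level, so a GET of special resource information succeeds while a request for the EXEC command fails with reason code 512.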

For a detailed explanation of security considerations, see Customization and Tuning.