HCL Workload Automation for Z and RACF®
HCL Workload Automation for Z performs security checking at the controller for GET, PUT, and DEL requests, for all ATPs that use the API. To establish a conversation, your ATP must supply a user ID and password, and optionally a profile that indicates the RACF® user group. The user ID must have the required level of access.
For CREATE requests, HCL Workload Automation for Z does not perform security checking, because the request could be directed to more than one HCL Workload Automation for Z subsystem where security rules differ. You can prevent unauthorized use of CREATE requests through APPC security mechanisms by protecting the LU and the TP name.
- The HCL Workload Automation for Z subsystem resource
- Fixed resources
- Subresources.
- GET
- CP read. SR read is also required to retrieve special resource information.
- PUT
- CP update is required for CP_OPER_EVENT, CP_OPINFO_EVENT, and CP_WS_EVENT. Additionally, EXEC update is required to request the EXEC command. BKP update is required for BACKUP_EVENT.
- DEL
- Requires the same access as PUT.
You can further restrict access by specifying subresources, which are described in Subresource Protection for Requests through the API.
Fixed resource | Subresource | Description |
---|---|---|
CP | CP.ADNAME | Application name |
CP.GROUP | Application authority group ID | |
CP.JOBNAME | Operation job name | |
CP.OWNER | Application owner | |
CP.WSNAME | Workstation name | |
CP.ZWSOPER | Workstation name used by an operation | |
CP.CPGDDEF | Group definition ID name | |
RL | RL.ADNAME | Occurrence name |
RL.OWNER | Occurrence owner ID | |
RL.GROUP | Occurrence authority-group ID | |
RL.WSNAME | Current-plan workstation name | |
SR | SR.SRNAME | Special resource name |
If a request is denied for READ access to the HCL Workload Automation for Z subsystem resource or to a fixed resource, you receive CPI-C return code CM_SECURITY_NOT_VALID and the conversation is deallocated. Other security failures result in an error buffer with reason code 512 and the conversation remains allocated.
For a detailed explanation of security considerations, see Customization and Tuning.