
Secure the job scheduler using roles and groups on the z/OS operating system

We can secure the job scheduler using roles and groups. A user can then act on a job if the user and the job are members of the same group and the user role permits the action.

Start the deployment manager and all node agents.

Enable WebSphere Application Server global security. Configure the user registry bridge for federated repositories. Install a VMM SAF mapping module and add the module to three login modules. Then use RACF to create a group and add a user to the group. Assign a group to a job. Define EJBROLE profiles for the lradmin and lrsubmitter roles.

  1. Enable global security.

    Read the section on enabling security in the WAS documentation and follow the directions. On the Global Security panels, ensure that the following options are selected.

  2. Configure the user registry bridge for federated repositories.

    Read the section on configuring the user registry bridge for federated repositories in the WAS documentation and follow the directions.

  3. Install the SampleVMMSAFMappingModule module.

    Read the section on installing and configuring a custom System Authorization Facility mapping module for the product and follow the directions. You add the module to the WEB_INBOUND, RMI_INBOUND, and DEFAULT login modules.

  4. Synchronize the changes and restart the cell.

  5. Create a group and add a user to the group.

    Read the information about creating a group and adding a user to the group in the RACF user's guide, Security Server RACF General User's Guide.

  6. Set the custom property that indicates which policy the batch environment uses.

    1. Expand System administration > Job scheduler.

    2. Under Additional Properties, click Custom properties > New.

    3. In the Name field, type JOB_SECURITY_POLICY, and in the Value field, type GROUP.

    4. Click OK.

  7. Assign a group to a job.

    A job belongs to a user group and an administrative group. If the JOB_SECURITY_ADMIN_GROUP variable is not defined, the job scheduler automatically assigns the administrative group to each job.

    • Configure the value of the administrative group name through the JOB_SECURITY_ADMIN_GROUP job scheduler custom property:

        JOB_SECURITY_ADMIN_GROUP=JSYSADMN

      The default administrative group name is JSYSADMN.

    • Assign the group using one of the following methods.

      • Define the group on the group attribute in the xJCL, for example:

          <job name="{jobname}" group="{group-name}" />

      • Set the job scheduler default group name using the JOB_SECURITY_DEFAULT_GROUP job scheduler custom property:

          JOB_SECURITY_DEFAULT_GROUP=JSYSDFLT

        The default group name is JSYSDFLT.

      The group attribute in the xJCL takes precedence over the job scheduler custom property. If we do not specify a group name in our xJCL, the job scheduler assigns the default group name.

  8. Define EJBROLE profiles for the lradmin and lrsubmitter roles.

    If we use System Authorization Facility (SAF) EJBROLE profiles on the z/OS operating system to administer role-based security, define EJBROLE profiles for the lradmin and lrsubmitter roles. Permit these roles to the appropriate SAF user IDs for batch job administrators and submitters.
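The RACF side of steps 5 and 8 can be run as one batch TSO job. The job below is an added example, not taken from the IBM documentation: the job card, the group name BATCHGRP and the user IDs BATCHU1 and BATCHADM are constructed placeholders, and it assumes the EJBROLE class is already active and RACLISTed and that the JSYSADMN group exists.

```jcl
//BATCHSEC JOB (ACCT),'JOB SCHED SEC',CLASS=A,MSGCLASS=X
//* Added example. Placeholders: job card, BATCHGRP, BATCHU1, BATCHADM.
//* Step 5: create the job group and connect the submitter to it.
//* Assumption: administrators are connected to the administrative
//*   group (JSYSADMN is the default name given in step 7).
//* Step 8: define the EJBROLE profiles with UACC(NONE) so that no
//*   user holds a role by default, then permit READ to specific IDs.
//* EJBROLE profile names are case-sensitive: keep lradmin and
//*   lrsubmitter in lowercase. If a SAF profile prefix is configured
//*   for the cell, the profile names must carry that prefix.
//* The RLIST and LISTGRP commands at the end print the resulting
//*   access lists and group membership to SYSTSPRT for review.
//RACFCMD  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP BATCHGRP
  CONNECT BATCHU1 GROUP(BATCHGRP)
  CONNECT BATCHADM GROUP(JSYSADMN)
  RDEFINE EJBROLE lradmin UACC(NONE)
  RDEFINE EJBROLE lrsubmitter UACC(NONE)
  PERMIT lradmin CLASS(EJBROLE) ID(BATCHADM) ACCESS(READ)
  PERMIT lrsubmitter CLASS(EJBROLE) ID(BATCHU1) ACCESS(READ)
  SETROPTS RACLIST(EJBROLE) REFRESH
  RLIST EJBROLE lradmin AUTHUSER
  RLIST EJBROLE lrsubmitter AUTHUSER
  LISTGRP BATCHGRP
/*
```

With these definitions, a job whose xJCL specifies group="BATCHGRP" falls in BATCHU1's group; a job submitted without a group attribute is assigned JSYSDFLT instead, so review who is connected to that default group.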


Results

We created a group and assigned a user to the group. We also permitted the user ID to the appropriate role so that the user can manage jobs if the role permits the actions.


What to do next

Manage jobs using group and role security.

  1. Submit the job.

  2. Have the user created in a previous step act on the job, such as by viewing the job log.


Related concepts

  • Special considerations for controlling access to naming roles using SAF authorization
  • Roles and privileges for securing the job scheduler
  • Job scheduler security overview


Related tasks

  • Enable security
  • Assigning users and groups to roles
  • Configure the user registry bridge for federated repositories
  • Configure a custom System Authorization Facility mapping module for WebSphere Application Server


Related information

  • IBM Publications Center