Roles and privileges for securing the job scheduler
This topic describes the lradmin and lrsubmitter roles and privileges for securing the job scheduler.
Authority for different roles
We can secure the job scheduler application by enabling global security and application security. Application security secures the job management console. The job scheduler application uses a combination of both declarative and instance-based security approaches to secure jobs and commands, where only users who are assigned with the lradmin or lrsubmitter role have the authority to perform grid operations in a security-enabled environment.
As illustrated in the following table, users who are assigned with the lradmin role have the authority to perform all job scheduler application actions on all jobs regardless of job ownership, while users who are assigned with the lrsubmitter role can only act on jobs that are owned by the submitters themselves. The X character represents authority in the following table.
whether the lradmin role or the lrsubmitter role have authority for
Client commands lradmin role lrsubmitter role submit -xJCL=<file> X X submit -job=<job name> X X submit -job=<job name> -add or replace X N/A This is an admin command. cancel -jobid=<jobid> X X (only jobs owned) purge -jobid=<jobid> X X (only jobs owned) output -jobid=<jobid> X X (only jobs owned) restart -jobid=<jobid> X X (only jobs owned) remove -job=<jobname> X N/A This is an admin command. suspend -jobid=<jobid> X X (only jobs owned) resume -jobid=<jobid> X X (only jobs owned) status (showAll) X N/A This is an admin command. status -jobid=<jobid> X X (only jobs owned) getBatchJobRC -jobid=<jobid> X X (only jobs owned) help X X (zos) If we use System Authorization Facility (SAF) EJBROLE profiles on the z/OS operating system to administer role-based security, define EJBROLE profiles for lradmin and lrsubmitter roles. Permit these roles to the appropriate SAF user IDs for batch job administrators and submitters.
Related tasks
Secure the job scheduler using roles Running batch jobs under user credentials