Roles and privileges for securing the job scheduler
This topic describes the lradmin and lrsubmitter roles and privileges for securing the job scheduler.
We can secure the job scheduler application by enabling global security and application security. Application security secures the job management console. The job scheduler application combines declarative and instance-based security to secure jobs and commands: in a security-enabled environment, only users who are assigned the lradmin or lrsubmitter role have the authority to perform grid operations.
Users assigned the lradmin role have the authority to perform all job scheduler application actions on all jobs regardless of job ownership, while users assigned the lrsubmitter role can act only on jobs that they own. In the following table, the X character represents authority.
| Client command | lradmin | lrsubmitter |
|---|---|---|
| submit -xJCL=file | X | X |
| submit -job=job name | X | X |
| submit -job=job name -add or replace | X | N/A. This is an admin command. |
| cancel -jobid=jobid | X | X (only jobs owned) |
| purge -jobid=jobid | X | X (only jobs owned) |
| output -jobid=jobid | X | X (only jobs owned) |
| restart -jobid=jobid | X | X (only jobs owned) |
| remove -job=jobname | X | N/A. This is an admin command. |
| suspend -jobid=jobid | X | X (only jobs owned) |
| resume -jobid=jobid | X | X (only jobs owned) |
| status (showAll) | X | N/A. This is an admin command. |
| status -jobid=jobid | X | X (only jobs owned) |
| getBatchJobRC -jobid=jobid | X | X (only jobs owned) |
| help | X | X |

(ZOS) If we use System Authorization Facility (SAF) EJBROLE profiles on the z/OS operating system to administer role-based security, define EJBROLE profiles for lradmin and lrsubmitter roles. Permit these roles to the appropriate SAF user IDs for batch job administrators and submitters.
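The table above combines a role check (declarative) with a job-ownership check (instance-based). The following Python model of that decision is an added example, not the job scheduler's own code; the command labels, the Job class, the authorize and audit functions, and the sample users are hypothetical, and the model assumes that anything not listed in the table is denied.

```python
# Added illustration of the table's role and ownership rules (hypothetical names).
from dataclasses import dataclass

ADMIN, SUBMITTER = "lradmin", "lrsubmitter"
ANY, OWNED = "any job", "only jobs owned"

# One entry per table row; a role missing from a row has no authority (N/A).
MATRIX = {
    "submit": {ADMIN: ANY, SUBMITTER: ANY},
    "submit (add or replace)": {ADMIN: ANY},
    "remove": {ADMIN: ANY},
    "status (showAll)": {ADMIN: ANY},
    "help": {ADMIN: ANY, SUBMITTER: ANY},
}
# Per-job commands: lradmin on any job, lrsubmitter only on jobs it owns.
for _cmd in ("cancel", "purge", "output", "restart", "suspend",
             "resume", "status", "getBatchJobRC"):
    MATRIX[_cmd] = {ADMIN: ANY, SUBMITTER: OWNED}

@dataclass(frozen=True)
class Job:
    job_id: str
    owner: str

def authorize(user, roles, command, job=None):
    """Return (allowed, reason). Unknown commands and roles are denied."""
    row = MATRIX.get(command)
    if row is None:
        return False, "unknown command"
    scopes = {row[r] for r in roles if r in row}
    if ANY in scopes:
        return True, "role grants the command on any job"
    if OWNED in scopes:
        if job is not None and job.owner == user:
            return True, "caller owns the job"
        return False, "lrsubmitter may act only on jobs it owns"
    return False, "no role grants this command"

def audit(requests):
    """Evaluate (user, roles, command, job) tuples and return the denials."""
    return [(u, c, reason) for u, roles, c, job in requests
            for ok, reason in [authorize(u, roles, c, job)] if not ok]

if __name__ == "__main__":
    job = Job("job:42", owner="alice")  # constructed sample data
    for denial in audit([("alice", {SUBMITTER}, "cancel", job),
                         ("bob", {SUBMITTER}, "cancel", job),
                         ("bob", {SUBMITTER}, "status (showAll)", None)]):
        print(denial)
```

A user holding both roles is evaluated with the broader lradmin scope, because the role check succeeds before ownership is consulted.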