Roles and privileges for securing the job scheduler

This topic describes the lradmin and lrsubmitter roles and privileges for securing the job scheduler.

Authority for different roles

You can secure the job scheduler application by enabling global security and application security. Application security secures the job management console. The job scheduler application uses a combination of declarative and instance-based security to secure jobs and commands: in a security-enabled environment, only users who are assigned the lradmin or lrsubmitter role have the authority to perform grid operations.

As the following table shows, users who are assigned the lradmin role have the authority to perform all job scheduler application actions on all jobs, regardless of job ownership, while users who are assigned the lrsubmitter role can act only on jobs that they own. The X character represents authority in the table.

Table 1. Authoritative roles. The table lists client commands and indicates with an X character whether the lradmin role or the lrsubmitter role has authority for those commands.

| Client commands | lradmin role | lrsubmitter role |
|---|---|---|
| submit -xJCL=<file> | X | X |
| submit -job=<job name> | X | X |
| submit -job=<job name> -add or replace | X | N/A. This is an admin command. |
| cancel -jobid=<jobid> | X | X (only jobs owned) |
| purge -jobid=<jobid> | X | X (only jobs owned) |
| output -jobid=<jobid> | X | X (only jobs owned) |
| restart -jobid=<jobid> | X | X (only jobs owned) |
| remove -job=<jobname> | X | N/A. This is an admin command. |
| suspend -jobid=<jobid> | X | X (only jobs owned) |
| resume -jobid=<jobid> | X | X (only jobs owned) |
| status (showAll) | X | N/A. This is an admin command. |
| status -jobid=<jobid> | X | X (only jobs owned) |
| getBatchJobRC -jobid=<jobid> | X | X (only jobs owned) |
| help | X | X |
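
The following is an added example, not code from the product or from this documentation: a small Python model of Table 1 that can be used to review role assignments or replay a list of requested commands against the table. The function names, job IDs and user names are hypothetical, and two behaviors are assumptions of this sketch: a user who holds both roles is treated as lradmin, and any command that is not in the table is denied.

```python
import shlex

ADMIN_ONLY, ANY, OWNED = "admin-only", "any", "owned"
OWNED_CMDS = {"cancel", "purge", "output", "restart", "suspend", "resume",
              "status", "getBatchJobRC"}

def classify(argv):
    """Map a parsed client command to the Table 1 row it falls under."""
    cmd, opts = argv[0], {}
    for arg in argv[1:]:
        key, _, val = arg.lstrip("-").partition("=")
        opts[key] = val
    if cmd == "submit":  # -add / -replace turns submit into an admin command
        return (ADMIN_ONLY if opts.keys() & {"add", "replace"} else ANY), opts
    if cmd == "remove" or (cmd == "status" and "jobid" not in opts):
        return ADMIN_ONLY, opts  # remove, and status without -jobid (showAll)
    if cmd == "help":
        return ANY, opts
    if cmd in OWNED_CMDS:
        return OWNED, opts
    raise ValueError(f"unknown command: {cmd}")

def authorize(user, roles, command_line, job_owners):
    """Return (allowed, reason) for one client command line."""
    if not {"lradmin", "lrsubmitter"} & set(roles):
        return False, "no job scheduler role"
    try:
        rule, opts = classify(shlex.split(command_line))
    except (ValueError, IndexError):  # unknown, empty or unparsable command
        return False, "command not in Table 1"
    if "lradmin" in roles:
        return True, "lradmin"  # all actions on all jobs (assumed to win over lrsubmitter)
    if rule == ADMIN_ONLY:
        return False, "admin command"
    if rule == OWNED and job_owners.get(opts.get("jobid")) != user:
        return False, "job not owned by submitter"
    return True, "lrsubmitter"

JOB_OWNERS = {"job-17": "alice", "job-18": "bob"}  # constructed sample data
REQUESTS = [  # constructed sample requests, not from the page
    ("carol", ["lradmin"], "cancel -jobid=job-18"),
    ("alice", ["lrsubmitter"], "cancel -jobid=job-18"),
    ("alice", ["lrsubmitter"], "submit -job=nightly -replace"),
    ("dave", [], "help"),
]

def denied(requests, job_owners):
    checked = [(u, c, authorize(u, r, c, job_owners)) for u, r, c in requests]
    return [(u, c, res[1]) for u, c, res in checked if not res[0]]
```

Calling denied(REQUESTS, JOB_OWNERS) returns the three requests that the table rejects, each with the reason for the denial.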

[z/OS] If you use System Authorization Facility (SAF) EJBROLE profiles on the z/OS® operating system to administer role-based security, define EJBROLE profiles for the lradmin and lrsubmitter roles. Permit these roles to the appropriate SAF user IDs for batch job administrators and submitters.


Last updated: July 9, 2016 11:10
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=cgrid_bgroles
File name: cgrid_bgroles.html