Securing the job scheduler using roles
You can secure the job scheduler by mapping users and groups to specific security roles.
Before you begin
Users who are assigned the lradmin role have the authority to perform all job scheduler application actions on all jobs regardless of job ownership, while users who are assigned with the lrsubmitter role can only act on jobs that are owned by the submitters themselves.
Users in the lrmonitor role can view and download all job logs, but cannot submit or operate on jobs.
If you use System Authorization Facility (SAF) EJBROLE
profiles on the z/OS® operating
system, define EJBROLE profiles for lradmin and lrsubmitter roles.
Permit these roles to the appropriate SAF user IDs. Do not control
permissions through the administration console as described in the
following procedure.
About this task
Procedure
- Click .
- Select administrative security and application security.
- Configure the user account repository by specifying one of the available realm definitions.
- After you have configured WebSphere® Application Server Security, click Apply to save your configuration.
- Expand .
- Select the roles to be configured.
- Click Look up users if one or more users are to be assigned the target role, or click Look up groups if role assignment is at the group level.
- Select the user or group to be assigned to the target role.
- Click OK and save the configuration.
- Restart the cell.
What to do next
<app_server_root>/bin/lrcmd.[bat|sh]
-cmd=<name_of_command> <command_arguments> [-host=<host> -port=<port>]
-userid=<user_ID> -password=<password>
- <host> is the job scheduler server host name. If not specified, the default is localhost.
- <port> is the scheduler server HTTP (HTTPS) port. If not specified, the default is 80.
D:\IBM\WebSphere\AppServer\bin\lrcmd -cmd=submit
-xJCL=D:\IBM\WebSphere\AppServer\samples\Batch\postingSampleXJCL.xml
-port=9445 -host=wasxd01.ibm.com -userid=mylradmin -password=w2g0u1tf