S 4.217 Workload management for z/OS systems
Initiation responsibility: Head of IT
Implementation responsibility: Administrator, Specialists Responsible
The resources in a parallel Sysplex cluster (and also in a stand-alone system) are managed using the WLM (Workload Manager) component of the z/OS operating system. The following information relating to the secure use of the WLM should be taken into account:
Protection of the couple datasets
The couple datasets needed for the WLM must be protected by corresponding RACF (Resource Access Control Facility) profiles. The same applies to the WLM working files, which are one or more PDS (Partitioned Dataset) files. The utility program used to create the files must be protected using the RACF FACILITY profile MVSADMIN.WLM.POLICY.
Protection of the modify command
It is possible to change WLM options dynamically using a modify command. This command should only be available to authorised employees such as correspondingly trained operators or system programmers.
Protection of the reset command
The reset command must be protected so that only authorised employees can change the WLM rules for jobs currently executing.
Protection of the WLM application
The WLM definitions are managed in an ISPF-based (Interactive System Productivity Facility) WLM dialogue. Access to the WLM application should be protected using the RACF FACILITY profile MVSADMIN.WLM.POLICY and should only be granted to authorised employees (service and capacity management).
Matching authorisation
Defined WLM specifications (e.g. the Service Class) can be changed using MVS commands as well as using the SDSF (System Display and Search Facility) interface. It must be ensured that the authorisations required to change the WLM via MVS commands and via the SDSF are the same.
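The comparison required under "Matching authorisation" can be automated. The following Python sketch is an added example, not part of the original safeguard: it reads a simplified, constructed listing of access-list entries and reports which IDs can change WLM settings through only one of the two paths. The input format, the user IDs and the choice of OPERCMDS MVS.RESET and SDSF ISFATTR.JOB.SRVCLASS as the profiles covering the two paths are assumptions to be replaced with the installation's own values; UACC and group membership are not evaluated.

```python
# Added example: compare who may change WLM settings via MVS commands vs. SDSF.
# Constructed sample, one access-list entry per line: CLASS PROFILE ID ACCESS.
# Profile names and IDs are assumptions; substitute the installation's own.
SAMPLE_PERMITS = """\
# class    profile               id        access
FACILITY   MVSADMIN.WLM.POLICY   WLMADM    UPDATE
OPERCMDS   MVS.RESET             SYSPROG   UPDATE
OPERCMDS   MVS.RESET             OPER1     UPDATE
OPERCMDS   MVS.RESET             AUDITOR   READ
SDSF       ISFATTR.JOB.SRVCLASS  SYSPROG   UPDATE
SDSF       ISFATTR.JOB.SRVCLASS  HELPDESK  UPDATE
"""

# RACF access levels in ascending order of authority.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


def parse_permits(text):
    """Return {(class, profile): {id: access}}; raise on malformed lines."""
    acl = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.upper().split()
        if len(parts) != 4 or parts[3] not in LEVELS:
            raise ValueError(f"line {lineno}: expected CLASS PROFILE ID ACCESS")
        cls, profile, ident, access = parts
        acl.setdefault((cls, profile), {})[ident] = access
    return acl


def ids_with_access(acl, resource, needed="UPDATE"):
    """IDs whose access to the resource is at least the needed level."""
    return {ident for ident, access in acl.get(resource, {}).items()
            if LEVELS[access] >= LEVELS[needed]}


def compare_paths(acl, command_path, sdsf_path, needed="UPDATE"):
    """Split IDs into those authorised on one path only and on both."""
    cmd = ids_with_access(acl, command_path, needed)
    sdsf = ids_with_access(acl, sdsf_path, needed)
    return {"command_only": sorted(cmd - sdsf),
            "sdsf_only": sorted(sdsf - cmd),
            "both": sorted(cmd & sdsf)}


if __name__ == "__main__":
    result = compare_paths(parse_permits(SAMPLE_PERMITS),
                           ("OPERCMDS", "MVS.RESET"),
                           ("SDSF", "ISFATTR.JOB.SRVCLASS"))
    for key, ids in result.items():
        print(f"{key}: {', '.join(ids) or '-'}")
```

Any ID listed under `command_only` or `sdsf_only` indicates that the two paths are not authorised identically and should be reviewed.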
Review questions:
- Are the couple datasets required for WLM of z/OS systems protected by corresponding RACF profiles?
- Is the modify command, which can change WLM options under z/OS dynamically, only available to the employees authorised in this respect?
- Is the reset command protected so that only authorised employees can change the WLM rules for jobs currently executing on the z/OS system?
- Is the access to the WLM application of the z/OS systems protected using the RACF FACILITY profile MVSADMIN.WLM.POLICY?
- Is the WLM application of the z/OS systems only available to authorised employees?
- Are the authorisations required to change the z/OS WLM via MVS commands and via the SDSF the same?