Security keys for resource definitions

Here is the format of the security keys that the CICS® Configuration Manager server creates to check a user's authority to manipulate resource definitions:

Table 1. Security keys that CICS Configuration Manager creates to check whether a user is authorized to manipulate resource definitions
Might create ResGroup? API command Security key format  2  Access authority
Yes  1  Copy For the source resource definition:  3 
Read syntax diagramSkip visual syntax diagram
>>-prefix.source_CICS_config.source_group.type.name------------><

READ
For the target resource definition:
Read syntax diagramSkip visual syntax diagram
>>-prefix.target_CICS_config.target_group.type.target_name-----><

ALTER
Rename  4  For the source resource definition:
Read syntax diagramSkip visual syntax diagram
>>-prefix.target_CICS_config.source_group.type.source_name-----><

For the target resource definition:
Read syntax diagramSkip visual syntax diagram
>>-prefix.target_CICS_config.target_group.type.target_name-----><

Create
Read syntax diagramSkip visual syntax diagram
>>-prefix.target_CICS_config.group.type.name-------------------><

 6 
Import  5 
 

Add
Delete
Recover
Remove

Inquire READ

Alter
Update

UPDATE
 1 
If the target resource definition key specifies a ResGroup that does not exist, then the API command the attempts to create the ResGroup. This involves an additional security key, as if a Create API command had been requested for the ResGroup. Note that this additional security checking does not involve API command security checking for a Create API command; just resource definition security checking for the ResGroup that needs to be created (as per the entry for Create in this table).
 2 
If the resource type is a group/ResGroup, then specify a "-" (hyphen) character as the group parameter.
 3 
If the source CICS configuration refers to an export file, then no security check is performed for the source resource definition.
 4 
You can think of a Rename API command as consisting of two operations: delete the source resource definition, and then create the target resource definition. Both operations require ALTER access authority.
A Rename API command for a group/ResGroup involves resource definition security checks (requiring ALTER access authority) for all of the following:
  • Each source resource definition (in the original group/ResGroup)
  • Each target resource definition (in the renamed group/ResGroup)
  • When renaming a ResGroup (not a group): the target ResGroup
 5 
The CICS configuration parameter for Import refers to the target CICS configuration where the resource definition is to be imported (copied) to, not the source CICS configuration (that refers to the export file) where the resource definition is to be imported from.
 6 
If the resource type is not associated with a group/ResGroup, then specify a "-" (hyphen) character as the group parameter.

If the resource type does not have a unique name, then specify a "-" (hyphen) character as the name parameter.

For example, specify group as a hyphen and name as a hyphen for the CICSPlex® SM full-function BAS APPLDEF, RASINDSC, and SYSLINK resource types.

For descriptions of the fields in these keys, see API parameters.

For each resource definition, the Copy and Rename API commands create two security keys, and make two calls to the external security manager: one for the source resource definition, and another for the target resource definition.

For the Rename API command, the parameter for the CICS configuration is labelled "target" in both security keys because you can only rename a resource definition within the same CICS configuration.

To simplify group resource profile definitions, the resource definition name is the last qualifier in the security key: some resource types may contain a period (.) as part of the resource name.

Start of change As a starting point, consider temporarily defining a general resource profile such as this: End of change

Start of change
CCVRES.**
End of change

Start of change (where CCVRES is the prefix that you have chosen for the security keys) End of change

Start of change with a universal access authority (UACC) of ALTER. This enables you to activate security checking in CICS Configuration Manager and then continue to work as before, while you define more specific general resource profiles. End of change

Start of change For examples of general resource profiles, and the JCL to define those profiles in a RACF environment, see member CCVXSAF3 of the sample library SCCVSAMP. End of change

Start of change For more examples of general resource profiles, see Example security scenario. End of change


Information Information

Feedback


Timestamp icon Last updated: Friday, 1 November 2013


http://pic.dhe.ibm.com/infocenter/cicsts/v5r1/topic//ccv-security-key-definitions.htm