Checking authority to approve or disapprove change packages

To approve or disapprove a change package, a CICS® Configuration Manager user issues an Approve or Disapprove command. The method for restricting whether a user can perform these commands is exactly the same as for any other CICS Configuration Manager API commands: the CICS Configuration Manager server sends a security key to the external security manager (such as RACF®). However, the key for an Approve or Disapprove command deserves special mention, because it includes an approver role and an approval profile:

Figure 1. SAF general resource key: checking whether a user is authorized to approve or disapprove a change package
Read syntax diagramSkip visual syntax diagram
>>-prefix.-+-APP-+-.migration_scheme.approval_profile.approver_role-><
           '-DIS-'                                                    

For descriptions of the fields in this key, see API parameters.

When a CICS Configuration Manager user issues the command to approve or disapprove a change package, they specify the approver role that they are representing (for example, "I am approving this change package as a project manager"). If the CICS Configuration Manager system option for security checking is active, the user must be authorized to represent that approver role for the migration scheme and the approval profile selected by the change package.

This enables you to define very specific rules for which change packages a user can approve or disapprove.

An approver role is not a user ID or a RACF user group. It is simply a part of the key that the CICS Configuration Manager server sends to the external security manager. You define approver roles in approval profiles, described in Approval profiles.

CICS Configuration Manager does not restrict the number of approver roles. However, for each approver role, you (or your security administrator) must define in the security database a general resource profile that matches the resulting "approve" and "disapprove" keys, and authorize the appropriate users for that profile. For details on defining general resource profiles, see z/OS®: Security Server RACF Security Administrator's Guide.


Information Information

Feedback


Timestamp icon Last updated: Friday, 1 November 2013


http://pic.dhe.ibm.com/infocenter/cicsts/v5r1/topic//ccv-security-approve-packages.htm