User authentication and authorization to browse and manipulate individual host resources are controlled by an existing external security manager (ESM), such as RACF®.
CICS® Transaction Server for z/OS® Installation Guide provides more information about the security accesses required by the various user IDs.
If the Web User Interface server is running with the CICS system initialization parameter SEC=YES, you can control who can access the Web User Interface, what resources they can see, what actions they can perform, and the use of the View Editor. If you have already set up CICSPlex® SM security for use with the TSO EUI and CICSPlex SM API, users have the same level of access via the Web User Interface as through the EUI and API.
When you attempt to connect to a Web User Interface server, the CICSPlex SM Web User Interface Signon Panel is displayed. The user ID and password entered in this panel are passed to the Web User Interface server, in plain text over the TCP/IP connection unless you are using SSL support, and then verified by the external security manager. If the external security manager supports mixed case passwords, and this is active, an icon will appear next to the password field when you sign on.
All users who are successfully signed on to the Web User Interface have access to all of the customizable view and menu help pages, if the customizable view and menu help is served by the Web User Interface.
To control who is allowed to sign on to the Web User Interface server, you can protect the Web User Interface CICS applid via RACF APPL checking. See the CICS RACF Security Guide for details.
Access to managed resources uses standard CICSPlex SM security using profiles in the CPSMOBJ class (see the CICS RACF Security Guide). For example, to see a CICS region view, the Web User Interface user needs READ authority via the CPSMOBJ class profile OPERATE.REGION.context.scope.
Access to CICS resources and actions upon resources within a view uses CICSPlex SM's simulated CICS security checking (see the CICS RACF Security Guide) which uses the normal CICS RACF resource and command security profiles. For example, to issue the shutdown action against a CICS region, the Web User Interface user would need UPDATE authority to the SHUTDOWN command in the CCICSCMD class, if command security is active in the target CICS region.
You can use your external security manager to control user access to views, menus, help information and the View Editor. The navigation frame is exempt from security checks. In order to control user access you need to create the appropriate profiles in the FACILITY class. The following ESM FACILITY profiles are available:
where wui_server_applid is the CICS APPLID of the server.
Users can be given read or update access to views and menus:
If the ESM that you are using neither grants nor refuses access to a profile (for example, if no RACF profile is defined), all users who are successfully signed on to the Web User Interface have access to the resource. You can make "not authorized" the default by defining a generic profile.
When selecting a view set or menu to edit or delete within the View Editor, only items for which you have update access are listed. However, when selecting a view set to copy, all items for which you have read access are shown. This allows you to copy any object to which you have read-only access into a private copy in your updateable name space.
When browsing for views that are accessible, no security exceptions are logged. Users are presented with a list that has been filtered to remove the views that are not accessible. However, when a user attempts an unauthorized action, for example creating a view in a denied name space, the EYULOG security exception message EYUVS1100E is issued.
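The two behaviours above (an undefined profile means every signed-on user is allowed, and browsing filters silently while an unauthorized update raises EYUVS1100E) as an added, simplified model; this is example code, not CICS or RACF code, and the applid WUISRV01, the view set names and the RACF matching rules it assumes are constructed for illustration.

```python
# Added example (not CICS or RACF code): a simplified model of the WUI FACILITY
# access decision: a resource with no covering profile is open to every signed-on
# user, and a generic profile makes "not authorized" the default. Assumed rules:
# '*' = one qualifier, '**' = zero or more, most specific profile wins, and
# access precedence is user entry > group entry > UACC.
RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

def _match(pq, rq):
    """Qualifier-by-qualifier match of profile name pq against resource rq."""
    if not pq:
        return not rq
    if pq[0] == "**":
        return any(_match(pq[1:], rq[i:]) for i in range(len(rq) + 1))
    return bool(rq) and pq[0] in ("*", rq[0]) and _match(pq[1:], rq[1:])

class Facility:
    # FACILITY class: profile name -> (UACC, {user or group: access})
    def __init__(self):
        self.profiles = {}

    def rdefine(self, name, uacc="NONE"):
        self.profiles[name] = (uacc, {})

    def permit(self, name, ids, access):
        self.profiles[name][1].update({i: access for i in ids})

    def best_profile(self, resource):
        hits = [p for p in self.profiles if _match(p.split("."), resource.split("."))]
        # fewest wildcards first, then the longer (more specific) name
        return min(hits, default=None,
                   key=lambda p: (p.count("**"), p.count("*"), -len(p)))

    def authorized(self, resource, user, groups, need):
        """WUI rule: when no profile covers the resource, access is allowed."""
        prof = self.best_profile(resource)
        if prof is None:
            return True
        uacc, acl = self.profiles[prof]
        have = acl.get(user) or max((acl[g] for g in groups if g in acl),
                                    key=RANK.get, default=uacc)
        return RANK[have] >= RANK[need]

def visible_views(esm, applid, user, groups, viewsets):
    """Browsing silently filters out view sets the user cannot READ."""
    return [v for v in viewsets
            if esm.authorized(f"EYUWUI.{applid}.VIEW.{v}", user, groups, "READ")]

def create_view(esm, applid, user, groups, viewset):
    """A denied update attempt surfaces as the EYUVS1100E security exception."""
    ok = esm.authorized(f"EYUWUI.{applid}.VIEW.{viewset}", user, groups, "UPDATE")
    return "OK" if ok else "EYUVS1100E"
```

Define the generic EYUWUI.applid.VIEW.** profile with UACC(NONE) first and the default flips from allow to deny; the specific view set profile then grants exactly the access that is permitted.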
The following examples use the RACF TSO command syntax and assume that the default CICS RACF classes are in use and that no security prefixing is in use. This is not the only way that suitable profiles can be defined; these examples can be adapted to suit the installation's requirements and standards.
In the examples, lower case strings should be replaced with the appropriate user ID or resource.
Create Web User Interface user groups:
ADDGROUP (WUISERV,WUIADM,WUIUSER,WUIEDIT)
Define profiles to protect Web User Interface transactions:
RDEFINE GCICSTRN WUISYS UACC(NONE) ADDMEM(COVP,COVU,COVE)
RDEFINE GCICSTRN WUIADMIN UACC(NONE) ADDMEM(COVG,COVC)
RDEFINE TCICSTRN COVA UACC(NONE)
Authorize user groups to appropriate profiles:
PERMIT WUISYS CLASS(GCICSTRN) ID(WUISERV) ACCESS(READ)
PERMIT WUIADMIN CLASS(GCICSTRN) ID(WUIADM) ACCESS(READ)
PERMIT COVA CLASS(TCICSTRN) ID(WUIUSER,WUIEDIT) ACCESS(READ)
Refresh transaction security profiles:
SETROPTS RACLIST(TCICSTRN) REFRESH
Define View Editor profile and give user group appropriate access:
RDEFINE FACILITY EYUWUI.wui_server_applid.EDITOR UACC(NONE)
PERMIT EYUWUI.wui_server_applid.EDITOR CLASS(FACILITY) ID(WUIEDIT) ACCESS(UPDATE)
Define view set profile and give user group appropriate access:
RDEFINE FACILITY EYUWUI.wui_server_applid.VIEW.viewsetname UACC(NONE)
PERMIT EYUWUI.wui_server_applid.VIEW.viewsetname CLASS(FACILITY) ID(WUIUSER) ACCESS(READ)
Connect users to appropriate Web User Interface groups:
CONNECT wui_server_dfltuser GROUP(WUISERV)
CONNECT (wui_server_pltpiusr,wui_administrator) GROUP(WUIADM)
CONNECT (wui_administrator,wui_view_designer) GROUP(WUIEDIT)
CONNECT (wui_operator1,wui_operator2...) GROUP(WUIUSER)
If CICS surrogate user security is active in the Web User Interface region, definitions similar to the following are required:
RDEFINE SURROGAT wui_administrator.DFHSTART UACC(NONE)
PERMIT wui_administrator.DFHSTART CLASS(SURROGAT) ID(WUIADM) ACCESS(READ)
RDEFINE SURROGAT wui_view_designer.DFHSTART UACC(NONE)
PERMIT wui_view_designer.DFHSTART CLASS(SURROGAT) ID(WUIADM) ACCESS(READ)
RDEFINE SURROGAT wui_operator1.DFHSTART UACC(NONE)
PERMIT wui_operator1.DFHSTART CLASS(SURROGAT) ID(WUIADM) ACCESS(READ)
RDEFINE SURROGAT wui_operator2.DFHSTART UACC(NONE)
PERMIT wui_operator2.DFHSTART CLASS(SURROGAT) ID(WUIADM) ACCESS(READ)
SETROPTS RACLIST(SURROGAT) REFRESH
If the Web User Interface server is running with the CICS system initialization parameter SEC=NO, users of the Web User Interface must provide a user ID, which is used to identify "sessions" in the COVC transaction, but are not required to provide a password. The user ID does not need to be defined to the ESM. Access checks for views and for CICS resources are based on the DFLTUSER of the Web User Interface server CICS region. All Web User Interface users have access to the View Editor and to all menus, view sets and help members.