When you have defined a region userid for your CICS® job (or started task), permit that userid to access the CICS system data sets with the necessary authorization.
When authorizing access to CICS system data sets, choose appropriately from the following levels of access: READ, UPDATE, and CONTROL. Also define data set profiles with UACC(NONE) to ensure that only CICS region userids can access those data sets. For information about the CICS region userid, see Specifying the CICS region userid.
For CICS load libraries, only permit READ access.
Permit UPDATE access for all the remaining CICS data sets.
Therefore, for CICS system data sets you need at least three generic profiles to restrict access to the appropriate level. See Table 1.
Required access level | Type of CICS data sets protected |
---|---|
READ | Load libraries |
UPDATE | Auxiliary trace; transaction dump; system definition; global catalog; local catalog; and restart |
CONTROL | Temporary storage; intrapartition transient data; XRF message; and XRF control |
If you use generic naming of the data set profiles, you can considerably reduce the number of profiles you need for your CICS regions. This policy is illustrated in the examples shown in Figure 1 for a number of sample CICS regions.
//RACFDEF JOB 'accounting information',
// CLASS=A,MSGCLASS=A,MSGLEVEL=(1,1)
//DEFINE EXEC PGM=IKJEFT01
//SYSPRINT DD SYSOUT=A
//SYSTSPRT DD SYSOUT=A
//SYSUDUMP DD SYSOUT=A
//SYSTSIN DD *
ADDSD 'CICSTS31.CICS.SDFHLOAD' NOTIFY(cics_sys_admin_id) UACC(NONE)
PERMIT 'CICSTS31.CICS.SDFHLOAD' ID(cics_id1,...,cics_group1,..,cics_groupn)
ACCESS(READ)
ADDSD 'CICSTS31.CICS.SDFHAUTH' NOTIFY(cics_sys_admin_id) UACC(NONE)
PERMIT 'CICSTS31.CICS.SDFHAUTH' ID(cics_id1,...,cics_group1,..,cics_groupn)
ACCESS(READ)
ADDSD 'CICSTS31.CICS.applid.**' NOTIFY(cics_sys_admin_id) UACC(NONE)
PERMIT 'CICSTS31.CICS.applid.**' ID(applid_userid) ACCESS(UPDATE)
ADDSD 'CICSTS31.CICS.applid.DFHXR*' NOTIFY(cics_sys_admin_id) UACC(NONE)
PERMIT 'CICSTS31.CICS.applid.DFHXR*' ID(applid_userid) ACCESS(CONTROL)
ADDSD 'CICSTS31.CICS.applid.DFHINTRA' NOTIFY(cics_sys_admin_id) UACC(NONE)
PERMIT 'CICSTS31.CICS.applid.DFHINTRA' ID(applid_userid) ACCESS(CONTROL)
ADDSD 'CICSTS31.CICS.applid.DFHTEMP' NOTIFY(cics_sys_admin_id) UACC(NONE)
PERMIT 'CICSTS31.CICS.applid.DFHTEMP' ID(applid_userid) ACCESS(CONTROL)
ADDSD 'CICSTS31.CICS.DFHCSD' NOTIFY(cics_sys_admin_id) UACC(NONE)
PERMIT 'CICSTS31.CICS.DFHCSD' ID(cics_group1,..,cics_groupn) ACCESS(UPDATE)
/*
//
You could also consider protecting all these data sets with one generic profile called 'CICSTS31.CICS.**'. However, you must strictly control who has read access to CICSTS31.CICS.SDFHAUTH, because it contains APF-authorized programs, and the profile protecting this data set must be defined with UACC(NONE). In Figure 1 all of the partitioned data sets are defined with UACC(NONE) and have an explicit access list.
Although CICS modules exist in libraries SYS1.CICSTS31.CICS.SDFHLPA and SYS1.CICSTS31.CICS.SDFHLINK, no CICS region userid requires access to these libraries.
By establishing a naming convention for the data sets belonging to each region,and one generic profile for each CICS region, with the CICS VTAM® APPLID as one of the data set qualifiers, you can ensure that only one CICS region has access to the data sets. In the examples shown in Figure 1, all the names have a high-level qualifier of CICSTS31.CICS, but your installation will have its own naming conventions for you to follow.
CICS needs CONTROL access for the transient data intrapartition, temporary storage, and CICS availability manager (CAVM) data sets.
The CICS system definition data set (CSD) is protected by a discrete profile to which all CICS groups have access. This assumes that all the CICS regions are sharing a common CSD. If your CICS regions do not share a common CSD and each region has its own CSD, or if groups of regions share a CSD, define discrete or generic data set profiles as appropriate.