To create the RACF® profile to protect all
CICSPlex® SM resources, do the following:
1. Ensure that the CPSMOBJ class is active and that generic
   profiles can be defined:

   SETROPTS CLASSACT(CPSMOBJ) GENERIC(CPSMOBJ)

2. Create a RACF profile to protect all views and action commands
   for all CICSPlex SM functions:

   RDEF CPSMOBJ ** UACC(NONE) OWNER(admin_group) NOTIFY(admin_user)

   This command defines a profile (**) that RACF treats as matching
   all CPSMOBJ resource entity names, and which therefore protects
   all CICSPlex SM resources; it also specifies that admin_user is to be
   notified of any violations.

3. The next step is very similar to Step 2: we
   define one RACF profile for each CICSplex in the configuration. Each profile
   will protect all CICSPlex SM functions and resources for that CICSplex. The purpose
   of doing this is to give you more flexibility in granting access to CICSplex-specific
   resources. In this example, we have two CICSplexes, and so create two RACF profiles:

   RDEF CPSMOBJ *.*.PLXPROD1.* UACC(NONE) OWNER(admin_group) +
   NOTIFY(admin_user)
   RDEF CPSMOBJ *.*.PLXPROD2.* UACC(NONE) OWNER(admin_group) +
   NOTIFY(admin_user)

   Note that you can't replace Step 2 with multiple CICSplex-specific profiles: such profiles
   won't necessarily protect CICSplexes that you create later, nor can they
   protect CICSPlex SM functions whose context is the CMAS rather than the CICSplex.
   For example, the CONFIG views would be left unprotected if you didn't
   also perform Step 2.

4. In Step 3 we protected all CICSPlex SM functions and resources
   at the CICSplex level. In this step, we're going to define profiles to control
   access to the CICSPlex SM CONFIG and TOPOLOGY definition functions, so that we
   can selectively permit any "special" users, such as administrators, the
   access they need. (Anyone who has update access to these two functions can
   alter the CICSplex configuration, and so access must be limited.)

   RDEF CPSMOBJ CONFIG.DEF.** UACC(NONE) OWNER(admin_group)
   RDEF CPSMOBJ TOPOLOGY.DEF.** UACC(NONE) OWNER(admin_group)

Now that we've controlled access to
CICSPlex SM functions and resources,
we can begin to grant access to particular users or groups of users.
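
The coverage gap described in the note to Step 3 can be checked offline with a simplified model of RACF generic matching. This is an added example, not IBM's code: the matching rules it implements, the function.type.context.scope name layout, and the sample names (FUNC, TYPE, SCOPE1, PLXPROD3, CMAS1) are assumptions made for illustration.

```python
# Simplified model of generic profile matching for a general resource class.
# Assumptions: '*' matches exactly one qualifier, a trailing '*' qualifier
# matches one or more qualifiers, '**' matches zero or more qualifiers.
# '%' and wildcards inside a qualifier are not modelled.

def matches(profile: str, resource: str) -> bool:
    p, r = profile.split("."), resource.split(".")

    def walk(i: int, j: int) -> bool:
        if i == len(p):                       # profile exhausted
            return j == len(r)
        if p[i] == "**":                      # zero or more qualifiers
            return any(walk(i + 1, k) for k in range(j, len(r) + 1))
        if p[i] == "*" and i == len(p) - 1:   # trailing '*': one or more
            return j < len(r)
        if j == len(r):                       # resource exhausted too early
            return False
        return (p[i] == "*" or p[i] == r[j]) and walk(i + 1, j + 1)

    return walk(0, 0)

def covering(profiles, resource):
    """Profiles that match the resource name (no RACF selection order implied)."""
    return [p for p in profiles if matches(p, resource)]

def unprotected(profiles, resources):
    """Resource names that no profile in the list matches."""
    return [r for r in resources if not covering(profiles, r)]

# Profile names taken from Steps 2, 3 and 4 on this page.
STEP2 = ["**"]
STEP3 = ["*.*.PLXPROD1.*", "*.*.PLXPROD2.*"]
STEP4 = ["CONFIG.DEF.**", "TOPOLOGY.DEF.**"]

# Constructed sample resource entity names (hypothetical, for illustration).
SAMPLE = [
    "FUNC.TYPE.PLXPROD1.SCOPE1",   # existing CICSplex
    "FUNC.TYPE.PLXPROD2.SCOPE1",   # existing CICSplex
    "FUNC.TYPE.PLXPROD3.SCOPE1",   # CICSplex created later
    "CONFIG.DEF.CMAS1",            # function whose context is a CMAS
]

if __name__ == "__main__":
    print("Step 3 profiles only, unprotected:", unprotected(STEP3, SAMPLE))
    print("Steps 2-4, unprotected:", unprotected(STEP2 + STEP3 + STEP4, SAMPLE))
```

With only the Step 3 profiles, the later CICSplex and the CMAS-context name match nothing; adding the `**` profile from Step 2 closes both gaps.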