For transaction and resource security checking, you identify the resources to RACF® using the identifiers you have assigned to them, such as file names, queue names, transaction names, and so on. However, in the case of command security, the resource identifiers are all predefined by CICS®, and you use these predefined names when defining resource profiles to RACF. The full list of resource identifiers that are subject to command security checking, together with the associated commands, is shown in Table 1. Note that most of these commands are common to both the CEMT and EXEC CICS interfaces; where they are unique to one or the other they are prefaced with CEMT, or EXEC CICS, as appropriate.
Resource name (see note 1) | Related CICS command(s) |
---|---|
AUTINSTMODEL | INQUIRE AUTINSTMODEL |
AUTOINSTALL | INQUIRE AUTOINSTALL |
BEAN | INQUIRE BEAN |
BRFACILITY | INQUIRE BRFACILITY |
CFDTPOOL | INQUIRE CFDTPOOL |
CLASSCACHE | INQUIRE CLASSCACHE |
CONNECTION | INQUIRE CONNECTION |
CORBASERVER | INQUIRE CORBASERVER |
DB2CONN | INQUIRE DB2CONN |
DB2ENTRY | INQUIRE DB2ENTRY |
DB2TRAN | INQUIRE DB2TRAN |
DELETSHIPPED | INQUIRE DELETSHIPPED |
DISPATCHER | INQUIRE DISPATCHER |
DJAR | INQUIRE DJAR. Note: ALTER access to the associated DJAR resource is required for the PERFORM CORBASERVER SCAN command. |
DOCTEMPLATE | INQUIRE DOCTEMPLATE |
DSNAME | INQUIRE DSNAME |
DUMP | PERFORM DUMP |
DUMPDS | INQUIRE DUMPDS |
ENQMODEL | INQUIRE ENQMODEL |
EXITPROGRAM | EXEC CICS ENABLE PROGRAM |
FEPIRESOURCE | Certain EXEC CICS FEPI commands (see note 3) |
FILE | INQUIRE FILE |
 | INQUIRE HOST |
IRC | INQUIRE IRC |
JOURNALMODEL | EXEC CICS INQUIRE JOURNALMODEL |
 | INQUIRE JOURNALNAME |
JVM | INQUIRE JVM |
JVMPOOL | INQUIRE JVMPOOL |
JVMPROFILE | INQUIRE JVMPROFILE |
LINE | CEMT INQUIRE LINE |
LSRPOOL | CREATE LSRPOOL |
MAPSET | CREATE MAPSET |
MODENAME | INQUIRE MODENAME |
MONITOR | INQUIRE MONITOR |
 | COLLECT STATISTICS |
PARTITIONSET | CREATE PARTITIONSET |
PARTNER | INQUIRE PARTNER |
 | CREATE PIPELINE |
PROCESSTYPE | CEMT DEFINE PROCESSTYPE |
PROFILE | INQUIRE PROFILE |
PROGRAM | INQUIRE PROGRAM |
REQID | EXEC CICS INQUIRE REQID |
RESETTIME | PERFORM RESETTIME (see note 4) |
REQUESTMODEL | INQUIRE REQUESTMODEL |
RRMS | INQUIRE RRMS |
SECURITY | PERFORM SECURITY REBUILD |
SESSIONS | CREATE SESSIONS |
SHUTDOWN | PERFORM SHUTDOWN (see note 2) |
STATISTICS | INQUIRE STATISTICS |
STORAGE | INQUIRE STORAGE |
STREAMNAME | INQUIRE STREAMNAME |
SUBPOOL | INQUIRE SUBPOOL |
SYSDUMPCODE | INQUIRE SYSDUMPCODE (see note 4) |
SYSTEM | INQUIRE SYSTEM |
TASK | INQUIRE TASK |
TCLASS | INQUIRE TCLASS |
TCPIP | INQUIRE TCPIP |
TCPIPSERVICE | INQUIRE TCPIPSERVICE |
TDQUEUE | INQUIRE TDQUEUE |
TERMINAL | INQUIRE TERMINAL |
TRACEDEST | EXEC CICS INQUIRE TRACEDEST |
TRACEFLAG | EXEC CICS INQUIRE TRACEFLAG |
TRACETYPE | EXEC CICS INQUIRE TRACETYPE |
TRANDUMPCODE | INQUIRE TRANDUMPCODE (see note 4) |
TRANSACTION | INQUIRE TRANSACTION |
TSMODEL | INQUIRE TSMODEL |
TSPOOL | INQUIRE TSPOOL |
TSQUEUE | EXEC CICS INQUIRE TSQUEUE |
TSQNAME | INQUIRE TSQNAME |
TYPETERM | CREATE TYPETERM |
UOW | INQUIRE UOW |
UOWDSNFAIL | INQUIRE UOWDSNFAIL |
UOWENQ | INQUIRE UOWENQ |
UOWLINK | INQUIRE UOWLINK |
 | INQUIRE URIMAP |
VTAM | INQUIRE VTAM |
WEB | INQUIRE WEB |
 | CREATE WEBSERVICE |
WORKREQUEST | INQUIRE WORKREQUEST |
If you are running CICS with command security, define resource profiles to RACF, with access lists as appropriate, using the resource names in Table 1 as the profile names. Alternatively, you can create resource group profiles in the VCICSCMD class.
```
RDEFINE VCICSCMD CMDSAMP UACC(NONE) -
        NOTIFY(sys_admin_userid) -
        ADDMEM(AUTINSTMODEL, AUTOINSTALL, CONNECTION, -
               DSNAME, TRANSACTION, TRANDUMPCODE, VTAM)
PERMIT  CMDSAMP CLASS(VCICSCMD) ID(operator_group) ACCESS(READ)
RDEFINE VCICSCMD CMDSAMP1 UACC(NONE) -
        NOTIFY(sys_admin_userid) -
        ADDMEM(AUTINSTMODEL, AUTOINSTALL, CONNECTION, -
               DSNAME, TRANSACTION, TRANDUMPCODE, VTAM)
PERMIT  CMDSAMP1 CLASS(VCICSCMD) ID(op_group_2) ACCESS(UPDATE)
```
If you are running CICS with SEC=YES, users require the access levels shown in Table 1.
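The following Python script is an added example, not part of the IBM documentation. It reviews VCICSCMD group-profile definitions of the kind shown above before they are submitted: it expands each `ADDMEM` list into a per-group access map and reports members that are not Table 1 identifiers, plus any profile whose UACC differs from the `UACC(NONE)` used in the samples. It assumes TSO hyphen continuation in the input; `TABLE1` is only a subset of the table, and the `CMDTEST` profile with its misspelled member is constructed for the demonstration.

```python
import re
from collections import defaultdict

# Subset of the Table 1 identifiers (assumption: load the full table in real use).
TABLE1 = {"AUTINSTMODEL", "AUTOINSTALL", "CONNECTION", "DSNAME", "TRANSACTION",
          "TRANDUMPCODE", "VTAM", "SHUTDOWN", "SECURITY", "PROGRAM", "FILE"}

# Constructed input: the page's CMDSAMP definition plus a hypothetical CMDTEST
# profile with a misspelled member (TRANSACTON) and a non-NONE UACC.
SAMPLE = """
RDEFINE VCICSCMD CMDSAMP UACC(NONE) -
        NOTIFY(sys_admin_userid) -
        ADDMEM(AUTINSTMODEL, AUTOINSTALL, CONNECTION, -
        DSNAME, TRANSACTION, TRANDUMPCODE, VTAM)
PERMIT CMDSAMP CLASS(VCICSCMD) ID(operator_group) ACCESS(READ)
RDEFINE VCICSCMD CMDTEST UACC(READ) ADDMEM(TRANSACTON, SHUTDOWN)
PERMIT CMDTEST CLASS(VCICSCMD) ID(op_group_2) ACCESS(UPDATE)
"""

def join_continuations(text):
    """Merge lines ending in a continuation hyphen into single commands."""
    merged = re.sub(r"-\s*\n\s*", " ", text)
    return [ln.strip() for ln in merged.splitlines() if ln.strip()]

def operand(cmd, keyword):
    """Return the text inside KEYWORD(...), or None if the operand is absent."""
    m = re.search(rf"\b{keyword}\(([^)]*)\)", cmd)
    return m.group(1).strip() if m else None

def audit(text, known=TABLE1):
    """Return ({group: {resource: access}}, [findings]) for the definitions."""
    profiles, grants, findings = {}, defaultdict(dict), []
    for cmd in join_continuations(text):
        words = cmd.split()
        if words[0] == "RDEFINE":
            name = words[2]
            members = [m.strip() for m in (operand(cmd, "ADDMEM") or "").split(",") if m.strip()]
            profiles[name] = members
            uacc = operand(cmd, "UACC")
            if uacc != "NONE":
                findings.append(f"{name}: UACC is {uacc or 'unspecified'}, not NONE")
            findings += [f"{name}: {m} is not a Table 1 identifier"
                         for m in members if m not in known]
        elif words[0] == "PERMIT":  # PERMIT must follow its RDEFINE in the input
            for member in profiles.get(words[1], []):
                grants[operand(cmd, "ID")][member] = operand(cmd, "ACCESS")
    return dict(grants), findings

if __name__ == "__main__":
    for line in audit(SAMPLE)[1]:
        print(line)
```

A misspelled member is worth catching because the profile is accepted as defined but does not cover the identifier that was intended.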