Example: Protecting all CICSPlex SM resources

To create the RACF® profile to protect all CICSPlex® SM resources, do the following:
  1. Ensure that the CPSMOBJ class is active and that generic profiles can be defined:
        SETROPTS CLASSACT(CPSMOBJ) GENERIC(CPSMOBJ)
  2. Create a RACF profile to protect all views and action commands for all CICSPlex SM functions:
        RDEF CPSMOBJ ** UACC(NONE) OWNER(admin_group) NOTIFY(admin_user)

    This command defines a profile (**) that RACF treats as matching all CPSMOBJ resource entity names, and which therefore protects all CICSPlex SM resources; it also specifies that admin_user is to be notified of any violations.

  3. The next step is very similar to Step 2: we define one RACF profile for each CICSplex in the configuration. Each profile will protect all CICSPlex SM functions and resources for that CICSplex. The purpose of doing this is to give you more flexibility in granting access to CICSplex-specific resources. In this example, we have two CICSplexes, and so create two RACF profiles:
        RDEF CPSMOBJ *.*.PLXPROD1.* UACC(NONE) OWNER(admin_group) +
             NOTIFY(admin_user)
        RDEF CPSMOBJ *.*.PLXPROD2.* UACC(NONE) OWNER(admin_group) +
             NOTIFY(admin_user)

    Note that you can't replace Step 2 with multiple CICSplex-specific profiles: such profiles won't necessarily protect CICSplexes that you create later, nor can they protect CICSPlex SM functions whose context is the CMAS rather than the CICSplex. For example, the CONFIG views would be left unprotected if you didn't also perform Step 2.

  4. In Step 3 we protected all CICSPlex SM functions and resources at the CICSplex level. In this step, we're going to define profiles to control access to the CICSPlex SM CONFIG and TOPOLOGY definition functions, so that we can selectively permit any "special" users, such as administrators, the access they need. (Anyone who has update access to these two functions can alter the CICSplex configuration, and so access must be limited.)
        RDEF CPSMOBJ CONFIG.DEF.** UACC(NONE) OWNER(admin_group)
        RDEF CPSMOBJ TOPOLOGY.DEF.** UACC(NONE) OWNER(admin_group)

Now that we've controlled access to CICSPlex SM functions and resources, we can begin to grant access to particular users or groups of users.
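
The following check is an added example, not part of the original procedure or of any IBM-supplied tooling. It models which of the profiles from Steps 2 to 4 cover a set of sample entity names, showing why the `**` profile from Step 2 cannot be replaced by the CICSplex-specific profiles from Step 3. Assumptions: entity names take the dot-separated form function.type.context[.scope]; the matching rules are a simplified model of RACF generic matching; PLXTEST1, CMASPRD1 and AORSCOPE are hypothetical names.

```python
# Simplified model of RACF generic matching for CPSMOBJ profile names.
# Assumptions (not stated on the page): qualifiers are dot-separated; "*" as a
# leading or middle qualifier matches exactly one qualifier; "*" as the last
# qualifier matches one or more qualifiers; "**" matches zero or more.
# "%" and partial-qualifier wildcards (for example ABC*) are not modelled.

def matches(profile, entity):
    """Return True if the generic profile name covers the entity name."""
    def walk(p, e):
        if not p:
            return not e                      # both exhausted: full match
        head, rest = p[0], p[1:]
        if head == "**":                      # absorb zero or more qualifiers
            return any(walk(rest, e[i:]) for i in range(len(e) + 1))
        if head == "*" and not rest:          # trailing "*": one or more
            return len(e) >= 1
        return bool(e) and head in ("*", e[0]) and walk(rest, e[1:])
    return walk(profile.split("."), entity.split("."))

def coverage(profiles, entities):
    """Map each entity name to the profiles that cover it, in input order."""
    return {e: [p for p in profiles if matches(p, e)] for e in entities}

def unprotected(profiles, entities):
    """Entity names that no profile in the list covers."""
    return sorted(e for e, hits in coverage(profiles, entities).items() if not hits)

# Profile names exactly as defined in Steps 2, 3 and 4.
STEP2 = ["**"]
STEP3 = ["*.*.PLXPROD1.*", "*.*.PLXPROD2.*"]
STEP4 = ["CONFIG.DEF.**", "TOPOLOGY.DEF.**"]

# Constructed sample entity names (hypothetical plex, CMAS and scope names).
SAMPLE_ENTITIES = [
    "OPERATE.PROGRAM.PLXPROD1.AORSCOPE",
    "OPERATE.PROGRAM.PLXPROD2.AORSCOPE",
    "OPERATE.PROGRAM.PLXTEST1.AORSCOPE",   # a CICSplex created later
    "CONFIG.DEF.CMASPRD1",                 # context is a CMAS, not a CICSplex
    "TOPOLOGY.DEF.PLXPROD1",
]

if __name__ == "__main__":
    print("Step 3 profiles only, not covered:")
    for name in unprotected(STEP3, SAMPLE_ENTITIES):
        print("   ", name)
    print("Steps 2 to 4 together:")
    for name, hits in coverage(STEP2 + STEP3 + STEP4, SAMPLE_ENTITIES).items():
        print(f"    {name:36} {hits}")
```

An entity name whose only covering profile is `**` is protected solely by the Step 2 catch-all, which is the case for any CICSplex added after the Step 3 profiles were defined.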