 |
|
| Data Center Tips: |
|
|
|
CICS NEWSLETTER
CICS command security
Phil Emrich
08.24.2006
Rating: -3.00- (out of 5)
|
I'm running z/OS 1.4 and CICS TS 2.2 for CICS. Is there any way to monitor who used CEMT and command (SET,Perform) in CICS?
You indicated that you specified SEC=YES, XTRAN=YES, and XCMD=YES in the CICS initialization parameters. You didn't describe the problem you encountered, but I'll assume it was related to the CICS command security mechanism that was enabled by specifying XCMD=YES.
You didn't identify any profiles you defined in the RACF supplied resource classes used for CICS command security, member class CCICSCMD and group class VCICSCMD. The resource names that you may define as member class profiles or as member names within group class profiles are documented in Table 12 within Chapter 8 of the CICS RACF Security
Guide. The manual number for the CICS TS V2,R2 version of this book is
SC34-6011-00.
For any profiles you have defined in the CCICSCMD or VCICSCMD classes, you can cause RACF to create an SMF TYPE 80 record for any CICS SET,
PERFORM, CREATE, or DISCARD commands by issuing the following commands for each of the existing profiles:
RALT CCICSCMD profile_name AUDIT(SUCCESS(UPDATE)) or
RALT VCICSCMD profile_name AUDIT(SUCCESS(UPDATE))
Whether or not you have defined profiles in the CCICSCMD or VCICSCMD
classes to cover all of the documented resource names, it's desirable to define the following profile in the CCICSCMD resource class:
RDEF CCICSCMD ** OWNER(.....) UACC(READ)
This profile will allow any EXEC CICS INQUIRE or COLLECT commands to execute successfully for any resource names not covered by one of the other profiles, but will cause any request to change the status of any of CICS resource types not covered by other profiles to fail with a NOTAUTH response and produce both an ICH408I message and an SMF TYPE
80 record for the failed attempt to execute an EXEC CICS SET, PERFORM,
CREATE, or DISCARD command.
If you are also using any of the additional pairs of RACF resource classes for CICS programs, files, TD queues, TS queues, journals, or started transactions, specified by the XPPT, XFCT, XDCT, XTST, XJCT, or XPCT initialization parameters, you may also encounter security problems with using supplied transaction definition for CEMT in RDO group DFHOPER as this definition specifies RESSEC(YES) as well as
CMDSEC(YES).
This definition for CEMT will require the user to have access to the resource security profile covering the resource name as well as access to the command security profile covering the type of resource, at the required level, to allow commands to be processed.
You can create an alternate definition for CEMT with RESSEC(NO) by copying the supplied definition to an RDO group of your choosing and then altering the RESSEC option. If the DFHOPER group is included in the lists of groups installed in CICS during COLD start processing, ensure that the group containing your alternate definition for CEMT follows the DFHOPER group so that your definition will override the supplied definition for CEMT.
Editor's note: Do you agree with this expert's response? If you have more to share, post it in one of our discussion forums.
|
|
Rate this Tip
|
To rate tips, you must be a member of SearchDataCenter.com.
Register now
to start rating these tips. Log in if you are already a member.
|
Submit a Tip
|
DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
|
|
|
|
|
|
|
|
|
|
| TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of . |
|
| |
All Rights Reserved, , TechTarget |
|
|
|
|
|
