To determine who requires access to the CICSPlex® SM resources, answer the questions and complete the matrix. You can
then use the results to create the PERMIT statements that are required
in RACF to control access to the resources.
About this task
You can control access to
CICSPlex SM resources in two ways:
- By restricting access to the objects managed by CICSPlex SM views. This restriction does not affect access to the views themselves,
but it prevents them from displaying any data.
- By restricting access to Web User Interface view sets, menus and
the View Editor. This restriction does not affect access to the objects
being managed but prevents access to the view sets, menus and View
Editor themselves.
Procedure
- Answer the following questions to determine who requires
access to the CICSPlex SM resources:
- What groups of users will use CICSPlex SM?
- Your enterprise probably already has several user groups defined
to RACF®. The groups that typically require access
to CICSPlex SM include systems programming, operations, the help desk, applications
programming, and performance monitoring. These groups are used as
column headings in the security matrix. You can supply their corresponding RACF group IDs. (If necessary, you can ignore, replace, or
add groups to the matrix as appropriate for your enterprise.)
- Which CICSPlex SM views will each group need to use?
- CICSPlex SM manages CICS® resources using views. Views are grouped
by functionality: configuration, topology, workload management, real-time
analysis, operations, monitoring, business application services, and
CICSplex management. Not all view groups are appropriate for all users.
Certain groups of users will only use a subset of views. For example,
the systems programming group might need to work with all views, while
the help desk group might only need to use one or two. The view groups
are listed vertically on the left side of the matrix, along with the
high-level qualifier of their CICSPlex SM resource names.
- What type of access does each RACF group
need?
- After deciding who needs to use what, stop universal access to
all of the objects managed by all of the views. You can then selectively
permit read, update, or alter access to specific view groups. To complete
the matrix, specify READ, UPDATE, or ALTER access for each RACF group that needs access to a group of views.
- Specify READ access to allow a user to inquire on a resource.
- Specify UPDATE access to allow a user to change a value, using
the SET or UPDATE command, or perform an action. The user can also
create or remove a definition, such as a BAS resource object.
- Specify ALTER access to allow a user to discard an installed resource
from CICS and allow a user to install a BAS resource object.
Tip: For application programmers, if you need to
control who is allowed to use the CPSM option on the CICS translator,
you can use RACF to control who is allowed to load the DFHSMTAB
table at translation time. For a description of RACF program control,
see the z/OS Security Server RACF Security Administrator's Guide. DFHSMTAB is the language definition table that defines the CICSPlex SM API commands. It
is loaded only on demand.
- Which CICSPlex SM Web User Interface views and menus will each group need access to?
- Web User Interface views and menus are usually user-defined but, like CICSPlex SM views, they are most likely grouped by functionality.
Not all view sets and menus are appropriate for all users. Certain
groups of users require access to a subset of views. For example,
the systems programming group might require access to all views and
to the View Editor, while the help desk group might not need to use
the View Editor or those views that manage the definition of CICSPlex SM resources.
- Fill out the security matrix when you have answered the
questions.
Table 1. Security matrix

| CICSPlex SM view group ↓ / RACF group → | System Programming ID( ) | Operations ID( ) | Help Desk ID( ) | Application Programming ID( ) | Performance ID( ) |
|---|---|---|---|---|---|
| Configuration (CONFIG) | | | | | |
| Topology (TOPOLOGY) | | | | | |
| Workload Management (WORKLOAD) | | | | | |
| Real-Time Analysis (ANALYSIS) | | | | | |
| Operations (OPERATE) | | | | | |
| Monitor (MONITOR) | | | | | |
| Business Application Services (BAS) | | | | | |
Table 2 is a sample of a
completed security matrix for a production CICSplex:
Table 2. Sample security matrix

| CICSPlex SM view group ↓ / RACF group → | System Programming ID(SYSPGRP) | Operations ID(OPSGRP) | Help Desk ID(HELPGRP) | Application Programming ID(APPLGRP) | Performance ID(PERFGRP) |
|---|---|---|---|---|---|
| Configuration (CONFIG) | UPDATE | | | | |
| Topology (TOPOLOGY) | UPDATE | UPDATE | READ | | |
| Workload Management (WORKLOAD) | UPDATE | | | READ | |
| Real-Time Analysis (ANALYSIS) | UPDATE | UPDATE | READ | | READ |
| Operations (OPERATE) | ALTER | UPDATE | READ | READ | READ |
| Monitor (MONITOR) | UPDATE | READ | | | READ |
| Business Application Services (BAS) | ALTER | ALTER | | UPDATE | |
- Ensure that the CPSMOBJ class is active and that generic
profiles can be defined:
SETROPTS CLASSACT(CPSMOBJ)
SETROPTS GENERIC(CPSMOBJ)
SETROPTS GENCMD(CPSMOBJ)
- Create a RACF profile to protect all of
the views and action commands for all CICSPlex SM functions:
RDEF CPSMOBJ ** UACC(NONE) OWNER(admin_group) NOTIFY(admin_user)
CPSMOBJ is the CICSPlex SM member class. The double asterisks indicate that all of the CICSPlex SM views are included in this RDEF statement.
- Using the information in the sample matrix, you can permit
access to the specific view groups. For example, the
systems programming group requires update access to all of the view
groups and ALTER access to the BAS views. You can define this with
just three PERMIT statements:
PERMIT ** CLASS(CPSMOBJ) ID(SYSPGRP) ACCESS(UPDATE)
PERMIT BAS.** CLASS(CPSMOBJ) ID(SYSPGRP) ACCESS(ALTER)
The double asterisks indicate that all of the CICSPlex SM views are affected by this PERMIT statement. The following PERMIT
statements grant the appropriate access to all of the topology views
for the operations and help desk groups:
PERMIT TOPOLOGY.** CLASS(CPSMOBJ) ID(OPSGRP) ACCESS(UPDATE)
PERMIT TOPOLOGY.** CLASS(CPSMOBJ) ID(HELPGRP) ACCESS(READ)
For the workload management views:
PERMIT WORKLOAD.** CLASS(CPSMOBJ) ID(APPLGRP) ACCESS(READ)
For the real-time analysis views:
PERMIT ANALYSIS.** CLASS(CPSMOBJ) ID(OPSGRP) ACCESS(UPDATE)
PERMIT ANALYSIS.** CLASS(CPSMOBJ) ID(HELPGRP) ACCESS(READ)
PERMIT ANALYSIS.** CLASS(CPSMOBJ) ID(PERFGRP) ACCESS(READ)
For the operations views:
PERMIT OPERATE.** CLASS(CPSMOBJ) ID(OPSGRP) ACCESS(UPDATE)
PERMIT OPERATE.** CLASS(CPSMOBJ) ID(HELPGRP) ACCESS(READ)
PERMIT OPERATE.** CLASS(CPSMOBJ) ID(APPLGRP) ACCESS(READ)
PERMIT OPERATE.** CLASS(CPSMOBJ) ID(PERFGRP) ACCESS(READ)
For the monitor views:
PERMIT MONITOR.** CLASS(CPSMOBJ) ID(APPLGRP) ACCESS(READ)
PERMIT MONITOR.** CLASS(CPSMOBJ) ID(PERFGRP) ACCESS(READ)
For the business application services views:
PERMIT BAS.** CLASS(CPSMOBJ) ID(OPSGRP) ACCESS(ALTER)
PERMIT BAS.** CLASS(CPSMOBJ) ID(APPLGRP) ACCESS(UPDATE)
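The following Python script is an added example, not IBM's code or part of this page's procedure. It carries the procedure above through end to end: it holds the sample matrix from Table 2 as data, derives the SETROPTS, RDEF and PERMIT commands from it (generalising the page's `**` plus `BAS.**` shortcut for the systems programming group to any group that has some access to every view group), and then evaluates what access each RACF group ends up with on a given resource name. Two points a practitioner would want to see, both standard RACF behaviour rather than anything stated on this page: PERMIT edits the access list of a profile that must already exist, so the script emits an RDEF for every generic profile it names, and RACF applies only the most specific profile that covers a resource (it does not fall back to `**`), so a group carried on `**` is repeated on every narrower profile, otherwise defining `TOPOLOGY.**` for the operations group would silently remove the systems programming group's access to topology views. The commands are derived from the matrix rather than copied from the PERMIT list above, and the resource names used in the checks (`TOPOLOGY.DEF.CSYSDEF` and so on) are constructed for illustration, not real CICSPlex SM resource names.

```python
"""Added example (not IBM's code): derive RACF CPSMOBJ commands from a
CICSPlex SM security matrix and check the access that results.  The matrix
is transcribed from the page's sample (Table 2); the resource names used in
the checks are constructed for illustration and are not real CICSPlex SM
resource names."""

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Sample matrix from the page: row = view-group qualifier, column = RACF group.
# A missing cell means the group has no access to that view group.
SAMPLE_MATRIX = {
    "CONFIG":   {"SYSPGRP": "UPDATE"},
    "TOPOLOGY": {"SYSPGRP": "UPDATE", "OPSGRP": "UPDATE", "HELPGRP": "READ"},
    "WORKLOAD": {"SYSPGRP": "UPDATE", "APPLGRP": "READ"},
    "ANALYSIS": {"SYSPGRP": "UPDATE", "OPSGRP": "UPDATE", "HELPGRP": "READ",
                 "PERFGRP": "READ"},
    "OPERATE":  {"SYSPGRP": "ALTER", "OPSGRP": "UPDATE", "HELPGRP": "READ",
                 "APPLGRP": "READ", "PERFGRP": "READ"},
    "MONITOR":  {"SYSPGRP": "UPDATE", "OPSGRP": "READ", "PERFGRP": "READ"},
    "BAS":      {"SYSPGRP": "ALTER", "OPSGRP": "ALTER", "APPLGRP": "UPDATE"},
}


def plan_profiles(matrix):
    """Return {profile_name: {racf_group: access}}.

    A group that needs some access to every view group is put on the '**'
    catch-all at its lowest level; only rows above that level get an entry on
    a narrower 'QUALIFIER.**' profile (the page's shortcut for SYSPGRP).
    """
    plan = {"**": {}}  # the page's catch-all profile is always defined
    groups = sorted({g for row in matrix.values() for g in row})
    for group in groups:
        levels = {vg: matrix[vg].get(group, "NONE") for vg in matrix}
        base = "NONE"
        if all(lvl != "NONE" for lvl in levels.values()):
            base = min(levels.values(), key=ACCESS_RANK.__getitem__)
            plan["**"][group] = base
        for vg, lvl in levels.items():
            if lvl != "NONE" and lvl != base:
                plan.setdefault(f"{vg}.**", {})[group] = lvl
    # RACF consults only the most specific matching profile's access list;
    # it does not fall back to '**'.  Any group carried on '**' must therefore
    # be repeated on every narrower profile or it silently loses access there.
    for profile, acl in plan.items():
        if profile != "**":
            vg = profile[: -len(".**")]
            for group in plan["**"]:
                acl.setdefault(group, matrix[vg][group])
    return plan


def racf_commands(plan, cls="CPSMOBJ", owner="admin_group", notify="admin_user"):
    """Render the plan as the SETROPTS / RDEF / PERMIT commands from the page.
    owner/notify default to the page's placeholders."""
    cmds = [f"SETROPTS CLASSACT({cls})", f"SETROPTS GENERIC({cls})",
            f"SETROPTS GENCMD({cls})"]
    ordered = sorted(plan, key=lambda p: (len(p), p))
    # PERMIT edits the access list of an existing profile, so every generic
    # profile is defined before any PERMIT that names it.
    for profile in ordered:
        cmds.append(f"RDEF {cls} {profile} UACC(NONE) OWNER({owner}) NOTIFY({notify})")
    for profile in ordered:
        for group, access in sorted(plan[profile].items()):
            cmds.append(f"PERMIT {profile} CLASS({cls}) ID({group}) ACCESS({access})")
    return cmds


def _covers(profile, resource):
    """Generic-profile match for the two shapes used here: '**' and 'X.**'."""
    if profile == "**":
        return True
    if profile.endswith(".**"):
        return resource.startswith(profile[:-2])  # 'BAS.**' covers 'BAS.' + anything
    return profile == resource


def effective_access(plan, group, resource):
    """Access a RACF group gets to a resource: the most specific covering
    profile wins, and only its access list (then UACC, NONE here) applies."""
    covering = [p for p in plan if _covers(p, resource)]
    best = max(covering, key=len)  # '**' always covers, so the list is non-empty
    return plan[best].get(group, "NONE")


def allowed(plan, group, resource, needed):
    """True if the group's effective access is at least `needed`."""
    return ACCESS_RANK[effective_access(plan, group, resource)] >= ACCESS_RANK[needed]


if __name__ == "__main__":
    PLAN = plan_profiles(SAMPLE_MATRIX)
    print("\n".join(racf_commands(PLAN)))
    # Spot checks against the matrix, using constructed resource names.
    for grp, res in [("SYSPGRP", "TOPOLOGY.DEF.CSYSDEF"),
                     ("HELPGRP", "CONFIG.DEF.CPLEXDEF"),
                     ("OPSGRP", "BAS.DEF.CRESDEF")]:
        print(f"{grp:8} {res:22} -> {effective_access(PLAN, grp, res)}")
```

Running the script prints the command list and then the spot checks; `effective_access` is the piece worth keeping around, because it lets you compare what the matrix promises a group against what the profiles would actually grant before the commands are issued.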
Results
For simplicity, these PERMIT statements grant access to broad
groups of views by using the double asterisks in the resource names.
However, if required, you can use more specific resource names in
your PERMIT statements. Refer to
Specifying CICSPlex SM resource names in profiles for details.
What to do next
Using your own completed security matrix and the information
in the remainder of this section, you can create as many profiles
as required for your enterprise. Example tasks: security provides detailed profile examples.