Using command security to control the issuing of SPI commands against DB2CONN, DB2ENTRY, and DB2TRAN resource definitions

Use CICS® command security mechanisms to protect DB2CONN, DB2ENTRY, and DB2TRAN resource definitions.

About this task

The CICS command security mechanism controls users' ability to issue particular SPI commands against types of DB2-related resource. For example, you can use it to control which users are allowed to issue CREATE and DISCARD commands against DB2ENTRY resource definitions. Unlike resource security, CICS command security cannot protect individual named resources; it is designed to protect types of resource. You can use command security to protect DB2CONN, DB2ENTRY, and DB2TRAN resource definitions.

When command security is enabled for a transaction, the external security manager checks that the user ID associated with the transaction is authorized to use that command to modify the type of resource that is involved. CICS command security has more information about this process.

If you have both resource security and command security enabled for a particular transaction, RACF® performs two security checks against the user ID. For example, if a transaction involves the user issuing a DISCARD command against DB2ENTRY definition db2ent1, RACF checks:
  1. That the user ID is authorized to issue the DISCARD command (ALTER authority) against the DB2ENTRY resource type.
  2. That the user ID is authorized to access the DB2ENTRY definition db2ent1 with ALTER authority.

To protect your DB2-related resources using command security, complete these steps:

Procedure

  1. To enable RACF, or an equivalent external security manager, for a CICS region, specify SEC=YES as a system initialization parameter for the region.
  2. Add the DB2® resource names DB2CONN, DB2ENTRY, and DB2TRAN as resource identifiers in one of the IBM-supplied RACF resource classes for CICS commands, CCICSCMD or VCICSCMD.
    Alternatively, you can use a user-defined general resource class for your CICS commands. CICS resources subject to command security checking tells you more about this.
    For example, you can use the RDEFINE command to define a profile named CMDSAMP in the default class VCICSCMD, and use the ADDMEM operand to specify that the DB2 resource types are to be protected by this profile, as follows (the trailing plus signs continue the TSO command on the next line):
    
     RDEFINE  VCICSCMD CMDSAMP UACC(NONE) +
                       NOTIFY(sys_admin_userid) +
                       ADDMEM(DB2CONN, DB2ENTRY, DB2TRAN)
  3. To make command security available for a CICS region:
    1. If you have used the IBM-supplied RACF resource classes CCICSCMD or VCICSCMD for CICS command profiles, specify XCMD=YES as a system initialization parameter for the region.
      Specifying YES means that CCICSCMD and VCICSCMD are used to build RACF's in-storage profiles.
    2. If you have used a user-defined general resource class for CICS commands, specify XCMD=user_class as a system initialization parameter for the region, where user_class is the name of the user-defined general resource class.
  4. Specify CMDSEC=YES in the resource definition for any transactions involving DB2-related resources for which you want to enable command security. Now, when a user tries to use one of these transactions to issue a command to modify one of the DB2-related resources that you have protected, RACF checks that the user ID is authorized to issue that command against that type of resource.
  5. Give permission to your CICS users, or groups of users, to issue appropriate commands against each type of DB2-related resource. For command security, you need to give separate permissions relating to the DB2TRAN resource type, as well as to the DB2ENTRY resource type. You can also protect the DB2CONN resource type (that is, the CICS region's DB2CONN definition).
    The access that users need to issue each command is as follows:
    INQUIRE command: READ authority
    SET command: UPDATE authority
    CREATE command: ALTER authority
    DISCARD command: ALTER authority
    For example, if you have defined the DB2 resource types in the CMDSAMP profile as in the example in Step 2, you can use the PERMIT command to authorize a group of users to issue EXEC CICS INQUIRE commands against the DB2 resource types as follows:
    
    PERMIT CMDSAMP CLASS(VCICSCMD) ID(operator_group) ACCESS(READ)
    Because the CICS command classes are held in storage (RACLISTed), a new or changed PERMIT does not take effect until the in-storage profiles are refreshed with SETROPTS RACLIST(CCICSCMD) REFRESH.
    Within a transaction, you can query whether the user ID has access to the DB2 resource types by using the EXEC CICS QUERY SECURITY RESTYPE(SPCOMMAND) command, with the RESID parameter specifying DB2CONN, DB2ENTRY, or DB2TRAN; the READ, UPDATE, and ALTER options return CVDA values (for example, READABLE or NOTREADABLE) that the program can test before it issues the SPI command.
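The job below is an added example that is not part of the CICS documentation or IBM-supplied samples: it carries Steps 2, 4, and 5 of the procedure through as batch work for a region whose SIT already specifies SEC=YES and XCMD=YES. The profile name CMDSAMP is the one used above; the group IDs OPERGRP, DBAGRP, and CICSADM, the user ID SYSADM, the transaction DB2A, program DB2APROG, CSD group DB2GRP, and the data set names are assumptions for illustration. The example goes one step beyond the page's single PERMIT by granting the three access levels (READ, UPDATE, ALTER) to three separate groups, so that operators can INQUIRE, DBAs can also SET, and only administrators can CREATE or DISCARD.

```jcl
//DB2CMDS  JOB (ACCT),'DB2 CMD SECURITY',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*
//* Steps 1 and 3 are SIT parameters, not batch work: the region
//* must run with SEC=YES and XCMD=YES (or XCMD=user_class).
//*
//*--------------------------------------------------------------
//* Steps 2 and 5: RACF definitions issued as batch TSO commands.
//* OPERGRP, DBAGRP, CICSADM and SYSADM are assumed IDs.
//*--------------------------------------------------------------
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(CCICSCMD) RACLIST(CCICSCMD)
  RDEFINE VCICSCMD CMDSAMP UACC(NONE) NOTIFY(SYSADM) +
          ADDMEM(DB2CONN DB2ENTRY DB2TRAN)
  PERMIT CMDSAMP CLASS(VCICSCMD) ID(OPERGRP) ACCESS(READ)
  PERMIT CMDSAMP CLASS(VCICSCMD) ID(DBAGRP)  ACCESS(UPDATE)
  PERMIT CMDSAMP CLASS(VCICSCMD) ID(CICSADM) ACCESS(ALTER)
  SETROPTS RACLIST(CCICSCMD) REFRESH
  RLIST VCICSCMD CMDSAMP AUTHUSER
/*
//*--------------------------------------------------------------
//* Step 4: define the transaction with CMDSEC(YES) using the
//* DFHCSDUP offline utility. DB2A, DB2APROG, DB2GRP and the data
//* set names are assumptions.
//*--------------------------------------------------------------
//CSDUP    EXEC PGM=DFHCSDUP
//STEPLIB  DD DISP=SHR,DSN=CICSTS.CICS.SDFHLOAD
//DFHCSD   DD DISP=SHR,DSN=CICSTS.CICS.DFHCSD
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DEFINE TRANSACTION(DB2A) GROUP(DB2GRP) PROGRAM(DB2APROG) CMDSEC(YES)
/*
```

The first SETROPTS is only needed if the CCICSCMD class is not already active and RACLISTed; the second is what makes the new profile and permissions visible to the running region. The RLIST at the end prints the profile's members and access list, which is the quickest way to confirm that DB2CONN, DB2ENTRY, and DB2TRAN are all covered and that UACC is NONE. Once DB2A is installed, a user in OPERGRP can issue EXEC CICS INQUIRE DB2ENTRY from it, but a SET or DISCARD from the same user fails with the NOTAUTH condition, which the program can anticipate with QUERY SECURITY RESTYPE(SPCOMMAND) as described above.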