Security using the XRES resource security parameter

Use security profiles and the XRES system initialization parameter to apply security checks to a subset of CICS® resources. An example of how to implement resource security for CICS document templates is provided.

About this task

CICS security profile names consist of three parts: security_prefix.resource_type.resource_name. CICS profiles are passed to the security manager for checking. Security checking is case sensitive.

Security prefix
The security_prefix is the value specified on the SECPRFX system initialization parameter. The default value for the SECPRFX parameter is NO, which means that the security_prefix is omitted. If the value of the SECPRFX parameter is YES, the security_prefix is the name of the region user ID. Alternatively, you can specify a 1- to 8-character value for the security_prefix.
Resource type
The resource_type specifies the type of resource against which checks are performed. In most instances, each CICS resource has a corresponding security profile; for example, the ATOMSERVICE resource has a security profile with a corresponding resource type:
security_prefix.ATOMSERVICE.resource_name
However, certain CICS resources do not have a corresponding security profile; for example, the BUNDLEPART, OSGIBUNDLE, and OSGISERVICE resources are checked using the BUNDLE security profile.

You can create security profiles that use the following resource types:

  • ATOMSERVICE
  • BUNDLE
  • DOCTEMPLATE
  • EPADAPTER
  • EPADAPTERSET
  • EVENTBINDING
  • JVMSERVER
  • XMLTRANSFORM
For a complete list of the CICS resources, resource types, and commands associated with security checks, see Resource and command check cross-reference.
Note: When you give a user authority to perform an action on a platform or application, you also give them authority to perform the same action on the dynamically generated resources for the platform or application. CICS resource security checks are not carried out when you create or operate on CICS bundles through an application or platform. However, CICS resource security checks do apply when you perform an action directly on an individual BUNDLE resource, or a resource that was defined in a CICS bundle, even if the bundle was created when you installed a platform or application. For more information, see Security for bundles.
Resource name
The resource_name specifies the name of the CICS resource.

Example

This example task explains how to implement resource security for CICS document templates.

CICS document templates are controlled in the following cases:
  • Document templates delivered as a static response to a web client request (specified on the TEMPLATENAME attribute of the URIMAP definition for the request).
  • Document templates delivered as part of an application-generated response to a web client request (used by an application program that handles the request).
  • All EXEC CICS CREATE, INQUIRE, DISCARD, and SET DOCTEMPLATE commands.
  • All EXEC CICS DOCUMENT INSERT and CREATE commands with the TEMPLATE option.

The EXEC CICS DOCUMENT commands reference document templates using the 48-character name of the template, as specified in the TEMPLATENAME attribute of the DOCTEMPLATE resource. However, security checking for these commands uses the name of the DOCTEMPLATE resource that corresponds to the TEMPLATENAME attribute. So you can set up one profile name for each document template, using the name of the DOCTEMPLATE resource, and not the TEMPLATENAME attribute.

Note: Document templates can be retrieved from a variety of sources including partitioned data sets, CICS programs, CICS files, z/OS® UNIX System Services files, temporary storage queues, transient data queues, and exit programs. When resource security checking is carried out for a document template, CICS does not perform any additional security checking on the resource that supplies the document template, even if resource security is specified for that type of resource in the CICS region.

Complete the following steps to implement resource security for CICS document templates:

  1. Define profiles to RACF® in the default RCICSRES resource class or WCICSRES grouping class, or their equivalents if you have user-defined resource class names.

    For the profile names, use the name of the DOCTEMPLATE resource definition, prefixed by the resource type DOCTEMPLATE, and any additional prefix specified by the SECPRFX system initialization parameter for the CICS region.

    For example, use the following commands to define document templates in the RCICSRES class, and authorize users to use them to assemble documents:
    RDEFINE  RCICSRES  (DOCTEMPLATE.doc1, DOCTEMPLATE.doc2, .., DOCTEMPLATE.docn) UACC(NONE)
                      NOTIFY(sys_admin_userid)
    PERMIT DOCTEMPLATE.doc1 CLASS(RCICSRES) ID(group1, group2) ACCESS(READ)
    
    To define document templates as members of a profile in the WCICSRES resource grouping class, with an appropriate access list, use the following commands:
    RDEFINE  WCICSRES  (doc_groupname) UACC(NONE)
                       ADDMEM(DOCTEMPLATE.doca, DOCTEMPLATE.docb) NOTIFY(sys_admin_userid)
    PERMIT doc_groupname CLASS(WCICSRES) ID(group_userid) ACCESS(READ)
    After you have issued the RDEFINE command for the RCICSRES or WCICSRES class, if the class is not yet active, you need to activate it by issuing a SETROPTS command. For example:
    SETROPTS CLASSACT(RCICSRES) RACLIST(RCICSRES)
    If the class is active, refresh it using the SETROPTS command:
    SETROPTS RACLIST(RCICSRES) REFRESH
  2. Specify SEC=YES as a CICS system initialization parameter (and SECPRFX=YES if you define profiles with a prefix).

  3. Specify XRES=YES for the default resource class names of RCICSRES and WCICSRES, or XRES=name for user-defined resource class names.

    XRES=YES is the default.

  4. Specify RESSEC(YES) in the TRANSACTION resource definition of the transactions that access the CICS document templates.

    For CICS web support, the transaction for all static responses is CWXN, or an alternate transaction that you have specified in place of CWXN using the TRANSACTION attribute on your TCPIPSERVICE definitions. The transaction for application-generated responses is an alias transaction, which can be specified in the URIMAP definition for the request or set by an analyzer program, and defaults to CWBA.

    As supplied by CICS, the definition for CWXN specifies RESSEC(YES), but the definition for CWBA specifies RESSEC(NO), and for TRANSACTION resource definitions in general the default is RESSEC(NO).
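The following is an added example, not IBM's code or a CICS API: it models the profile-naming rules from "About this task" (SECPRFX handling, the BUNDLE mapping, case sensitivity) together with the DOCTEMPLATE check from the example task (TEMPLATENAME versus DOCTEMPLATE resource name, RESSEC gating, the RCICSRES and WCICSRES profiles from step 1) so the effect of each setting can be tried offline. The access-check logic is a simplified model, and the profiles and DOCTEMPLATE definitions are constructed sample data.

```python
# Resources that have no profile of their own and are checked under BUNDLE.
PROFILE_TYPE_FOR = {"BUNDLEPART": "BUNDLE", "OSGIBUNDLE": "BUNDLE", "OSGISERVICE": "BUNDLE"}


def security_prefix(secprfx, region_userid):
    """SECPRFX=NO -> no prefix; SECPRFX=YES -> region user ID; else a 1-8 char value."""
    if secprfx.upper() == "NO":
        return None
    if secprfx.upper() == "YES":
        return region_userid
    if not 1 <= len(secprfx) <= 8:
        raise ValueError("SECPRFX must be NO, YES or a 1- to 8-character prefix")
    return secprfx


def profile_name(secprfx, region_userid, resource_type, resource_name):
    """security_prefix.resource_type.resource_name, built case-sensitively."""
    rtype = PROFILE_TYPE_FOR.get(resource_type, resource_type)
    prefix = security_prefix(secprfx, region_userid)
    return ".".join(p for p in (prefix, rtype, resource_name) if p)


def doctemplate_profile(secprfx, region_userid, templatename, doctemplates):
    """EXEC CICS DOCUMENT names a template by TEMPLATENAME (up to 48 chars), but
    the check uses the name of the DOCTEMPLATE resource that carries it."""
    for resource_name, tname in doctemplates.items():
        if tname == templatename:
            return profile_name(secprfx, region_userid, "DOCTEMPLATE", resource_name)
    raise LookupError("no DOCTEMPLATE resource has TEMPLATENAME %r" % templatename)


def read_allowed(profile, userid, groups, ressec, rcicsres, wcicsres):
    """Simplified model (assumption, not RACF's full algorithm): READ is granted
    when a discrete RCICSRES profile, or a WCICSRES grouping profile that lists
    the name as a member, names the user or one of the user's groups.
    With RESSEC(NO) on the transaction no resource check happens at all."""
    if not ressec:
        return True  # transaction runs with RESSEC(NO): CICS performs no resource check
    matches = [rcicsres[profile]] if profile in rcicsres else []
    matches += [g for g in wcicsres.values() if profile in g["members"]]
    ids = {userid, *groups}
    return any(ids & m["read"] for m in matches)


# Constructed sample mirroring the RDEFINE/PERMIT commands in step 1.
RCICSRES = {"DOCTEMPLATE.doc1": {"uacc": "NONE", "read": {"group1", "group2"}}}
WCICSRES = {"doc_groupname": {"members": {"DOCTEMPLATE.doca", "DOCTEMPLATE.docb"},
                              "read": {"group_userid"}}}
DOCTEMPLATES = {"doc1": "templates/welcome.html", "doca": "templates/error.html"}
```

Note that a transaction such as CWBA, which is supplied with RESSEC(NO), passes every template request through unchecked in this model exactly as step 4 warns.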