Security for bundles

Different security profiles and checks apply to BUNDLE resources created from a definition, and to BUNDLE resources that are created when you install an application or platform.

Security for BUNDLE definitions

For CICS® bundles that are defined in individual CICS regions, CICS command and resource security checks apply when you perform actions on the BUNDLE resource, in the same way as they do for other CICS resources. The XRES system initialization parameter for the CICS region specifies whether or not security checking is carried out for the BUNDLE resource type, among others. Resource security for bundles is controlled by a BUNDLE security profile. The BUNDLE security profile also applies to BUNDLEPART, OSGIBUNDLE, and OSGISERVICE resources.

Stand-alone CICS bundles need to be made available or unavailable only if they contain application entry points. Operators with UPDATE access for the security profile for a stand-alone CICS bundle, which specifies the BUNDLE resource type and the name of the BUNDLE resource, can make the resource available or unavailable.

For resources that are dynamically created by CICS bundles, no additional CICS command security checks and resource security checks take place for those resource types, either when the resources are dynamically created at bundle install time, or when you manipulate the resources by making changes to the CICS bundles. However, CICS command security and resource security for those resource types do apply when you inquire on the dynamically created resources, or if you manipulate the dynamically created resources directly.

Security for BUNDLE resources generated by applications and platforms

When an application or platform is installed in a CICSplex, any CICS bundles that are part of the deployment are dynamically created in the appropriate CICS regions by CICSPlex® SM. Each BUNDLE resource is dynamically created, and is given a unique generated name beginning with the $ character.

You give users authority to install a platform or an application by giving them the appropriate access for the CLOUD.DEF, CLOUD.PLATFORM, and CLOUD.APPLICATION security profiles in CICSPlex SM. When you give users this authority, you also give them authority to install the dynamically created BUNDLE resources in the CICS regions. CICS command security checks and resource security checks are not made when CICS bundles are installed as part of an application or platform. Simulated CICS security checking in CICSPlex SM is also not done when CICS bundles are installed as part of an application or platform.

When you make available or unavailable, enable or disable, or inquire on, a BUNDLE resource that was dynamically created when you installed an application or platform, CICS command and resource security checks and simulated CICS security checking in CICSPlex SM apply only if you perform the action directly on the individual CICS bundle. If the CICS bundle is made available or unavailable, enabled or disabled, or inquired on, by an action that you perform on the application or platform, security checking for the application or platform applies instead. You cannot discard an individual CICS bundle directly if it was created when you installed an application or platform.

Tip: To provide security for actions on individual CICS bundles that were dynamically created when you installed an application or platform, you can set up a security profile specifying the BUNDLE resource type and the resource name $*. Users with UPDATE access for BUNDLE.$* can make available or unavailable, or enable or disable, BUNDLE resources created for platforms and applications, and users with READ access can inquire on those BUNDLE resources.
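
The profile described in the tip, written as RACF commands. This is an added example, not part of the original documentation. It assumes that RACF is the external security manager, that the region runs with XRES=YES (so the default RCICSRES class is used), that SECPREFX prefixing is not in effect, and that CICSOPS and CICSMON are hypothetical group names.

```tso
/* Assumption: XRES=YES, so profiles live in the default RCICSRES class. */
/* Generic profile checking must be active for the class before a       */
/* generic profile such as BUNDLE.$* can be defined.                    */
SETROPTS GENERIC(RCICSRES)

/* One generic profile covers every BUNDLE whose generated name starts  */
/* with $. UACC(NONE) means no access unless explicitly permitted.      */
RDEFINE RCICSRES BUNDLE.$* UACC(NONE)

/* CICSOPS (hypothetical group): may make available or unavailable,     */
/* and enable or disable, the generated BUNDLE resources directly.      */
PERMIT BUNDLE.$* CLASS(RCICSRES) ID(CICSOPS) ACCESS(UPDATE)

/* CICSMON (hypothetical group): may only inquire on those resources.   */
PERMIT BUNDLE.$* CLASS(RCICSRES) ID(CICSMON) ACCESS(READ)

/* Rebuild the in-storage profiles so that the changes take effect.     */
SETROPTS RACLIST(RCICSRES) REFRESH
```

These permissions govern only actions performed directly on the individual CICS bundle; actions performed on the application or platform are checked against the application or platform security instead.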

The resources that are defined inside each CICS bundle installed for an application or platform are dynamically created in the CICS regions during the installation of the dynamically created BUNDLE resource. CICS command security checks and resource security checks for the individual resource types do not take place when these resources are dynamically created in the CICS regions. However, CICS command security and resource security for the individual resource types do apply when you inquire on the dynamically created resources. You cannot directly enable, disable, or discard the dynamically created resources in the CICS regions.

If you apply security measures to individual PROGRAM resources, for applications that are deployed on platforms, secure the programs that are declared as application entry points, but do not secure other programs in the applications. The security settings that you specify for a program that is part of an application deployed on a platform apply to both public and private programs, and do not take into account the version of the application. Programs that are declared as an application entry point must have a unique PROGRAM resource name in your environment. However, if you secure programs that run at a lower level in the application, programs with the same names might be running in different applications, which can lead to unforeseen consequences. In this situation, a user might have permission to access a program that is declared as an application entry point, but not have permission to access a program that runs at a lower level in the application, because the security settings from another instance of the program name are in effect. Consider the security measures that you apply to a program that is declared as an application entry point program, as applying to the whole application.

If you used CICS bundles in earlier CICS releases, check the security permissions that you gave to users for those bundles. Depending on the way in which you set up security for CICS bundles, users with authority to take actions on individual CICS bundles might now be able to act on resources that are dynamically created as part of the installation of a bundle. Ensure that the levels of authority for BUNDLE resources are still appropriate.

For more information on security for applications and platforms and the CLOUD.DEF, CLOUD.PLATFORM, and CLOUD.APPLICATION security profiles, see Security for platforms and applications.