Reviewing and defining IVP security
You can run the IVP jobs with or without external security. To run the IVP jobs with external security, you must define to RACF® an IVP default CICS® user ID that has authority to run the transactions used as part of the IVP jobs.
Reviewing security requirements
As supplied, the system initialization parameters specify that external security is on. However, the IVP jobs have been set up with SEC=NO, so that external security is not used when they run. The system initialization parameters also specify that the IVP jobs are subject to transaction security (XTRAN=YES), resource security (Xyyy=YES), and command security (XCMD=YES).
As supplied, the DFH$SIP2 member of the SYSIN data set used by the DFHIVPBT job specifies SEC=NO, so that you can run this job without external security.

To run the IVP jobs with external security, you must:
- Define CICS resource profiles to RACF.
- Define an IVP default CICS user ID to RACF.
- Specify the IVP user ID on the DFLTUSER=userid system initialization parameter.
- Authorize the IVP user ID to run the transactions that are used as part of the IVP jobs. (See Table 1.) To do so, add the IVP user ID, with READ access, to the access list of the RACF profiles for the transaction member class (TCICSTRN) or the transaction group class (GCICSTRN).
- If you define the transactions as prefixed resources, you must also specify the system initialization parameter SECPRFX={YES|prefix} for the IVP jobs.
- Authorize the IVP user ID to access the resources that are used by the transactions. To do so, you add the IVP user ID, with appropriate authority, to the access list for the resource class profiles.
- Authorize the IVP user ID to issue SP-type commands using the CEMT main terminal transaction. To do so, you add the IVP user ID, with appropriate authority, to the access list of the RACF profiles for the resource member class (CCICSCMD) or the resource group class (VCICSCMD). You must give the IVP user ID UPDATE access for the SHUTDOWN resource class; otherwise, the user ID cannot end the IVP jobs. Give the IVP user ID UPDATE access for the DUMPDS and SYSTEM resource classes, if the DFHIVPBT job is to be run with external security.
The authority that the IVP user ID needs depends on the security options in effect:

- Without command security (XCMD=NO), the IVP user ID can run the IVP jobs without authority to use the CEMT SP-type commands or the resources that they access.
- With transaction security only (Xyyy=NO, including XCMD=NO), the IVP user ID can run the IVP jobs if it is authorized only for the transactions that are used as part of the IVP jobs.
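The RACF definitions described in the steps above, as an added example that is not part of this page or of any IBM-supplied job: a batch TSO job (IKJEFT01) that defines a protected IVP default user ID, groups the IVP transactions from Table 1 into one GCICSTRN profile, grants the CEMT SP-type command authority the IVP jobs need, and activates the classes. The user ID CICSIVP, the default group CICSGRP, the group profile name IVPTRAN and the job card are placeholders; resource-class profiles for the files and other resources the transactions use are site-specific and are not shown.

```jcl
//IVPRACF  JOB (ACCT),'DEFINE IVP USER',CLASS=A,MSGCLASS=X
//*
//* Placeholder names: CICSIVP (DFLTUSER), CICSGRP, IVPTRAN.
//* Matching SIT parameters for the IVP jobs: SEC=YES,
//* DFLTUSER=CICSIVP, XTRAN=YES, XCMD=YES (and SECPRFX if the
//* transactions are defined as prefixed resources).
//* UACC(NONE) on every profile keeps the IVP authority limited to
//* the IVP user ID; on a production system restrict it further.
//* Resource-class permits (files used by the FILEA samples etc.)
//* depend on the site and are not shown here.
//*
//RACFCMD  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDUSER CICSIVP NAME('IVP DEFAULT USER') DFLTGRP(CICSGRP) +
          NOPASSWORD NOOIDCARD
  RDEFINE GCICSTRN IVPTRAN UACC(NONE) +
          ADDMEM(CWTO CEMT CEOT CSFE +
                 AMNU MENU PMNU DMNU +
                 AINQ INQY PINQ DINQ +
                 AADD ADDS PADD DADD +
                 AUPD UPDT PUPD DUPD +
                 ABRW BRWS PBRW DBRW +
                 AORD OREN PORD DORD +
                 AORQ OREQ PORQ DORQ +
                 AREP REPT PREP DREP +
                 CETR CEDA CMAC CMSG CSGM)
  PERMIT IVPTRAN CLASS(GCICSTRN) ID(CICSIVP) ACCESS(READ)
  RDEFINE CCICSCMD SHUTDOWN UACC(NONE)
  PERMIT SHUTDOWN CLASS(CCICSCMD) ID(CICSIVP) ACCESS(UPDATE)
  RDEFINE CCICSCMD DUMPDS UACC(NONE)
  PERMIT DUMPDS CLASS(CCICSCMD) ID(CICSIVP) ACCESS(UPDATE)
  RDEFINE CCICSCMD SYSTEM UACC(NONE)
  PERMIT SYSTEM CLASS(CCICSCMD) ID(CICSIVP) ACCESS(UPDATE)
  SETROPTS CLASSACT(TCICSTRN CCICSCMD) RACLIST(TCICSTRN CCICSCMD)
  SETROPTS RACLIST(TCICSTRN CCICSCMD) REFRESH
/*
```

The DUMPDS and SYSTEM permits are only required when DFHIVPBT is run with external security; the SHUTDOWN permit is required for every IVP job, because without it the IVP user ID cannot end the job.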
Authorizing the IVP user ID
To run the IVP jobs with external security, you must define to RACF an IVP default CICS user ID that has authority to run the transactions used as part of the IVP jobs. These transactions include the CICS-supplied transactions that are listed in Table 1. The level of authority that the IVP user ID requires depends on the security that you want to use for the IVP jobs. On a production system, the default user must not have access to any CICS-supplied transactions except those that you require in your CICS environment. Limit the resource access authorizations that you give to the default user to those resources that you intend to be universally available, and therefore not restricted in any way.
For information about the security requirements for CICS-supplied transactions, and about CICS security in general, see Security for CICS-supplied transactions.
Table 1. Transactions used as part of the IVP jobs

| Application | Transactions |
|---|---|
| DFH$BTCH | CWTO, CEMT, CEOT, CSFE |
| FILEA samples | |
| DFH$MNU | AMNU, MENU, PMNU, DMNU |
| DFH$ALL | AINQ, INQY, PINQ, DINQ, AADD, ADDS, PADD, DADD, AUPD, UPDT, PUPD, DUPD |
| DFH$xBRW | ABRW, BRWS, PBRW, DBRW |
| DFH$REN | AORD, OREN, PORD, DORD |
| DFH$xCOM | AORQ, OREQ, PORQ, DORQ |
| DFH$REP | AREP, REPT, PREP, DREP |
| Other functions | CETR, CEDA, CMAC, CMSG, CSGM |