Analyzing security definitions using security discovery in CICS Explorer
It is assumed that you already have some transaction security definitions set up, which allow users to access the transactions they need for their job. There is no assumption about whether your users are in groups, or whether your transactions are in member lists. The process enables you to create or improve your user groups (roles) and member lists, and, by using the security discovery data (SDD), to identify anomalies, including unused permissions. If you currently use universal access permissions (UACC), which are not recommended for a zero-trust strategy, these can also be identified and resolved with this analysis process.
This process is likely to take several days, and can be done in a number of stages. You can save your work at any stage. Also, it is possible to export your data for review and implementation in stages. For example, you might have multiple application owners who need to review their application's security definitions, before you process them into your ESM.
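The kind of anomaly detection described above (permissions that are granted but never used, access that is broader than what is actually exercised, and access that only works because a profile's UACC is not NONE) can be illustrated in a few lines of Python. The example below is an added illustration, not part of the IBM documentation and not the format of the .esm file or of the security discovery data; the profiles, groups and observed accesses are constructed, the user IDs and profile names are hypothetical, and only the RACF class names TCICSTRN (transactions) and FCICSFCT (files) are real. Generic-profile matching is simplified to a trailing asterisk.

```python
"""Added example: flag security-definition anomalies of the kind that security
discovery analysis looks for, using constructed RACF-style data."""

# RACF access levels in ascending order of authority.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Constructed profile definitions (hypothetical profile names; real class names).
PROFILES = [
    {"class": "TCICSTRN", "profile": "PAY*", "uacc": "NONE",
     "permits": [("PAYROLL", "READ"), ("USER3", "READ")]},
    {"class": "TCICSTRN", "profile": "INQ1", "uacc": "READ", "permits": []},
    {"class": "FCICSFCT", "profile": "PAYFILE", "uacc": "NONE",
     "permits": [("PAYROLL", "UPDATE"), ("AUDIT", "UPDATE")]},
]

# Constructed group membership (hypothetical group and user IDs).
GROUPS = {"PAYROLL": {"USER1", "USER2"}, "AUDIT": {"USER4"}}

# Constructed observations of actual access: (user, class, resource, access used).
OBSERVED = [
    ("USER1", "TCICSTRN", "PAY1", "READ"),
    ("USER2", "TCICSTRN", "PAY2", "READ"),
    ("USER1", "FCICSFCT", "PAYFILE", "UPDATE"),
    ("USER4", "FCICSFCT", "PAYFILE", "READ"),
    ("USER9", "TCICSTRN", "INQ1", "READ"),
]


def profile_matches(profile_name, resource):
    """Simplified generic-profile matching: a trailing '*' matches any suffix."""
    if profile_name.endswith("*"):
        return resource.startswith(profile_name[:-1])
    return profile_name == resource


def members_of(ident, groups):
    """Expand a group ID to its users; a plain user ID expands to itself."""
    return set(groups.get(ident, {ident}))


def observed_access(profile, users, observed):
    """Highest access level any of `users` actually used on resources covered by `profile`."""
    best = "NONE"
    for user, cls, resource, access in observed:
        if (user in users and cls == profile["class"]
                and profile_matches(profile["profile"], resource)):
            if ACCESS_RANK[access] > ACCESS_RANK[best]:
                best = access
    return best


def find_unused_permits(profiles, groups, observed):
    """Access-list entries for which no member ever touched a covered resource."""
    unused = []
    for p in profiles:
        for ident, _granted in p["permits"]:
            if observed_access(p, members_of(ident, groups), observed) == "NONE":
                unused.append((p["class"], p["profile"], ident))
    return unused


def find_excess_access(profiles, groups, observed):
    """Entries whose granted level is higher than the level actually exercised."""
    excess = []
    for p in profiles:
        for ident, granted in p["permits"]:
            used = observed_access(p, members_of(ident, groups), observed)
            if used != "NONE" and ACCESS_RANK[used] < ACCESS_RANK[granted]:
                excess.append((p["class"], p["profile"], ident, granted, used))
    return excess


def find_uacc_reliance(profiles, groups, observed):
    """Users who reached a resource without being on its access list, which
    means the access succeeded only because the profile's UACC is not NONE."""
    reliant = []
    for p in profiles:
        if p["uacc"] == "NONE":
            continue
        permitted = set()
        for ident, _ in p["permits"]:
            permitted |= members_of(ident, groups)
        for user, cls, resource, _ in observed:
            if (cls == p["class"] and profile_matches(p["profile"], resource)
                    and user not in permitted):
                entry = (p["class"], p["profile"], user)
                if entry not in reliant:
                    reliant.append(entry)
    return reliant


if __name__ == "__main__":
    print("Unused permits:", find_unused_permits(PROFILES, GROUPS, OBSERVED))
    print("Excess access:", find_excess_access(PROFILES, GROUPS, OBSERVED))
    print("UACC reliance:", find_uacc_reliance(PROFILES, GROUPS, OBSERVED))
```

With the constructed data, USER3's permit on PAY* is reported as unused, the AUDIT group's UPDATE on PAYFILE is reported as excess because only READ was observed, and USER9's access to INQ1 is reported as depending on UACC(READ). Each finding maps to one of the remediation steps the process above describes: remove the unused permit, lower the granted level, or replace the UACC with an explicit group permit before setting UACC(NONE).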
- You have a single application in a set of CICS regions. See Analyzing security definitions for a single application in multiple regions.
- You have multiple applications in a set of CICS regions. See Analyzing security definitions for several applications in multiple regions.
Analyzing security definitions for a single application in multiple regions
| Stage | Input | Definitions analyzed | Result | Roles responsible |
|---|---|---|---|---|
| Analyzing security definitions based on similarity | Security metadata containing RACF definitions (.esm file) | | | System programmer |
| Initial review of security definitions for transactions with SDD | | | | System programmer |
| Understanding and improving security definitions for resources with SDD | | | | |
At each stage, you can export the security definitions from CICS Explorer as security metadata (.esm). The exported data can be reviewed by application owners or converted back into RACF definitions to make use of whatever changes were made. See Exporting security metadata for review.
Analyzing security definitions for several applications in multiple regions
In this case, you need to identify your transactions and resources associated with each application to work on a subset of data at a time. The Security Discovery editor in CICS Explorer provides an application filter function for you to define an application as well as its associated transactions and resources, making it easier to manage security definitions per application. This allows you to enable additional command and resource security (CMDSEC, RESSEC) for one application at a time.
| Stage | Input | Definitions analyzed | Result | Roles responsible |
|---|---|---|---|---|
| Analyzing security definitions based on similarity | Security metadata containing RACF definitions (.esm file) | | | System programmer |
| Initial review of security definitions for transactions with SDD | | | | System programmer |
| Defining applications to process work in segments | | | | |
| Defining security for resources associated with each application | | | | |
At each stage, you can export the security definitions from CICS Explorer as security metadata (.esm). The exported data can be reviewed by application owners or converted back into RACF definitions to make use of whatever changes were made. See Exporting security metadata for review.