Resources subject to command security checking
For transaction and resource security checking, you identify the resources to RACF® by using the identifiers that you assigned to them; for example, file names, queue names, and transaction names. However, for command security, the resource identifiers are all predefined by CICS®, and you use these predefined names when you define resource profiles to RACF or as the RESID values on the QUERY SECURITY command.
The full list of resource identifiers that are subject to command security checking with the associated commands is shown in Table 1. Most of these commands are common to both the CEMT and EXEC CICS interfaces; commands that are specific to CEMT have the CEMT prefix.
If you use prefixing, the value that is specified by the SECPRFX SIT parameter must be prefixed to the command resource name.
If you use QUERY SECURITY to query a user's access to resources, use
identifiers from the Resource identifier column as the RESID values when
issuing the EXEC CICS QUERY SECURITY RESTYPE('SPCOMMAND') command.
| Resource identifier (RESID) | Related CICS commands |
|---|---|
| ASSOCIATION |
INQUIRE ASSOCIATION
SET ASSOCIATION USERCORRDATA |
| ATOMSERVICE | CREATE ATOMSERVICE
DISCARD ATOMSERVICE INQUIRE ATOMSERVICE SET ATOMSERVICE |
| AUTINSTMODEL | DISCARD AUTINSTMODEL
INQUIRE AUTINSTMODEL |
| AUTOINSTALL | INQUIRE AUTOINSTALL
SET AUTOINSTALL |
| BRFACILITY | INQUIRE BRFACILITY
SET BRFACILITY |
| BUNDLE | CREATE BUNDLE
DISCARD BUNDLE INQUIRE BUNDLE SET BUNDLE |
| BUNDLEPART | INQUIRE BUNDLEPART |
| CAPDATAPRED | INQUIRE CAPDATAPRED |
| CAPINFOSRCE | INQUIRE CAPINFOSRCE |
| CAPOPTPRED | INQUIRE CAPOPTPRED |
| CAPTURESPEC | INQUIRE CAPTURESPEC |
| CFDTPOOL | INQUIRE CFDTPOOL |
| CONNECTION | CREATE CONNECTION
DISCARD CONNECTION INQUIRE CONNECTION SET CONNECTION |
| CSD | CSD ADD
CSD ALTER CSD APPEND CSD COPY CSD DEFINE CSD DELETE CSD DISCONNECT CSD ENDBRGROUP CSD ENDBRLIST CSD ENDBRRSRCE CSD GETNEXTGROUP CSD GETNEXTLIST CSD GETNEXTRSRCE CSD INQUIREGROUP CSD INQUIRELIST CSD INQUIRERSRCE CSD INSTALL CSD LOCK CSD REMOVE CSD RENAME CSD STARTBRGROUP CSD STARTBRLIST CSD STARTBRRSRCE CSD UNLOCK CSD USERDEFINE |
| DB2CONN | CREATE DB2CONN
DISCARD DB2CONN INQUIRE DB2CONN SET DB2CONN |
| DB2ENTRY | CREATE DB2ENTRY
DISCARD DB2ENTRY INQUIRE DB2ENTRY SET DB2ENTRY |
| DB2TRAN | CREATE DB2TRAN
DISCARD DB2TRAN INQUIRE DB2TRAN SET DB2TRAN |
| DELETSHIPPED | INQUIRE DELETSHIPPED
PERFORM DELETSHIPPED SET DELETSHIPPED |
| DISPATCHER | INQUIRE DISPATCHER
SET DISPATCHER |
| DOCTEMPLATE | CREATE DOCTEMPLATE
DISCARD DOCTEMPLATE INQUIRE DOCTEMPLATE SET DOCTEMPLATE |
| DSNAME | INQUIRE DSNAME
SET DSNAME |
| DUMP | CEMT PERFORM SNAP
PERFORM DUMP |
| DUMPCODE | CREATE DUMPCODE |
| DUMPDS | INQUIRE DUMPDS
SET DUMPDS |
| ENQMODEL | CREATE ENQMODEL
INQUIRE ENQMODEL SET ENQMODEL |
| EPADAPTER | INQUIRE EPADAPTER
1 SET EPADAPTER |
| EPADAPTERSET | INQUIRE EPADAPTERSET
1 SET EPADAPTERSET |
| EPADAPTINSET | INQUIRE EPADAPTINSET
1 |
| EVENTBINDING | INQUIRE EVENTBINDING
1 SET EVENTBINDING |
| EVENTPROCESS | INQUIRE EVENTPROCESS
SET EVENTPROCESS |
| EXCI | INQUIRE EXCI |
| EXITPROGRAM | DISABLE PROGRAM
ENABLE PROGRAM EXTRACT EXIT RESYNC ENTRYNAME INQUIRE EXITPROGRAM |
| FEPIRESOURCE | Certain FEPI commands |
| FILE | CREATE FILE
DISCARD FILE INQUIRE FILE SET FILE |
| HOST | INQUIRE HOST
SET HOST |
| IPCONN | CREATE IPCONN
DISCARD IPCONN INQUIRE IPCONN SET IPCONN |
| IRC | INQUIRE IRC
SET IRC |
| JOURNALMODEL | CEMT INQUIRE JMODEL
CREATE JOURNALMODEL DISCARD JOURNALMODEL INQUIRE JOURNALMODEL |
| JOURNALNAME | INQUIRE JOURNALNAME
SET JOURNALNAME |
| JVMENDPOINT |
INQUIRE JVMENDPOINT
SET JVMENDPOINT |
| JVMSERVER | CREATE JVMSERVER
DISCARD JVMSERVER INQUIRE JVMSERVER PERFORM JVMSERVER SET JVMSERVER |
| LIBRARY | CREATE LIBRARY
1 DISCARD LIBRARY INQUIRE LIBRARY SET LIBRARY |
| LINE | CEMT INQUIRE LINE
CEMT SET LINE |
| LSRPOOL | CREATE LSRPOOL |
| MAPSET | CREATE MAPSET |
| MODENAME | INQUIRE MODENAME
SET MODENAME |
| MONITOR | INQUIRE MONITOR
SET MONITOR |
| MQCONN | CREATE MQCONN
DISCARD MQCONN INQUIRE MQCONN SET MQCONN |
| MQMON |
CREATE MQMONITOR
DISCARD MQMONITOR INQUIRE MQMONITOR SET MQMONITOR |
| MVSTCB | COLLECT STATISTICS
INQUIRE MVSTCB |
| NODEJSAPP | INQUIRE NODEJSAPP 1 |
| OSGIBUNDLE | INQUIRE OSGIBUNDLE 1 |
| OSGISERVICE | INQUIRE OSGISERVICE 1 |
| 6.3 OTEL |
CEMT INQUIRE OTEL
CEMT SET OTEL INQUIRE OTEL SET OTEL |
| PARTITIONSET | CREATE PARTITIONSET |
| PARTNER | CREATE PARTNER
DISCARD PARTNER INQUIRE PARTNER |
| PIPELINE | CREATE PIPELINE
DISCARD PIPELINE INQUIRE PIPELINE PERFORM PIPELINE SET PIPELINE |
| POLICY | INQUIRE POLICY
1 |
| POLICYRULE | INQUIRE POLICYRULE
1 |
| PROCESSTYPE | CEMT INQUIRE PROCESSTYPE
CEMT SET PROCESSTYPE CREATE PROCESSTYPE DISCARD PROCESSTYPE |
| PROFILE | CREATE PROFILE
DISCARD PROFILE INQUIRE PROFILE |
| PROGRAM | CREATE PROGRAM
1 DISCARD PROGRAM INQUIRE PROGRAM SET PROGRAM SET PROGRAM REPLICATION SET PROGRAM REPLICATION has extra command security checking beyond SET PROGRAM. |
| REQID | INQUIRE REQID |
| RESETTIME | PERFORM RESETTIME |
| RRMS | INQUIRE RRMS |
| SECURITY | 6.2 and later INQUIRE SECDISCOVERY INQUIRE SECRECORDING 6.2 and later PERFORM SECDISCOVERY PERFORM SECURITY REBUILD PERFORM SSL REBUILD 6.2 and later SET SECDISCOVERY SET SECRECORDING |
| SESSIONS | CREATE SESSIONS |
| SHUTDOWN | PERFORM SHUTDOWN Be particularly cautious when your authorize access to these and any other CICS commands that include a SHUTDOWN option. |
| STATISTICS | COLLECT STATISTICS
EXTRACT STATISTICS PERFORM STATISTICS RECORD INQUIRE STATISTICS SET STATISTICS |
| STORAGE |
INQUIRE STORAGE
INQUIRE STORAGE64 |
| STREAMNAME | INQUIRE STREAMNAME |
| SUBPOOL | INQUIRE SUBPOOL |
| SYSDUMPCODE | INQUIRE SYSDUMPCODE
SET SYSDUMPCODE |
| SYSTEM | INQUIRE SYSTEM
SET SYSTEM INQUIRE FEATUREKEY |
| TASK | INQUIRE TASK
SET TASK |
| TCLASS | CREATE TRANCLASS
DISCARD TRANCLASS INQUIRE TRANCLASS SET TRANCLASS INQUIRE TCLASS SET TCLASS |
| TCPIP | INQUIRE TCPIP
SET TCPIP |
| TCPIPSERVICE | CREATE TCPIPSERVICE
DISCARD TCPIPSERVICE INQUIRE TCPIPSERVICE SET TCPIPSERVICE |
| TDQUEUE | CREATE TDQUEUE
DISCARD TDQUEUE INQUIRE TDQUEUE SET TDQUEUE |
| TEMPSTORAGE | INQUIRE TEMPSTORAGE
SET TEMPSTORAGE |
| TERMINAL | INQUIRE NETNAME
2 SET NETNAME CREATE TERMINAL DISCARD TERMINAL INQUIRE TERMINAL SET TERMINAL |
| TRACEDEST | INQUIRE TRACEDEST
SET TRACEDEST |
| TRACEFLAG | INQUIRE TRACEFLAG
SET TRACEFLAG |
| TRACETYPE | INQUIRE TRACETYPE
SET TRACETYPE |
| TRANDUMPCODE | INQUIRE TRANDUMPCODE
SET TRANDUMPCODE |
| TRANSACTION | CREATE TRANSACTION
1 DISCARD TRANSACTION INQUIRE TRANSACTION SET TRANSACTION |
| TSMODEL | CREATE TSMODEL
DISCARD TSMODEL INQUIRE TSMODEL |
| TSPOOL | INQUIRE TSPOOL |
| TSQUEUE | INQUIRE TSQUEUE |
| TSQNAME | INQUIRE TSQNAME
SET TSQNAME |
| TYPETERM | CREATE TYPETERM |
| UOW | INQUIRE UOW
SET UOW |
| UOWDSNFAIL | INQUIRE UOWDSNFAIL |
| UOWENQ | INQUIRE UOWENQ |
| UOWLINK | SET UOWLINK
INQUIRE UOWLINK |
| URIMAP | CREATE URIMAP
1 DISCARD URIMAP INQUIRE URIMAP SET URIMAP |
| VTAM® | INQUIRE VTAM
SET VTAM |
| WEB | INQUIRE WEB
SET WEB |
| WEBSERVICE | CREATE WEBSERVICE
DISCARD WEBSERVICE INQUIRE WEBSERVICE SET WEBSERVICE |
| WLMHEALTH |
INQUIRE WLMHEALTH
SET WLMHEALTH |
| XMLTRANSFORM | INQUIRE XMLTRANSFORM
SET XMLTRANSFORM |
Notes:
- Bundle command security applies when you use SPI commands to perform an action on a BUNDLE resource, and in that process you install, enable, disable, or discard a dynamically generated resource of this type that was defined in the CICS bundle. No CICS command security applies when you install, enable, disable, or discard a dynamically generated resource of this type through an application or platform. For more information, see Security for bundles.
- 6.2 and later
For INQUIRE TERMINAL,
INQUIRE NETNAME, and SET TERMINAL, command security checking
is not performed if the task or program that issues the command was started or attached to the same
terminal that is being inquired or modified by the command. This is because resource security
checking was already performed on the terminal when the program or task was started or attached to
the terminal. The following options are exceptions, where the command security checking is still performed:
- Browsing options (START, NEXT, and END) on INQUIRE TERMINAL or INQUIRE NETNAME
- Tracing options (EXITTRACING, TRACING, and ZCPTRACING), the naming option (OPERID), and the purging option (PURGETYPE) on SET TERMINAL
Resource profile examples: command security checking
Define resource profiles to RACF, with access lists as required, by using the resource names in Table 1 as the profile names. Alternatively, you can create resource group profiles in the VCICSCMD class.
In the following example, the RDEFINE command defines a profile that is named
CMDSAMP. The commands that are protected by this profile are specified on the ADDMEM operand. The
PERMIT command allows a group of users to issue the commands for INQUIRE:
RDEFINE VCICSCMD CMDSAMP UACC(NONE)
NOTIFY(sys_admin_userid)
ADDMEM(AUTINSTMODEL, AUTOINSTALL, CONNECTION,
DSNAME, TRANSACTION, TRANDUMPCODE, VTAM)
PERMIT CMDSAMP CLASS(VCICSCMD) ID(operator_group) ACCESS(READ)The second example defines a profile that is called CMDSAMP1 with the same commands in the ADDMEM
operand, as in the previous example. The PERMIT command allows a group of users
to issue PERFORM, SET, and DISCARD against these commands:
RDEFINE VCICSCMD CMDSAMP1 UACC(NONE)
NOTIFY(sys_admin_userid)
ADDMEM(AUTINSTMODEL, AUTOINSTALL, CONNECTION,
DSNAME, TRANSACTION, TRANDUMPCODE, VTAM)
PERMIT CMDSAMP1 CLASS(VCICSCMD) ID(op_group_2) ACCESS(UPDATE)Users require the access levels that are shown in Resource and command check cross-reference.