CSL OM command security
OM command security is optionally performed during command processing.
Command security allows:
- The user to control which user IDs can enter IMS commands through OM
- The user ID to be associated with an application program address space
- The user ID to be the end user logged onto TSO SPOC
The CMDSEC= parameter is available on the OM startup procedure (CSLOM), the OM initialization PROCLIB member data set (CSLOIxxx), and the DFSCGxxx PROCLIB member data set. When it is specified as part of the OM startup procedure, it applies to all IMS commands, type-1 and type-2. When it is specified in the DFSCGxxx PROCLIB member data set, it applies only to type-1 commands entered through OM.

The differences between OM and IMS security are described in the following table.
Security method | CMDSEC=N | CMDSEC=A | CMDSEC=E | CMDSEC=R |
---|---|---|---|---|
OM Execution Parameter (CSLOM and CSLOIxxx) | No authorization checking is performed. This is the default. | Calls both RACF® and the CSL OM Security user exit routine for command authorization. | Calls the CSL OM Security user exit routine for command authorization. | Calls RACF for command authorization. Commands are part of the OPERCMDS resource class. |
DFSCGxxx PROCLIB member data set | No authorization checking is performed. This is the default. OM might perform command authorization. | Calls both RACF and the IMS Command Authorization Exit routine (DFSCCMD0) for command authorization. | Calls the IMS Command Authorization Exit routine (DFSCCMD0) for command authorization. | Calls RACF for command authorization. Commands are part of the CIMS resource class. |
Recommendation: Use OM command security rather than IMS command security.
RACF access authorities (READ or UPDATE) and resource names for all commands supported through the OM API are described in the "IMS commands, RACF access authorities and resource names" table. The RACF authorities indicate the access authority with which the command was registered.
Commands are registered to OM with the CSLOMBLD request. The access authority on the RACF PERMIT command must match the access authority with which the command was registered. For more information on registering commands with CSLOMBLD, see IMS Version 15 System Programming APIs.
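The following is an added example, not taken from the IBM documentation: it shows CMDSEC=R replacing the default CMDSEC=N in CSLOIxxx, with OPERCMDS profiles whose PERMIT access matches each command's registered authority. The IMSplex name PLEX1, the IDs IMSOPER and IMSADMIN, the resource name form IMS.plxname.verb.keyword, and the READ/UPDATE levels for QRY TRAN and UPD TRAN are assumptions to verify against the resource names table for your system.

```tso
/* ---- CSLOIxxx, OM initialization PROCLIB member (constructed) --- */
/* Before: CMDSEC=N (the default), no authorization checking.        */
/* After:  RACF authorizes commands entered through OM.              */
CMDSEC=R
IMSPLEX(NAME=PLEX1)              /* constructed name, plex CSLPLEX1  */

/* ---- RACF commands entered from TSO (constructed IDs) ----------- */
/* Activate the class, allow generic profiles, keep it in storage.   */
SETROPTS CLASSACT(OPERCMDS) GENERIC(OPERCMDS) RACLIST(OPERCMDS)

/* Backstop profile: nothing under this IMSplex is open by default.  */
RDEFINE OPERCMDS IMS.CSLPLEX1.** UACC(NONE)

/* QRY TRAN: assumed registered with READ, so PERMIT uses READ.      */
RDEFINE OPERCMDS IMS.CSLPLEX1.QRY.TRAN UACC(NONE)
PERMIT IMS.CSLPLEX1.QRY.TRAN CLASS(OPERCMDS) ID(IMSOPER) ACCESS(READ)

/* UPD TRAN: assumed registered with UPDATE, so PERMIT uses UPDATE.  */
RDEFINE OPERCMDS IMS.CSLPLEX1.UPD.TRAN UACC(NONE)
PERMIT IMS.CSLPLEX1.UPD.TRAN CLASS(OPERCMDS) ID(IMSADMIN) ACCESS(UPDATE)

/* Make the new profiles effective for the RACLISTed class.          */
SETROPTS RACLIST(OPERCMDS) REFRESH

/* Review: list the access list of a profile after the change.       */
RLIST OPERCMDS IMS.CSLPLEX1.UPD.TRAN AUTHUSER
```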