Resources subject to command security checking
For transaction and resource security checking, you identify resources to RACF® by using identifiers that you assign to them yourself; for example, file names, queue names, and transaction names. For command security, however, the resource identifiers are all predefined by CICS®, and you use these predefined names when you define the resource profiles to RACF or as the RESID value on the QUERY SECURITY command.
Table 1 shows the complete list of resource identifiers that are subject to command security checking, together with the associated commands. Most of these commands are common to the CEMT and EXEC CICS interfaces; commands that are specific to CEMT carry the CEMT prefix.
If you use prefixing, the value specified by the SECPRFX SIT parameter must prefix the command resource name.
If you use QUERY SECURITY to query a user's access to resources, use the resource identifiers with the EXEC CICS QUERY SECURITY RESTYPE('SPCOMMAND') command.
| Resource identifier (RESID) | Associated CICS commands |
|---|---|
| ASSOCIATION | INQUIRE ASSOCIATION, SET ASSOCIATION USERCORRDATA |
| ATOMSERVICE | CREATE ATOMSERVICE, DISCARD ATOMSERVICE, INQUIRE ATOMSERVICE, SET ATOMSERVICE |
| AUTINSTMODEL | DISCARD AUTINSTMODEL, INQUIRE AUTINSTMODEL |
| AUTOINSTALL | INQUIRE AUTOINSTALL, SET AUTOINSTALL |
| BRFACILITY | INQUIRE BRFACILITY, SET BRFACILITY |
| BUNDLE | CREATE BUNDLE, DISCARD BUNDLE, INQUIRE BUNDLE, SET BUNDLE |
| BUNDLEPART | INQUIRE BUNDLEPART |
| CAPDATAPRED | INQUIRE CAPDATAPRED |
| CAPINFOSRCE | INQUIRE CAPINFOSRCE |
| CAPOPTPRED | INQUIRE CAPOPTPRED |
| CAPTURESPEC | INQUIRE CAPTURESPEC |
| CFDTPOOL | INQUIRE CFDTPOOL |
| CONNECTION | CREATE CONNECTION, DISCARD CONNECTION, INQUIRE CONNECTION, SET CONNECTION |
| CSD | CSD ADD, CSD ALTER, CSD APPEND, CSD COPY, CSD DEFINE, CSD DELETE, CSD DISCONNECT, CSD ENDBRGROUP, CSD ENDBRLIST, CSD ENDBRRSRCE, CSD GETNEXTGROUP, CSD GETNEXTLIST, CSD GETNEXTRSRCE, CSD INQUIREGROUP, CSD INQUIRELIST, CSD INQUIRERSRCE, CSD INSTALL, CSD LOCK, CSD REMOVE, CSD RENAME, CSD STARTBRGROUP, CSD STARTBRLIST, CSD STARTBRRSRCE, CSD UNLOCK, CSD USERDEFINE |
| DB2CONN | CREATE DB2CONN, DISCARD DB2CONN, INQUIRE DB2CONN, SET DB2CONN |
| DB2ENTRY | CREATE DB2ENTRY, DISCARD DB2ENTRY, INQUIRE DB2ENTRY, SET DB2ENTRY |
| DB2TRAN | CREATE DB2TRAN, DISCARD DB2TRAN, INQUIRE DB2TRAN, SET DB2TRAN |
| DELETSHIPPED | INQUIRE DELETSHIPPED, PERFORM DELETSHIPPED, SET DELETSHIPPED |
| DISPATCHER | INQUIRE DISPATCHER, SET DISPATCHER |
| DOCTEMPLATE | CREATE DOCTEMPLATE, DISCARD DOCTEMPLATE, INQUIRE DOCTEMPLATE, SET DOCTEMPLATE |
| DSNAME | INQUIRE DSNAME, SET DSNAME |
| DUMP | CEMT PERFORM SNAP, PERFORM DUMP |
| DUMPCODE | CREATE DUMPCODE |
| DUMPDS | INQUIRE DUMPDS, SET DUMPDS |
| ENQMODEL | CREATE ENQMODEL, INQUIRE ENQMODEL, SET ENQMODEL |
| EPADAPTER | INQUIRE EPADAPTER¹, SET EPADAPTER |
| EPADAPTERSET | INQUIRE EPADAPTERSET¹, SET EPADAPTERSET |
| EPADAPTINSET | INQUIRE EPADAPTINSET¹ |
| EVENTBINDING | INQUIRE EVENTBINDING¹, SET EVENTBINDING |
| EVENTPROCESS | INQUIRE EVENTPROCESS, SET EVENTPROCESS |
| EXCI | INQUIRE EXCI |
| EXITPROGRAM | DISABLE PROGRAM, ENABLE PROGRAM, EXTRACT EXIT, RESYNC ENTRYNAME, INQUIRE EXITPROGRAM |
| FEPI resources | Some FEPI commands |
| FILE | CREATE FILE, DISCARD FILE, INQUIRE FILE, SET FILE |
| HOST | INQUIRE HOST, SET HOST |
| IPCONN | CREATE IPCONN, DISCARD IPCONN, INQUIRE IPCONN, SET IPCONN |
| IRC | INQUIRE IRC, SET IRC |
| JOURNALMODEL | CEMT INQUIRE JMODEL, CREATE JOURNALMODEL, DISCARD JOURNALMODEL, INQUIRE JOURNALMODEL |
| JOURNALNAME | INQUIRE JOURNALNAME, SET JOURNALNAME |
| JVMENDPOINT | INQUIRE JVMENDPOINT, SET JVMENDPOINT |
| JVMSERVER | CREATE JVMSERVER, DISCARD JVMSERVER, INQUIRE JVMSERVER, PERFORM JVMSERVER, SET JVMSERVER |
| LIBRARY | CREATE LIBRARY¹, DISCARD LIBRARY, INQUIRE LIBRARY, SET LIBRARY |
| LINE | CEMT INQUIRE LINE, CEMT SET LINE |
| LSRPOOL | CREATE LSRPOOL |
| MAPSET | CREATE MAPSET |
| MODENAME | INQUIRE MODENAME, SET MODENAME |
| MONITOR | INQUIRE MONITOR, SET MONITOR |
| MQCONN | CREATE MQCONN, DISCARD MQCONN, INQUIRE MQCONN, SET MQCONN |
| MQMON | CREATE MQMONITOR, DISCARD MQMONITOR, INQUIRE MQMONITOR, SET MQMONITOR |
| MVSTCB | COLLECT STATISTICS, INQUIRE MVSTCB |
| NODEJSAPP | INQUIRE NODEJSAPP¹ |
| OSGIBUNDLE | INQUIRE OSGIBUNDLE¹ |
| OSGISERVICE | INQUIRE OSGISERVICE¹ |
| OTEL (6.3 and later) | CEMT INQUIRE OTEL, CEMT SET OTEL, INQUIRE OTEL, SET OTEL |
| PARTITIONSET | CREATE PARTITIONSET |
| PARTNER | CREATE PARTNER, DISCARD PARTNER, INQUIRE PARTNER |
| PIPELINE | CREATE PIPELINE, DISCARD PIPELINE, INQUIRE PIPELINE, PERFORM PIPELINE, SET PIPELINE |
| POLICY | INQUIRE POLICY¹ |
| POLICYRULE | INQUIRE POLICYRULE¹ |
| PROCESSTYPE | CEMT INQUIRE PROCESSTYPE, CEMT SET PROCESSTYPE, CREATE PROCESSTYPE, DISCARD PROCESSTYPE |
| PROFILE | CREATE PROFILE, DISCARD PROFILE, INQUIRE PROFILE |
| PROGRAM | CREATE PROGRAM¹, DISCARD PROGRAM, INQUIRE PROGRAM, SET PROGRAM, SET PROGRAM REPLICATION. SET PROGRAM REPLICATION has additional command security checking beyond that of SET PROGRAM. |
| REQID | INQUIRE REQID |
| RESETTIME | PERFORM RESETTIME |
| RRMS | INQUIRE RRMS |
| SECURITY | INQUIRE SECDISCOVERY (6.2 and later), INQUIRE SECRECORDING, PERFORM SECDISCOVERY (6.2 and later), PERFORM SECURITY REBUILD, PERFORM SSL REBUILD, SET SECDISCOVERY (6.2 and later), SET SECRECORDING |
| SESSIONS | CREATE SESSIONS |
| SHUTDOWN | PERFORM SHUTDOWN. Take particular care when you authorize access to this command and to any other CICS command that includes the SHUTDOWN option. |
| STATISTICS | COLLECT STATISTICS, EXTRACT STATISTICS, PERFORM STATISTICS RECORD, INQUIRE STATISTICS, SET STATISTICS |
| STORAGE | INQUIRE STORAGE, INQUIRE STORAGE64 |
| STREAMNAME | INQUIRE STREAMNAME |
| SUBPOOL | INQUIRE SUBPOOL |
| SYSDUMPCODE | INQUIRE SYSDUMPCODE, SET SYSDUMPCODE |
| SYSTEM | INQUIRE SYSTEM, SET SYSTEM, INQUIRE FEATUREKEY |
| TASK | INQUIRE TASK, SET TASK |
| TCLASS | CREATE TRANCLASS, DISCARD TRANCLASS, INQUIRE TRANCLASS, SET TRANCLASS, INQUIRE TCLASS, SET TCLASS |
| TCPIP | INQUIRE TCPIP, SET TCPIP |
| TCPIPSERVICE | CREATE TCPIPSERVICE, DISCARD TCPIPSERVICE, INQUIRE TCPIPSERVICE, SET TCPIPSERVICE |
| TDQUEUE | CREATE TDQUEUE, DISCARD TDQUEUE, INQUIRE TDQUEUE, SET TDQUEUE |
| TEMPSTORAGE | INQUIRE TEMPSTORAGE, SET TEMPSTORAGE |
| TERMINAL | INQUIRE NETNAME², SET NETNAME, CREATE TERMINAL, DISCARD TERMINAL, INQUIRE TERMINAL, SET TERMINAL |
| TRACEDEST | INQUIRE TRACEDEST, SET TRACEDEST |
| TRACEFLAG | INQUIRE TRACEFLAG, SET TRACEFLAG |
| TRACETYPE | INQUIRE TRACETYPE, SET TRACETYPE |
| TRANDUMPCODE | INQUIRE TRANDUMPCODE, SET TRANDUMPCODE |
| TRANSACTION | CREATE TRANSACTION¹, DISCARD TRANSACTION, INQUIRE TRANSACTION, SET TRANSACTION |
| TSMODEL | CREATE TSMODEL, DISCARD TSMODEL, INQUIRE TSMODEL |
| TSPOOL | INQUIRE TSPOOL |
| TSQUEUE | INQUIRE TSQUEUE |
| TSQNAME | INQUIRE TSQNAME, SET TSQNAME |
| TYPETERM | CREATE TYPETERM |
| UOW | INQUIRE UOW, SET UOW |
| UOWDSNFAIL | INQUIRE UOWDSNFAIL |
| UOWENQ | INQUIRE UOWENQ |
| UOWLINK | SET UOWLINK, INQUIRE UOWLINK |
| URIMAP | CREATE URIMAP¹, DISCARD URIMAP, INQUIRE URIMAP, SET URIMAP |
| VTAM® | INQUIRE VTAM, SET VTAM |
| WEB | INQUIRE WEB, SET WEB |
| WEBSERVICE | CREATE WEBSERVICE, DISCARD WEBSERVICE, INQUIRE WEBSERVICE, SET WEBSERVICE |
| WLMHEALTH | INQUIRE WLMHEALTH, SET WLMHEALTH |
| XMLTRANSFORM | INQUIRE XMLTRANSFORM, SET XMLTRANSFORM |
Notes:
- ¹ Bundle command security applies when you use an SPI command to act on a BUNDLE resource and, in doing so, install, enable, disable, or discard dynamically generated resources of this type that are defined in the CICS bundle. When you install, enable, disable, or discard dynamically generated resources of this type through an application or a platform, CICS command security is not applied. For more information, see Security for bundles.
- ² (6.2 and later) For INQUIRE TERMINAL, INQUIRE NETNAME, and SET TERMINAL, command security checking is not performed if the task or program that issues the command was started by, or is attached to, the same terminal that the command inquires on or modifies. This is because resource security checking was already performed on the terminal when the program or task was started by or attached to it. The following options are exceptions for which command security checking is still performed:
  - Browse options (START, NEXT, and END) on INQUIRE TERMINAL or INQUIRE NETNAME
  - Trace options (EXITTRACING, TRACING, and ZCPTRACING), the naming option (OPERID), and the purge option (PURGETYPE) on SET TERMINAL
Resource profile examples: command security checking
Define resource profiles to RACF by using the resource names in Table 1 as profile names, with access lists as required. Alternatively, you can create resource group profiles in the VCICSCMD class.
In the following example, the RDEFINE command defines a profile named CMDSAMP. The ADDMEM operand specifies the commands that this profile protects. The PERMIT command allows a group of users to issue the INQUIRE form of those commands:

```
RDEFINE VCICSCMD CMDSAMP UACC(NONE)
        NOTIFY(sys_admin_userid)
        ADDMEM(AUTINSTMODEL, AUTOINSTALL, CONNECTION,
               DSNAME, TRANSACTION, TRANDUMPCODE, VTAM)
PERMIT CMDSAMP CLASS(VCICSCMD) ID(operator_group) ACCESS(READ)
```

The second example defines a profile named CMDSAMP1 that uses the same commands on the ADDMEM operand as the previous example. The PERMIT command allows a group of users to issue PERFORM, SET, and DISCARD for those commands:

```
RDEFINE VCICSCMD CMDSAMP1 UACC(NONE)
        NOTIFY(sys_admin_userid)
        ADDMEM(AUTINSTMODEL, AUTOINSTALL, CONNECTION,
               DSNAME, TRANSACTION, TRANDUMPCODE, VTAM)
PERMIT CMDSAMP1 CLASS(VCICSCMD) ID(op_group_2) ACCESS(UPDATE)
```

Users need the access levels shown in Resource and command check cross-reference.
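To show how the pieces above fit together, here is an added, simplified Python model (not CICS or RACF code) of a command being mapped to its predefined RESID, prefixed per SECPRFX, and checked against the CMDSAMP and CMDSAMP1 group profiles; the command map is a small excerpt of Table 1, and the merge rule for overlapping group profiles is a stated simplification.

```python
# Added example: a simplified model of CICS command security against RACF
# VCICSCMD resource group profiles. Not CICS or RACF code; the command map is
# an excerpt of Table 1 and the profiles are CMDSAMP/CMDSAMP1 from this page.

# Excerpt of Table 1: (verb, resource keyword) -> predefined RESID.
COMMAND_TO_RESID = {
    ("INQUIRE", "TRANSACTION"): "TRANSACTION", ("SET", "TRANSACTION"): "TRANSACTION",
    ("DISCARD", "TRANSACTION"): "TRANSACTION", ("INQUIRE", "DSNAME"): "DSNAME",
    ("SET", "DSNAME"): "DSNAME", ("PERFORM", "SHUTDOWN"): "SHUTDOWN",
}

# Access each verb needs: INQUIRE -> READ, PERFORM/SET/DISCARD -> UPDATE, as in
# the PERMIT examples on this page. Other verbs are deliberately left out.
REQUIRED_ACCESS = {"INQUIRE": "READ", "SET": "UPDATE",
                   "PERFORM": "UPDATE", "DISCARD": "UPDATE"}

# RACF access authorities are hierarchical: UPDATE satisfies a READ check.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

# The two VCICSCMD group profiles defined above (RDEFINE ... ADDMEM / PERMIT).
SAMPLE_MEMBERS = {"AUTINSTMODEL", "AUTOINSTALL", "CONNECTION", "DSNAME",
                  "TRANSACTION", "TRANDUMPCODE", "VTAM"}
VCICSCMD_PROFILES = [
    {"name": "CMDSAMP", "uacc": "NONE", "members": SAMPLE_MEMBERS,
     "permits": {"operator_group": "READ"}},
    {"name": "CMDSAMP1", "uacc": "NONE", "members": SAMPLE_MEMBERS,
     "permits": {"op_group_2": "UPDATE"}},
]

def resource_name(resid, secprfx=None):
    """Name CICS passes to the ESM: the RESID, prefixed when SECPRFX is in use."""
    return f"{secprfx}.{resid}" if secprfx else resid

def check_command(group, verb, keyword, secprfx=None, profiles=VCICSCMD_PROFILES):
    """Return 'ALLOWED', 'DENIED', or 'NOPROF' (no profile covers the resource).
    Simplification: when several group profiles cover the same member, the highest
    authority granted to the group (or UACC if it is on no access list) is used."""
    resid = COMMAND_TO_RESID.get((verb, keyword))
    if resid is None:  # not in our Table 1 excerpt
        return "NOPROF"
    name = resource_name(resid, secprfx)
    covering = [p for p in profiles if name in p["members"]]
    if not covering:  # e.g. SECPRFX on, but profiles were defined without the prefix
        return "NOPROF"
    granted = max(ACCESS_RANK[p["permits"].get(group, p["uacc"])] for p in covering)
    return "ALLOWED" if granted >= ACCESS_RANK[REQUIRED_ACCESS[verb]] else "DENIED"
```

The `secprfx` case illustrates the prefixing rule in the text: with SECPRFX in effect, member names defined without the prefix no longer match the name CICS presents.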