You can secure resources for applications that are deployed on platforms by creating RACF® security profiles for CICSPlex® SM in the CPSMOBJ class to cover platforms and applications in a CICSplex.
Security for platforms and applications is set up in a similar way to security for other CICSPlex SM components. You control access to a specific set of views (and their associated action commands) by identifying the set in a security profile. With these security profiles, you can give users authority to install, enable or disable, inquire on, or discard platforms and applications, and ensure that unauthorized users cannot create and administer these resources.
When you give a user authority to perform an action on a platform or application, you also give them authority to perform the same action on the dynamically generated resources for the platform or application. For example, a user who has authority to enable an application also has authority to enable the CICS® bundles for the application that were installed in CICS regions in all the platforms in the CICSplex. CICS command and resource security checks, and simulated CICS security checking in CICSPlex SM, are not carried out when you operate on CICS bundles through an application or platform.
Users with UPDATE access for the CLOUD.DEF profile can create, update, and remove definitions for platforms and applications in the CICSPlex SM data repository. Users with READ access can view those definitions in the CICSPlex SM data repository.
Users with ALTER access for the CLOUD.PLATFORM profile can install platforms in the CICSplex and discard them. (To install a platform, users also need READ access for the CLOUD.DEF profile that covers the PLATDEF resource.) Users with UPDATE access can enable and disable platforms. Users with UPDATE access can also add CICS regions to region types in the platform and remove CICS regions from region types in the platform. Users with READ access can view PLATFORM resources and MGMTPART resources. These permissions apply for all platforms that exist in the CICSplex.
Users with ALTER access for the CLOUD.APPLICATION profile can install applications in the CICSplex and discard them. (To install an application, users also need READ access for the CLOUD.DEF profile that covers the APPLDEF resource.) Users with UPDATE access can enable and disable applications. Users with READ access can view APPLCTN resources. These permissions apply for all applications in all platforms that exist in the CICSplex. If you require different security permissions for certain applications, use a different CICSplex to host the platform where you deploy the application.
If you used CICS bundles in earlier CICS releases, check the security permissions that you gave to users for those bundles. Depending on the way in which you set up security for CICS bundles, users with authority to take actions on individual CICS bundles might now be able to act on resources that are dynamically created as part of the installation of a bundle. Ensure that the levels of authority for BUNDLE resources are still appropriate.
Operation | Platforms, including their CICS bundles | Applications, including their CICS bundles | Dynamically created CICS bundles | Resources defined in dynamically created CICS bundles |
---|---|---|---|---|
Define | CLOUD.DEF profile (UPDATE, or READ to view definitions); also TOPOLOGY.DEF profile (UPDATE to modify individual CICS region CSYSDEF after platform install) | CLOUD.DEF profile (UPDATE, or READ to view definitions) | Cannot manage resource definitions individually | Cannot manage resource definitions individually |
Install | CLOUD.PLATFORM profile (ALTER) and CLOUD.DEF profile (READ) | CLOUD.APPLICATION profile (ALTER) and CLOUD.DEF profile (READ) | Cannot install individually | Cannot install individually |
Enable or disable | CLOUD.PLATFORM profile (UPDATE) | CLOUD.APPLICATION profile (UPDATE) | CICS command and resource security, and simulated CICS security checking in CICSPlex SM; use BUNDLE.$* profile | Cannot enable or disable individually |
Inquire | CLOUD.PLATFORM profile (READ); also allows viewing of management parts | CLOUD.APPLICATION profile (READ) | CICS command and resource security, and simulated CICS security checking in CICSPlex SM; use BUNDLE.$* profile | CICS command and resource security, and simulated CICS security checking in CICSPlex SM |
Discard | CLOUD.PLATFORM profile (ALTER) | CLOUD.APPLICATION profile (ALTER) | Cannot discard individually | Cannot discard individually |
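
The following RACF commands are an added example, not part of the original documentation, showing one way to split the access levels in the table across four roles. It assumes the profiles are named with the CICSplex name as the context qualifier (CLOUD.DEF.context and so on); the CICSplex name PLEX1 and the group names CLDDEFN, CLDDEPL, CLDOPER and CLDAUDT are hypothetical.

```racf
/* Constructed example. PLEX1 and the CLDxxxx groups are hypothetical. */

/* 1. Define the three profiles with no default access, so that only   */
/*    explicitly permitted groups can administer platforms and apps.   */
RDEFINE CPSMOBJ CLOUD.DEF.PLEX1         UACC(NONE)
RDEFINE CPSMOBJ CLOUD.PLATFORM.PLEX1    UACC(NONE)
RDEFINE CPSMOBJ CLOUD.APPLICATION.PLEX1 UACC(NONE)

/* 2. Definers: create, update and remove PLATDEF and APPLDEF          */
/*    definitions in the data repository. No install authority.        */
PERMIT CLOUD.DEF.PLEX1 CLASS(CPSMOBJ) ID(CLDDEFN) ACCESS(UPDATE)

/* 3. Deployers: install and discard. ALTER alone is not enough to     */
/*    install; READ on CLOUD.DEF is also required.                     */
PERMIT CLOUD.DEF.PLEX1         CLASS(CPSMOBJ) ID(CLDDEPL) ACCESS(READ)
PERMIT CLOUD.PLATFORM.PLEX1    CLASS(CPSMOBJ) ID(CLDDEPL) ACCESS(ALTER)
PERMIT CLOUD.APPLICATION.PLEX1 CLASS(CPSMOBJ) ID(CLDDEPL) ACCESS(ALTER)

/* 4. Operators: enable and disable, and add or remove CICS regions    */
/*    in platform region types. Cannot install or discard.             */
PERMIT CLOUD.PLATFORM.PLEX1    CLASS(CPSMOBJ) ID(CLDOPER) ACCESS(UPDATE)
PERMIT CLOUD.APPLICATION.PLEX1 CLASS(CPSMOBJ) ID(CLDOPER) ACCESS(UPDATE)

/* 5. Auditors: view definitions and installed resources only.         */
PERMIT CLOUD.DEF.PLEX1         CLASS(CPSMOBJ) ID(CLDAUDT) ACCESS(READ)
PERMIT CLOUD.PLATFORM.PLEX1    CLASS(CPSMOBJ) ID(CLDAUDT) ACCESS(READ)
PERMIT CLOUD.APPLICATION.PLEX1 CLASS(CPSMOBJ) ID(CLDAUDT) ACCESS(READ)

/* 6. Refresh in-storage profiles (only if CPSMOBJ is RACLISTed at     */
/*    your site), then list each access list to confirm the result.    */
SETROPTS RACLIST(CPSMOBJ) REFRESH
RLIST CPSMOBJ CLOUD.DEF.PLEX1         AUTHUSER
RLIST CPSMOBJ CLOUD.PLATFORM.PLEX1    AUTHUSER
RLIST CPSMOBJ CLOUD.APPLICATION.PLEX1 AUTHUSER
```

Because each grant applies to every platform or application in the CICSplex, and extends to the CICS bundles that are generated for them, review the RLIST output for any group that should be limited to a subset of applications.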
For more information on setting up security for CICSPlex SM and creating security profiles, see Implementing CICSPlex SM security.