Security for platforms and applications

You can secure resources for applications that are deployed on platforms by creating RACF® security profiles for CICSPlex® SM to cover platforms and applications in a CICSplex.

Security for platforms and applications is set up in a similar way to security for other CICSPlex SM components. You control access to a specific set of views (and their associated action commands) by identifying the set in a security profile. With these security profiles, you can give users authority to install, enable or disable, make available or unavailable, inquire on, or discard platforms and applications, and ensure that unauthorized users cannot create and administer these resources.

When you give a user authority to perform an action on a platform or application, you also give them authority to perform the same action on the dynamically generated resources for the platform or application. For example, a user who has authority to enable an application also has authority to enable the CICS® bundles for the application that were installed in CICS regions in all the platforms in the CICSplex. CICS command and resource security checks, and simulated CICS security checking in CICSPlex SM, are not carried out when you operate on CICS bundles through an application or platform.

You can secure a platform and its deployed applications by setting up security profiles with the following function and type combinations:
CLOUD.DEF.context
This security profile covers the PLATDEF and APPLDEF resource tables, which contain the definitions for platforms and applications. context is the specific or generic name of the CICSplex that is covered by the security profile.

Users with UPDATE access for this security profile can create, update, and remove definitions for platforms and applications in the CICSPlex SM data repository. Users with READ access can view those definitions in the CICSPlex SM data repository.

CLOUD.PLATFORM.context
This security profile covers the installation of PLATDEF resources and operations on PLATFORM resources. It also allows users to view management parts (MGMTPART resources). context is the specific or generic name of the CICSplex that is covered by the security profile.

Users with ALTER access for this security profile can install platforms in the CICSplex and discard them. (To install a platform, users also need READ access for the CLOUD.DEF profile that covers the PLATDEF resource.) Users with UPDATE access can enable and disable platforms, and can add CICS regions to region types in the platform or remove CICS regions from them. Users with READ access can view PLATFORM resources and MGMTPART resources. These permissions apply for all platforms that exist in the CICSplex.

CLOUD.APPLICATION.context
This security profile covers the installation of APPLDEF resources and operations on APPLCTN resources. context is the specific or generic name of the CICSplex that is covered by the security profile.

Users with ALTER access for this security profile can install applications in the CICSplex and discard them. (To install an application, users also need READ access for the CLOUD.DEF profile that covers the APPLDEF resource.) Users with UPDATE access can enable and disable applications and make them available or unavailable. Users with READ access can view APPLCTN resources. These permissions apply for all applications in all platforms that exist in the CICSplex. If you require different security permissions for certain applications, use a different CICSplex to host the platform where you deploy the application.

Note: These security profiles are only checked in the maintenance point CMAS. Security checks are reported by message EYUCR0009I in the EYULOG of the maintenance point CMAS. To receive message EYUCR0009I for violations you must set the CICSPlex SM system parameter (EYUPARM) SECLOGMSG to YES. For more information about SECLOGMSG, see CICSPlex SM system parameters.
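The following RACF commands are an added example, not part of the CICS documentation, showing one way to define the three CLOUD profiles for a single CICSplex and grant the access levels described above. The CICSplex name PLEX1 and the group names CLDADMIN (defines platforms and applications), CLDINST (installs and discards them), CLDOPER (day-to-day enable/disable and availability changes) and CLDVIEW (read only) are assumed names chosen for the example. The profiles are defined in CPSMOBJ, the RACF general resource class that CICSPlex SM uses for its security profiles.

```racf
/* Constructed example: CICSplex PLEX1 and the group names are assumed */
/* CPSMOBJ is the RACF class for CICSPlex SM security profiles          */
SETROPTS CLASSACT(CPSMOBJ) GENERIC(CPSMOBJ) RACLIST(CPSMOBJ)

/* CLOUD.DEF: UPDATE creates, updates and removes PLATDEF and APPLDEF,  */
/* READ views them. Installers need READ here as well, because install  */
/* checks CLOUD.DEF in addition to CLOUD.PLATFORM or CLOUD.APPLICATION  */
RDEFINE CPSMOBJ CLOUD.DEF.PLEX1 UACC(NONE)
PERMIT CLOUD.DEF.PLEX1 CLASS(CPSMOBJ) ID(CLDADMIN) ACCESS(UPDATE)
PERMIT CLOUD.DEF.PLEX1 CLASS(CPSMOBJ) ID(CLDINST)  ACCESS(READ)
PERMIT CLOUD.DEF.PLEX1 CLASS(CPSMOBJ) ID(CLDVIEW)  ACCESS(READ)

/* CLOUD.PLATFORM: ALTER installs and discards, UPDATE enables/disables */
/* and changes region type membership, READ views PLATFORM and MGMTPART */
/* RACF access levels are hierarchical, so ALTER also covers UPDATE/READ */
RDEFINE CPSMOBJ CLOUD.PLATFORM.PLEX1 UACC(NONE)
PERMIT CLOUD.PLATFORM.PLEX1 CLASS(CPSMOBJ) ID(CLDINST) ACCESS(ALTER)
PERMIT CLOUD.PLATFORM.PLEX1 CLASS(CPSMOBJ) ID(CLDOPER) ACCESS(UPDATE)
PERMIT CLOUD.PLATFORM.PLEX1 CLASS(CPSMOBJ) ID(CLDVIEW) ACCESS(READ)

/* CLOUD.APPLICATION: ALTER installs and discards, UPDATE enables/disables */
/* and makes available/unavailable, READ views APPLCTN                    */
RDEFINE CPSMOBJ CLOUD.APPLICATION.PLEX1 UACC(NONE)
PERMIT CLOUD.APPLICATION.PLEX1 CLASS(CPSMOBJ) ID(CLDINST) ACCESS(ALTER)
PERMIT CLOUD.APPLICATION.PLEX1 CLASS(CPSMOBJ) ID(CLDOPER) ACCESS(UPDATE)
PERMIT CLOUD.APPLICATION.PLEX1 CLASS(CPSMOBJ) ID(CLDVIEW) ACCESS(READ)

/* Profiles only take effect in the in-storage copy after a refresh */
SETROPTS RACLIST(CPSMOBJ) REFRESH
```

Because the check is made only in the maintenance point CMAS, verify the resulting access list there, for example with `RLIST CPSMOBJ CLOUD.PLATFORM.PLEX1 AUTHUSER`, and code `SECLOGMSG(YES)` in that CMAS's EYUPARM so that denied requests appear as EYUCR0009I in its EYULOG. Giving CLDOPER only UPDATE keeps operators able to enable, disable and change availability without being able to install or discard, which a user with ALTER can do.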
Although the CLOUD security profiles cover actions on the dynamically generated resources for the platform or application, users may still carry out a limited set of actions directly on individual resources in the CICSplex and CICS regions where they are installed:
  • You can modify the CICSPlex SM topology definition (CSYSDEF, or CICS system definition) for a CICS region that is part of a platform. Attribute values that you specified at the region type level are locked and cannot be changed, but other attribute values can be changed.
  • You can make available or unavailable, enable or disable, or inquire on, a BUNDLE resource that was dynamically created when you installed a platform or application. You cannot discard an individual CICS bundle directly if it was created when you installed a platform or application.
  • You can inquire on a dynamically created resource, such as a PROGRAM resource, that was defined inside a CICS bundle and created when you installed a platform or application. You cannot enable, disable, or discard these resources directly if they were created when you installed a platform or application.
CICS command and resource security checks, and simulated CICS security checking in CICSPlex SM, do apply when you perform an action directly on a CICS region that is part of a platform, or on an individual CICS bundle, or a resource defined in a CICS bundle, that was created when you installed a platform or application.
  • A TOPOLOGY.DEF.context security profile covers actions on the CICSPlex SM topology definitions for individual CICS regions that are part of a platform. context is the specific or generic name of the CICSplex that is covered by the security profile. Users with UPDATE access can modify the CSYSDEF for a CICS region that is part of a platform, with the exception of attribute values that are locked by the platform itself.
  • CICS bundles created when you install a platform or application have a unique generated name beginning with the $ character. To provide security for actions on individual CICS bundles that were dynamically created in this way, you can set up a security profile specifying the BUNDLE resource type and the resource name $*. Users with UPDATE access for BUNDLE.$* can make available or unavailable, or enable or disable, BUNDLE resources created for platforms and applications, and users with READ access can inquire on those BUNDLE resources.
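As an added example (not from the CICS documentation), the two profiles described in this list defined in RACF: TOPOLOGY.DEF for the topology definitions of regions in a platform, in the CPSMOBJ class, and BUNDLE.$* for the dynamically generated CICS bundles, in the resource class used for CICS resource security on BUNDLE resources. The example assumes the CICSplex is named PLEX1, that the regions run with the default XRES=YES so that the class is RCICSRES, and uses the assumed group names PLEXADM, CLDOPER and CLDVIEW.

```racf
/* Constructed example: PLEX1 and the group names are assumed           */

/* TOPOLOGY.DEF: UPDATE lets users change the CSYSDEF of a region that  */
/* belongs to a platform; attributes locked at region type level stay   */
/* locked regardless of this access                                     */
RDEFINE CPSMOBJ TOPOLOGY.DEF.PLEX1 UACC(NONE)
PERMIT TOPOLOGY.DEF.PLEX1 CLASS(CPSMOBJ) ID(PLEXADM) ACCESS(UPDATE)
SETROPTS RACLIST(CPSMOBJ) REFRESH

/* Generated bundles are named $...; one generic profile in the XRES    */
/* resource class (RCICSRES when XRES=YES) covers all of them. GENERIC  */
/* must be active for the class so that $* is treated as a generic name */
SETROPTS CLASSACT(RCICSRES) GENERIC(RCICSRES) RACLIST(RCICSRES)
RDEFINE RCICSRES BUNDLE.$* UACC(NONE)
/* UPDATE: enable/disable and make available/unavailable these bundles  */
PERMIT BUNDLE.$* CLASS(RCICSRES) ID(CLDOPER) ACCESS(UPDATE)
/* READ: inquire on them only                                           */
PERMIT BUNDLE.$* CLASS(RCICSRES) ID(CLDVIEW) ACCESS(READ)
SETROPTS RACLIST(RCICSRES) REFRESH
```

Unlike the CLOUD profiles, these are checked by CICS command and resource security and by simulated CICS security checking in CICSPlex SM, so they apply in every region where the bundle is installed rather than only in the maintenance point CMAS. Note that the profile permits actions on the generated bundles, but discard of such a bundle is still not possible individually whatever access is granted.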

If you apply security measures to individual PROGRAM resources, for applications that are deployed on platforms, secure the programs that are declared as application entry points, but do not secure other programs in the applications. The security settings that you specify for a program that is part of an application deployed on a platform apply to both public and private programs, and do not take into account the version of the application. Programs that are declared as an application entry point must have a unique PROGRAM resource name in your environment. However, if you secure programs that run at a lower level in the application, programs with the same names might be running in different applications, which can lead to unforeseen consequences. In this situation, a user might have permission to access a program that is declared as an application entry point, but not have permission to access a program that runs at a lower level in the application, because the security settings from another instance of the program name are in effect. Consider the security measures that you apply to a program that is declared as an application entry point program, as applying to the whole application.

If you used CICS bundles in earlier CICS releases, check the security permissions that you gave to users for those bundles. Depending on the way in which you set up security for CICS bundles, users with authority to take actions on individual CICS bundles might now be able to act on resources that are dynamically created as part of the installation of a bundle. Ensure that the levels of authority for BUNDLE resources are still appropriate.

Table 1 summarizes the security checks that apply to actions performed on a platform, an application, an individual CICS bundle that was dynamically created when you installed a platform or application, or a resource defined in a CICS bundle for a platform or application.
Table 1. Security checks for operations on platforms, applications, and generated CICS bundles

| Operation | Platforms, including their CICS bundles | Applications, including their CICS bundles | Dynamically created CICS bundles | Resources defined in dynamically created CICS bundles |
|---|---|---|---|---|
| Define | CLOUD.DEF profile (UPDATE, or READ to view definitions); also TOPOLOGY.DEF profile (UPDATE to modify individual CICS region CSYSDEF after platform install) | CLOUD.DEF profile (UPDATE, or READ to view definitions) | Cannot manage resource definitions individually | Cannot manage resource definitions individually |
| Install | CLOUD.PLATFORM profile (ALTER) and CLOUD.DEF profile (READ) | CLOUD.APPLICATION profile (ALTER) and CLOUD.DEF profile (READ) | Cannot install individually | Cannot install individually |
| Enable or disable | CLOUD.PLATFORM profile (UPDATE) | CLOUD.APPLICATION profile (UPDATE) | CICS command and resource security, and simulated CICS security checking in CICSPlex SM; use BUNDLE.$* profile | Cannot enable or disable individually |
| Make available or unavailable | Not applicable | CLOUD.APPLICATION profile (UPDATE) | CICS command and resource security, and simulated CICS security checking in CICSPlex SM; use BUNDLE.$* profile | Cannot make available or unavailable individually |
| Inquire | CLOUD.PLATFORM profile (READ); also allows viewing of management parts | CLOUD.APPLICATION profile (READ) | CICS command and resource security, and simulated CICS security checking in CICSPlex SM; use BUNDLE.$* profile | CICS command and resource security, and simulated CICS security checking in CICSPlex SM |
| Discard | CLOUD.PLATFORM profile (ALTER) | CLOUD.APPLICATION profile (ALTER) | Cannot discard individually | Cannot discard individually |

For more information on setting up security for CICSPlex SM and creating security profiles, see Implementing CICSPlex SM security.