Security for platforms and applications
You can secure resources for applications that are deployed on platforms by creating RACF® security profiles for CICSPlex® SM to cover platforms and applications in a CICSplex.
Security for platforms and applications is set up in a similar way to security for other CICSPlex SM components. You control access to a specific set of views (and their associated action commands) by identifying the set in a security profile. With these security profiles, you can give users authority to install, enable or disable, make available or unavailable, inquire on, or discard platforms and applications, and ensure that unauthorized users cannot create and administer these resources.
When you give a user authority to perform an action on a platform or application, you also give them authority to perform the same action on the dynamically generated resources for the platform or application. For example, a user who has authority to enable an application also has authority to enable the CICS® bundles for the application that were installed in CICS regions in all the platforms in the CICSplex. CICS command and resource security checks, and simulated CICS security checking in CICSPlex SM, are not carried out when you operate on CICS bundles through an application or platform.
- CLOUD.DEF.context
  This security profile covers the PLATDEF and APPLDEF resource tables, which contain the definitions for platforms and applications. context is the specific or generic name of the CICSplex that is covered by the security profile.
  Users with UPDATE access for this security profile can create, update, and remove definitions for platforms and applications in the CICSPlex SM data repository. Users with READ access can view those definitions in the CICSPlex SM data repository.
- CLOUD.PLATFORM.context
  This security profile covers the installation of PLATDEF resources and operations on PLATFORM resources. It also allows users to view management parts (MGMTPART resources). context is the specific or generic name of the CICSplex that is covered by the security profile.
  Users with ALTER access for this security profile can install platforms in the CICSplex and discard them. (To install a platform, users also need READ access for the CLOUD.DEF profile that covers the PLATDEF resource.) Users with UPDATE access can enable and disable platforms. Users with UPDATE access can also add CICS regions to region types in the platform and remove CICS regions from region types in the platform. Users with READ access can view PLATFORM resources and MGMTPART resources. These permissions apply for all platforms that exist in the CICSplex.
- CLOUD.APPLICATION.context
  This security profile covers the installation of APPLDEF resources and operations on APPLCTN resources. context is the specific or generic name of the CICSplex that is covered by the security profile.
  Users with ALTER access for this security profile can install applications in the CICSplex and discard them. (To install an application, users also need READ access for the CLOUD.DEF profile that covers the APPLDEF resource.) Users with UPDATE access can enable and disable applications and make them available or unavailable. Users with READ access can view APPLCTN resources. These permissions apply for all applications in all platforms that exist in the CICSplex. If you require different security permissions for certain applications, use a different CICSplex to host the platform where you deploy the application.
- You can modify the CICSPlex SM topology definition (CSYSDEF, or CICS system definition) for a CICS region that is part of a platform. Attribute values that you specified at the region type level are locked and cannot be changed, but other attribute values can be changed.
- You can make available or unavailable, enable or disable, or inquire on, a BUNDLE resource that was dynamically created when you installed a platform or application. You cannot discard an individual CICS bundle directly if it was created when you installed a platform or application.
- You can inquire on a dynamically created resource, such as a PROGRAM resource, that was defined inside a CICS bundle and created when you installed a platform or application. You cannot enable, disable, or discard these resources directly if they were created when you installed a platform or application.
- A TOPOLOGY.DEF.context security profile covers actions on the CICSPlex SM topology definitions for individual CICS regions that are part of a platform. context is the specific or generic name of the CICSplex that is covered by the security profile. Users with UPDATE access can modify the CSYSDEF for a CICS region that is part of a platform, with the exception of attribute values that are locked by the platform itself.
- CICS bundles created when you install a platform or application have a unique generated name beginning with the $ character. To provide security for actions on individual CICS bundles that were dynamically created in this way, you can set up a security profile specifying the BUNDLE resource type and the resource name $*. Users with UPDATE access for BUNDLE.$* can make available or unavailable, or enable or disable, BUNDLE resources created for platforms and applications, and users with READ access can inquire on those BUNDLE resources.
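As an added example (not code from IBM's documentation), the following REXX exec defines and permits the CLOUD and TOPOLOGY.DEF profiles described above for one CICSplex, and adds the BUNDLE.$* profile for the dynamically created bundles. The CICSplex name PLEX1, the RACF groups CPSMADM, CPSMOPS and CPSMVIEW, and the use of RCICSRES as the active XRES class are assumptions made for the example.

```rexx
/* REXX */
/* Added example, not IBM's code: define and permit the CICSPlex SM     */
/* profiles for platforms and applications in one CICSplex. The        */
/* CICSplex name PLEX1 and the groups CPSMADM, CPSMOPS and CPSMVIEW     */
/* are constructed for this example.                                    */
plex  = 'PLEX1'
admin = 'CPSMADM'   /* defines, installs and discards platforms/applications */
ops   = 'CPSMOPS'   /* enables/disables, makes available/unavailable         */
view  = 'CPSMVIEW'  /* inquires only                                         */
address TSO
/* CICSPlex SM profiles live in the CPSMOBJ class. UACC(NONE): nobody  */
/* has access unless explicitly permitted below.                        */
profiles = 'CLOUD.DEF CLOUD.PLATFORM CLOUD.APPLICATION TOPOLOGY.DEF'
do i = 1 to words(profiles)
  "RDEFINE CPSMOBJ" word(profiles, i)"."plex "UACC(NONE)"
end
/* Administrators: UPDATE on CLOUD.DEF creates and changes definitions; */
/* ALTER on CLOUD.PLATFORM and CLOUD.APPLICATION installs and discards. */
/* Install also needs READ on CLOUD.DEF; UPDATE already includes READ.  */
call grant 'CLOUD.DEF.'plex,         admin, 'UPDATE'
call grant 'CLOUD.PLATFORM.'plex,    admin, 'ALTER'
call grant 'CLOUD.APPLICATION.'plex, admin, 'ALTER'
call grant 'TOPOLOGY.DEF.'plex,      admin, 'UPDATE' /* CSYSDEF of platform regions */
/* Operators: UPDATE allows enable/disable, available/unavailable and   */
/* adding or removing regions, but not install, discard or definitions. */
call grant 'CLOUD.PLATFORM.'plex,    ops, 'UPDATE'
call grant 'CLOUD.APPLICATION.'plex, ops, 'UPDATE'
/* Read-only users: READ shows definitions, platforms (with their      */
/* management parts) and applications, and changes nothing.            */
call grant 'CLOUD.DEF.'plex,         view, 'READ'
call grant 'CLOUD.PLATFORM.'plex,    view, 'READ'
call grant 'CLOUD.APPLICATION.'plex, view, 'READ'
/* Bundles generated by a platform or application install are named   */
/* $...; acting on them individually goes through CICS resource        */
/* security, so cover them with a generic BUNDLE.$* profile in the     */
/* XRES class (RCICSRES is assumed to be the active class).            */
"RDEFINE RCICSRES BUNDLE.$* UACC(NONE)"
"PERMIT BUNDLE.$* CLASS(RCICSRES) ID("ops") ACCESS(UPDATE)"
"PERMIT BUNDLE.$* CLASS(RCICSRES) ID("view") ACCESS(READ)"
/* RACLISTed classes only see new profiles after a refresh. */
"SETROPTS RACLIST(CPSMOBJ) REFRESH"
"SETROPTS RACLIST(RCICSRES) REFRESH"
exit 0
grant: procedure
  parse arg profile, group, level
  address TSO "PERMIT" profile "CLASS(CPSMOBJ) ID("group") ACCESS("level")"
return
```

Run it from a user ID with RACF authority over the CPSMOBJ and RCICSRES classes; because RACF access levels are hierarchical, the operator group's UPDATE on CLOUD.PLATFORM also grants the READ needed to inquire.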
If you apply security measures to individual PROGRAM resources for applications that are deployed on platforms, secure the programs that are declared as application entry points, but do not secure other programs in the applications. The security settings that you specify for a program that is part of an application deployed on a platform apply to both public and private programs, and do not take into account the version of the application. Programs that are declared as application entry points must have a unique PROGRAM resource name in your environment. However, if you secure programs that run at a lower level in the application, programs with the same names might be running in different applications, which can lead to unforeseen consequences: a user might have permission to access a program that is declared as an application entry point, but not have permission to access a program that runs at a lower level in the application, because the security settings from another instance of the program name are in effect. Treat the security measures that you apply to an application entry point program as applying to the whole application.
If you used CICS bundles in earlier CICS releases, check the security permissions that you gave to users for those bundles. Depending on the way in which you set up security for CICS bundles, users with authority to take actions on individual CICS bundles might now be able to act on resources that are dynamically created as part of the installation of a bundle. Ensure that the levels of authority for BUNDLE resources are still appropriate.
| Operation | Platforms, including their CICS bundles | Applications, including their CICS bundles | Dynamically created CICS bundles | Resources defined in dynamically created CICS bundles |
|---|---|---|---|---|
| Define | CLOUD.DEF profile (UPDATE, or READ to view definitions); also TOPOLOGY.DEF profile (UPDATE to modify individual CICS region CSYSDEF after platform install) | CLOUD.DEF profile (UPDATE, or READ to view definitions) | Cannot manage resource definitions individually | Cannot manage resource definitions individually |
| Install | CLOUD.PLATFORM profile (ALTER) and CLOUD.DEF profile (READ) | CLOUD.APPLICATION profile (ALTER) and CLOUD.DEF profile (READ) | Cannot install individually | Cannot install individually |
| Enable or disable | CLOUD.PLATFORM profile (UPDATE) | CLOUD.APPLICATION profile (UPDATE) | CICS command and resource security, and simulated CICS security checking in CICSPlex SM; use BUNDLE.$* profile | Cannot enable or disable individually |
| Make available or unavailable | Not applicable | CLOUD.APPLICATION profile (UPDATE) | CICS command and resource security, and simulated CICS security checking in CICSPlex SM; use BUNDLE.$* profile | Cannot make available or unavailable individually |
| Inquire | CLOUD.PLATFORM profile (READ); also allows viewing of management parts | CLOUD.APPLICATION profile (READ) | CICS command and resource security, and simulated CICS security checking in CICSPlex SM; use BUNDLE.$* profile | CICS command and resource security, and simulated CICS security checking in CICSPlex SM |
| Discard | CLOUD.PLATFORM profile (ALTER) | CLOUD.APPLICATION profile (ALTER) | Cannot discard individually | Cannot discard individually |
For more information on setting up security for CICSPlex SM and creating security profiles, see Implementing CICSPlex SM security.