Exempting users and resources from security checking

There might be certain individuals who do not require security checking. There might also be certain CICS resources that are sufficiently protected by CICSPlex® SM profiles and, therefore, do not need to be involved in security checking.

You can exempt these individuals and resources from simulated CICS security checking using the CICSPlex SM CPSMXMP resource class. Exemption bypasses only the simulated CICS® security checks, not the basic CICSPlex SM resource checks.

For example, if a user does not have RACF® authority to issue the CICS command CEMT INQ FILE, you can enable that user to achieve the same result by creating a profile in the exemption class that allows the user to issue the equivalent CICSPlex SM command LOCFILE.

To create exemption profiles:

  1. Decide which resource you want to exempt and specify this on the PERMIT command. Use the resource name format described in Specifying CICSPlex SM resource names in profiles.
  2. Specify the class name CPSMXMP. This RACF class controls exemption from simulated security checking.
  3. Specify the type of access that you require.
    • If you do not want to bypass security checking, specify ACCESS(NONE).
    • If you want to bypass security checking of INQUIRE level commands, specify ACCESS(READ).
    • If you want to bypass security checking of INQUIRE, SET, and PERFORM level commands, specify ACCESS(UPDATE).
    • If you want to bypass security checking of all commands, including DISCARD level commands, specify ACCESS(ALTER).
  4. Specify the user or the group that you want the exemptions to apply to.

The following example shows how you could define an exemption profile that allows the individuals comprising the group EYUGRP2 to bypass security checking for all views and action commands associated with the TERMINAL type within the MONITOR function, when the context is EYUPLX01 and the scope is EYUMAS1A:

  PERMIT  MONITOR.TERMINAL.EYUPLX01.EYUMAS1A  /* Resource name    */+
          CLASS(CPSMXMP)                      /* Class name       */+
          ACCESS(UPDATE)                      /* Access           */+
          ID(EYUGRP2)                         /* User or group    */+
                                              /*  granted access  */
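To make the effect of the access levels concrete, the following Python model (an added illustration, not IBM code or a CICSPlex SM API) applies the page's two-layer rule: the basic CICSPlex SM resource check is always made, and the simulated CICS check is skipped only when the user or group holds sufficient CPSMXMP access to the resource name. The profile data is constructed from the PERMIT example above; the outcomes of the two underlying RACF checks are passed in as booleans because the model does not call RACF.

```python
# Added model of CPSMXMP exemption behaviour (not IBM code). RACF access
# levels form a hierarchy, so UPDATE also satisfies a READ requirement.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALTER": 3}

# CPSMXMP access needed to bypass the simulated check, per command level,
# as listed in the procedure above.
EXEMPT_NEEDED = {"INQUIRE": "READ", "SET": "UPDATE",
                 "PERFORM": "UPDATE", "DISCARD": "ALTER"}

# Constructed sample access list, matching the PERMIT example on this page.
CPSMXMP_PROFILES = {
    "MONITOR.TERMINAL.EYUPLX01.EYUMAS1A": {"EYUGRP2": "UPDATE"},
}


def has_access(profiles, resource, group, needed):
    """True when the group's access to the resource is at least 'needed'."""
    granted = profiles.get(resource, {}).get(group, "NONE")
    return ACCESS_RANK[granted] >= ACCESS_RANK[needed]


def simulated_cics_check_required(resource, group, command_level):
    """True when simulated CICS security must still be applied, i.e. the
    group has no CPSMXMP exemption strong enough for this command level."""
    needed = EXEMPT_NEEDED[command_level]
    return not has_access(CPSMXMP_PROFILES, resource, group, needed)


def authorize(resource, group, command_level, cpsm_resource_ok, cics_sim_ok):
    """Combine the two checks. cpsm_resource_ok and cics_sim_ok stand in for
    the results of the basic CICSPlex SM resource check and the simulated
    CICS check; the basic check is never bypassed by an exemption."""
    if not cpsm_resource_ok:
        return "DENIED: basic CICSPlex SM resource check"
    if (simulated_cics_check_required(resource, group, command_level)
            and not cics_sim_ok):
        return "DENIED: simulated CICS security check"
    return "ALLOWED"
```

With the sample profile, EYUGRP2 is exempt for INQUIRE, SET and PERFORM level commands against that resource but not for DISCARD, and a failed basic resource check is still a denial regardless of the exemption.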