CICS resources subject to command security checking
For transaction and resource security checking, you identify the resources to RACF® using the identifiers that you have assigned to them; for example, file names, queue names, and transaction names. However, in the case of command security, the resource identifiers are all predefined by CICS®, and you use these predefined names when defining resource profiles to RACF.
The full list of resource identifiers that are subject to command security checking with the associated commands is shown in Table 1. Most of these commands are common to both the CEMT and EXEC CICS interfaces; commands that are specific to CEMT have the CEMT prefix.
If you use prefixing, the value specified by the SECPRFX SIT parameter must be
prefixed to the command resource name.
| Resource identifier | Related CICS commands |
|---|---|
| ASSOCIATION | INQUIRE ASSOCIATION |
| ATOMSERVICE | CREATE ATOMSERVICE
DISCARD ATOMSERVICE INQUIRE ATOMSERVICE SET ATOMSERVICE |
| AUTINSTMODEL | DISCARD AUTINSTMODEL
INQUIRE AUTINSTMODEL |
| AUTOINSTALL | INQUIRE AUTOINSTALL
SET AUTOINSTALL |
| BRFACILITY | INQUIRE BRFACILITY
SET BRFACILITY |
| BUNDLE | CREATE BUNDLE
DISCARD BUNDLE INQUIRE BUNDLE SET BUNDLE |
| BUNDLEPART | INQUIRE BUNDLEPART |
| CAPDATAPRED | INQUIRE CAPDATAPRED
|
| CAPINFOSRCE | INQUIRE CAPINFOSRCE
|
| CAPOPTPRED | INQUIRE CAPOPTPRED
|
| CAPTURESPEC | INQUIRE CAPTURESPEC
|
| CFDTPOOL | INQUIRE CFDTPOOL |
| CONNECTION | CREATE CONNECTION
DISCARD CONNECTION INQUIRE CONNECTION SET CONNECTION |
| CSD | CSD ADD
CSD ALTER CSD APPEND CSD COPY CSD DEFINE CSD DELETE CSD DISCONNECT CSD ENDBRGROUP CSD ENDBRLIST CSD ENDBRRSRCE CSD GETNEXTGROUP CSD GETNEXTLIST CSD GETNEXTRSRCE CSD INQUIREGROUP CSD INQUIRELIST CSD INQUIRERSRCE CSD INSTALL CSD LOCK CSD REMOVE CSD RENAME CSD STARTBRGROUP CSD STARTBRLIST CSD STARTBRRSRCE CSD UNLOCK CSD USERDEFINE |
| DB2CONN | CREATE DB2CONN
DISCARD DB2CONN INQUIRE DB2CONN SET DB2CONN |
| DB2ENTRY | CREATE DB2ENTRY
DISCARD DB2ENTRY INQUIRE DB2ENTRY SET DB2ENTRY |
| DB2TRAN | CREATE DB2TRAN
DISCARD DB2TRAN INQUIRE DB2TRAN SET DB2TRAN |
| DELETSHIPPED | INQUIRE DELETSHIPPED
PERFORM DELETSHIPPED SET DELETSHIPPED |
| DISPATCHER | INQUIRE DISPATCHER
SET DISPATCHER |
| DOCTEMPLATE | CREATE DOCTEMPLATE
DISCARD DOCTEMPLATE INQUIRE DOCTEMPLATE SET DOCTEMPLATE |
| DSNAME | INQUIRE DSNAME
SET DSNAME |
| DUMP | CEMT PERFORM SNAP
PERFORM DUMP |
| DUMPCODE | CREATE DUMPCODE |
| DUMPDS | INQUIRE DUMPDS
SET DUMPDS |
| ENQMODEL | CREATE ENQMODEL
INQUIRE ENQMODEL SET ENQMODEL |
| EPADAPTER | INQUIRE EPADAPTER
SET EPADAPTER Bundle command security applies when you use SPI commands to perform an action on a BUNDLE resource, and in that process you install, enable, disable, or discard a dynamically generated resource of this type that was defined in the CICS bundle. No CICS command security applies when you install, enable, disable, or discard a dynamically generated resource of this type through an application or platform. For more information, see Security for bundles. |
| EPADAPTERSET | INQUIRE EPADAPTERSET
SET EPADAPTERSET Bundle command security applies when you use SPI commands to perform an action on a BUNDLE resource, and in that process you install, enable, disable, or discard a dynamically generated resource of this type that was defined in the CICS bundle. No CICS command security applies when you install, enable, disable, or discard a dynamically generated resource of this type through an application or platform. For more information, see Security for bundles. |
| EPADAPTINSET | INQUIRE EPADAPTINSET
Bundle command security applies when you use SPI commands to perform an action on a BUNDLE resource, and in that process you install, enable, disable, or discard a dynamically generated resource of this type that was defined in the CICS bundle. No CICS command security applies when you install, enable, disable, or discard a dynamically generated resource of this type through an application or platform. For more information, see Security for bundles. |
| EVENTBINDING | INQUIRE EVENTBINDING
SET EVENTBINDING Bundle command security applies when you use SPI commands to perform an action on a BUNDLE resource, and in that process you install, enable, disable, or discard a dynamically generated resource of this type that was defined in the CICS bundle. No CICS command security applies when you install, enable, disable, or discard a dynamically generated resource of this type through an application or platform. For more information, see Security for bundles. |
| EVENTPROCESS | INQUIRE EVENTPROCESS
SET EVENTPROCESS |
| EXCI | INQUIRE EXCI |
| EXITPROGRAM | DISABLE PROGRAM
ENABLE PROGRAM EXTRACT EXIT RESYNC ENTRYNAME INQUIRE EXITPROGRAM |
| FEPIRESOURCE | Certain FEPI commands |
| FILE | CREATE FILE
DISCARD FILE INQUIRE FILE SET FILE |
| HOST | INQUIRE HOST
SET HOST |
| IPCONN | CREATE IPCONN
DISCARD IPCONN INQUIRE IPCONN SET IPCONN |
| IRC | INQUIRE IRC
SET IRC |
| JOURNALMODEL | CEMT INQUIRE JMODEL
CREATE JOURNALMODEL DISCARD JOURNALMODEL INQUIRE JOURNALMODEL |
| JOURNALNAME | INQUIRE JOURNALNAME
SET JOURNALNAME |
| JVMENDPOINT |
INQUIRE JVMENDPOINT
SET JVMENDPOINT |
| JVMSERVER | CREATE JVMSERVER
DISCARD JVMSERVER INQUIRE JVMSERVER PERFORM JVMSERVER SET JVMSERVER |
| LIBRARY | CREATE LIBRARY
DISCARD LIBRARY INQUIRE LIBRARY SET LIBRARY Bundle command security applies when you use SPI commands to perform an action on a BUNDLE resource, and in that process you install, enable, disable, or discard a dynamically generated resource of this type that was defined in the CICS bundle. No CICS command security applies when you install, enable, disable, or discard a dynamically generated resource of this type through an application or platform. For more information, see Security for bundles. |
| LINE | CEMT INQUIRE LINE
CEMT SET LINE |
| LSRPOOL | CREATE LSRPOOL |
| MAPSET | CREATE MAPSET |
| MODENAME | INQUIRE MODENAME
SET MODENAME |
| MONITOR | INQUIRE MONITOR
SET MONITOR |
| MQCONN | CREATE MQCONN
DISCARD MQCONN INQUIRE MQCONN SET MQCONN |
| MQMON |
CREATE MQMONITOR
DISCARD MQMONITOR INQUIRE MQMONITOR SET MQMONITOR |
| MVSTCB | COLLECT STATISTICS
INQUIRE MVSTCB |
| NODEJSAPP | INQUIRE NODEJSAPP Bundle command security applies when you use SPI commands to perform an action on a BUNDLE resource, and in that process you install, enable, disable, or discard a dynamically generated resource of this type that was defined in the CICS bundle. No CICS command security applies when you install, enable, disable, or discard a dynamically generated resource of this type through an application or platform. For more information, see Security for bundles. |
| OSGIBUNDLE | INQUIRE OSGIBUNDLE Bundle command security applies when you use SPI commands to perform an action on a BUNDLE resource, and in that process you install, enable, disable, or discard a dynamically generated resource of this type that was defined in the CICS bundle. No CICS command security applies when you install, enable, disable, or discard a dynamically generated resource of this type through an application or platform. For more information, see Security for bundles. |
| OSGISERVICE | INQUIRE OSGISERVICE Bundle command security applies when you use SPI commands to perform an action on a BUNDLE resource, and in that process you install, enable, disable, or discard a dynamically generated resource of this type that was defined in the CICS bundle. No CICS command security applies when you install, enable, disable, or discard a dynamically generated resource of this type through an application or platform. For more information, see Security for bundles. |
| PARTITIONSET | CREATE PARTITIONSET |
| PARTNER | CREATE PARTNER
DISCARD PARTNER INQUIRE PARTNER |
| PIPELINE | CREATE PIPELINE
DISCARD PIPELINE INQUIRE PIPELINE PERFORM PIPELINE SET PIPELINE |
| PROCESSTYPE | CEMT INQUIRE PROCESSTYPE
CEMT SET PROCESSTYPE CREATE PROCESSTYPE DISCARD PROCESSTYPE |
| PROFILE | CREATE PROFILE
DISCARD PROFILE INQUIRE PROFILE |
| PROGRAM |
CREATE PROGRAM
DISCARD PROGRAM INQUIRE PROGRAM SET PROGRAM Bundle command security applies when you use SPI commands to perform an action on a BUNDLE resource, and in that process you install, enable, disable, or discard a dynamically generated resource of this type that was defined in the CICS bundle. No CICS command security applies when you install, enable, disable, or discard a dynamically generated resource of this type through an application or platform. For more information, see Security for bundles. SET PROGRAM REPLICATION. SET PROGRAM REPLICATION has additional command security checking beyond SET PROGRAM. For more information, see Resource and command check cross-reference. |
| REQID | INQUIRE REQID |
| RESETTIME | PERFORM RESETTIME. See CEMT considerations. |
| RRMS | INQUIRE RRMS |
| SECURITY | PERFORM SECURITY REBUILD
PERFORM SSL REBUILD |
| SESSIONS | CREATE SESSIONS |
| SHUTDOWN | PERFORM SHUTDOWN. Be particularly cautious when authorizing access to these and any other CICS commands that include a SHUTDOWN option. |
| STATISTICS | COLLECT STATISTICS
EXTRACT STATISTICS PERFORM STATISTICS RECORD INQUIRE STATISTICS SET STATISTICS |
| STORAGE | INQUIRE STORAGE |
| STREAMNAME | INQUIRE STREAMNAME |
| SUBPOOL | INQUIRE SUBPOOL |
| SYSDUMPCODE | |
| SYSTEM | INQUIRE SYSTEM
SET SYSTEM INQUIRE FEATUREKEY |
| TASK | INQUIRE TASK
SET TASK |
| TCLASS | CREATE TRANCLASS
DISCARD TRANCLASS INQUIRE TRANCLASS SET TRANCLASS INQUIRE TCLASS SET TCLASS |
| TCPIP | INQUIRE TCPIP
SET TCPIP |
| TCPIPSERVICE | CREATE TCPIPSERVICE
DISCARD TCPIPSERVICE INQUIRE TCPIPSERVICE SET TCPIPSERVICE |
| TDQUEUE | CREATE TDQUEUE
DISCARD TDQUEUE INQUIRE TDQUEUE SET TDQUEUE |
| TEMPSTORAGE | INQUIRE TEMPSTORAGE
SET TEMPSTORAGE |
| TERMINAL | INQUIRE NETNAME
SET NETNAME CREATE TERMINAL DISCARD TERMINAL INQUIRE TERMINAL SET TERMINAL |
| TRACEDEST | INQUIRE TRACEDEST
SET TRACEDEST |
| TRACEFLAG | INQUIRE TRACEFLAG
SET TRACEFLAG |
| TRACETYPE | INQUIRE TRACETYPE
SET TRACETYPE |
| TRANDUMPCODE | |
| TRANSACTION | CREATE TRANSACTION
DISCARD TRANSACTION INQUIRE TRANSACTION SET TRANSACTION Bundle command security applies when you use SPI commands to perform an action on a BUNDLE resource, and in that process you install, enable, disable, or discard a dynamically generated resource of this type that was defined in the CICS bundle. No CICS command security applies when you install, enable, disable, or discard a dynamically generated resource of this type through an application or platform. For more information, see Security for bundles. |
| TSMODEL | CREATE TSMODEL
DISCARD TSMODEL INQUIRE TSMODEL |
| TSPOOL | INQUIRE TSPOOL |
| TSQUEUE | INQUIRE TSQUEUE |
| TSQNAME | INQUIRE TSQNAME
SET TSQNAME |
| TYPETERM | CREATE TYPETERM |
| UOW | INQUIRE UOW
SET UOW |
| UOWDSNFAIL | INQUIRE UOWDSNFAIL |
| UOWENQ | INQUIRE UOWENQ |
| UOWLINK | SET UOWLINK
INQUIRE UOWLINK |
| URIMAP | CREATE URIMAP
DISCARD URIMAP INQUIRE URIMAP SET URIMAP Bundle command security applies when you use SPI commands to perform an action on a BUNDLE resource, and in that process you install, enable, disable, or discard a dynamically generated resource of this type that was defined in the CICS bundle. No CICS command security applies when you install, enable, disable, or discard a dynamically generated resource of this type through an application or platform. For more information, see Security for bundles. |
| VTAM® | INQUIRE VTAM
SET VTAM |
| WEB | INQUIRE WEB
SET WEB |
| WEBSERVICE | CREATE WEBSERVICE
DISCARD WEBSERVICE INQUIRE WEBSERVICE SET WEBSERVICE |
| WLMHEALTH |
INQUIRE WLMHEALTH
SET WLMHEALTH |
| XMLTRANSFORM | INQUIRE XMLTRANSFORM
SET XMLTRANSFORM |
Resource profile examples
If you are running CICS with command security, define resource profiles to RACF, with access lists as appropriate, using the resource names in Table 1 as the profile names. Alternatively, you can create resource group profiles in the VCICSCMD class.
In the following example, the RDEFINE command
defines a profile named CMDSAMP. The commands that are protected by
this profile are specified on the ADDMEM operand. The PERMIT command
allows a group of users to issue the commands for INQUIRE:
RDEFINE VCICSCMD CMDSAMP UACC(NONE)
NOTIFY(sys_admin_userid)
ADDMEM(AUTINSTMODEL, AUTOINSTALL, CONNECTION,
DSNAME, TRANSACTION, TRANDUMPCODE, VTAM)
PERMIT CMDSAMP CLASS(VCICSCMD) ID(operator_group) ACCESS(READ)The second example defines a profile called CMDSAMP1 with
the same commands in the ADDMEM operand, as in the previous example.
The PERMIT command allows a group of users to issue
PERFORM, SET, and DISCARD against these commands:
RDEFINE VCICSCMD CMDSAMP1 UACC(NONE)
NOTIFY(sys_admin_userid)
ADDMEM(AUTINSTMODEL, AUTOINSTALL, CONNECTION,
DSNAME, TRANSACTION, TRANDUMPCODE, VTAM)
PERMIT CMDSAMP1 CLASS(VCICSCMD) ID(op_group_2) ACCESS(UPDATE)If you are running CICS with SEC=YES, users require the access levels shown in Resource and command check cross-reference.