CICS resources subject to command security checking
For transaction and resource security checking, you identify the resources to RACF® using the identifiers that you have assigned to them; for example, file names, queue names, and transaction names. However, in the case of command security, the resource identifiers are all predefined by CICS®, and you use these predefined names when defining resource profiles to RACF.
The full list of resource identifiers that are subject to command security checking with the associated commands is shown in Table 1. Most of these commands are common to both the CEMT and EXEC CICS interfaces; commands that are specific to CEMT have the CEMT preface.
| Resource identifier 1 | Related CICS commands |
|---|---|
| ASSOCIATION | INQUIRE ASSOCIATION |
| ATOMSERVICE | CREATE ATOMSERVICE
DISCARD ATOMSERVICE INQUIRE ATOMSERVICE SET ATOMSERVICE |
| AUTINSTMODEL | DISCARD AUTINSTMODEL
INQUIRE AUTINSTMODEL |
| AUTOINSTALL | INQUIRE AUTOINSTALL
SET AUTOINSTALL |
| BRFACILITY | INQUIRE BRFACILITY
SET BRFACILITY |
| BUNDLE | CREATE BUNDLE
DISCARD BUNDLE INQUIRE BUNDLE SET BUNDLE |
| BUNDLEPART | INQUIRE BUNDLEPART |
| CAPDATAPRED | INQUIRE CAPDATAPRED
|
| CAPINFOSRCE | INQUIRE CAPINFOSRCE
|
| CAPOPTPRED | INQUIRE CAPOPTPRED
|
| CAPTURESPEC | INQUIRE CAPTURESPEC
|
| CFDTPOOL | INQUIRE CFDTPOOL |
| CONNECTION | CREATE CONNECTION
DISCARD CONNECTION INQUIRE CONNECTION SET CONNECTION |
| CSD | CSD ADD
CSD ALTER CSD APPEND CSD COPY CSD DEFINE CSD DELETE CSD DISCONNECT CSD ENDBRGROUP CSD ENDBRLIST CSD ENDBRRSRCE CSD GETNEXTGROUP CSD GETNEXTLIST CSD GETNEXTRSRCE CSD INQUIREGROUP CSD INQUIRELIST CSD INQUIRERSRCE CSD INSTALL CSD LOCK CSD REMOVE CSD RENAME CSD STARTBRGROUP CSD STARTBRLIST CSD STARTBRRSRCE CSD UNLOCK CSD USERDEFINE |
| DB2CONN | CREATE DB2CONN
DISCARD DB2CONN INQUIRE DB2CONN SET DB2CONN |
| DB2ENTRY | CREATE DB2ENTRY
DISCARD DB2ENTRY INQUIRE DB2ENTRY SET DB2ENTRY |
| DB2TRAN | CREATE DB2TRAN
DISCARD DB2TRAN INQUIRE DB2TRAN SET DB2TRAN |
| DELETSHIPPED | INQUIRE DELETSHIPPED
PERFORM DELETSHIPPED SET DELETSHIPPED |
| DISPATCHER | INQUIRE DISPATCHER
SET DISPATCHER |
| DOCTEMPLATE | CREATE DOCTEMPLATE
DISCARD DOCTEMPLATE INQUIRE DOCTEMPLATE SET DOCTEMPLATE |
| DSNAME | INQUIRE DSNAME
SET DSNAME |
| DUMP | CEMT PERFORM SNAP
PERFORM DUMP |
| DUMPDS | INQUIRE DUMPDS
SET DUMPDS |
| ENQMODEL | CREATE ENQMODEL
INQUIRE ENQMODEL SET ENQMODEL |
| EPADAPTER | INQUIRE EPADAPTER 4
SET EPADAPTER 4 |
| EPADAPTERSET | INQUIRE EPADAPTERSET 4
SET EPADAPTERSET 4 |
| EPADAPTINSET | INQUIRE EPADAPTINSET 4
|
| EVENTBINDING | INQUIRE EVENTBINDING 4
SET EVENTBINDING 4 |
| EVENTPROCESS | INQUIRE EVENTPROCESS
SET EVENTPROCESS |
| EXCI | INQUIRE EXCI |
| EXITPROGRAM | DISABLE PROGRAM
ENABLE PROGRAM EXTRACT EXIT RESYNC ENTRYNAME INQUIRE EXITPROGRAM |
| FEPIRESOURCE | Certain FEPI commands |
| FILE | CREATE FILE
DISCARD FILE INQUIRE FILE SET FILE |
| HOST | INQUIRE HOST
SET HOST |
| IPCONN | CREATE IPCONN
DISCARD IPCONN INQUIRE IPCONN SET IPCONN |
| IRC | INQUIRE IRC
SET IRC |
| JOURNALMODEL | CEMT INQUIRE JMODEL
CREATE JOURNALMODEL DISCARD JOURNALMODEL INQUIRE JOURNALMODEL |
| JOURNALNAME | INQUIRE JOURNALNAME
SET JOURNALNAME |
| JVMSERVER | CREATE JVMSERVER
DISCARD JVMSERVER INQUIRE JVMSERVER SET JVMSERVER |
| LIBRARY | CREATE LIBRARY 4
DISCARD LIBRARY 4 INQUIRE LIBRARY 4 SET LIBRARY 4 |
| LINE | CEMT INQUIRE LINE
CEMT SET LINE |
| LSRPOOL | CREATE LSRPOOL |
| MAPSET | CREATE MAPSET |
| MODENAME | INQUIRE MODENAME
SET MODENAME |
| MONITOR | INQUIRE MONITOR
SET MONITOR |
| MQCONN | CREATE MQCONN
DISCARD MQCONN INQUIRE MQCONN SET MQCONN |
| MQINI | INQUIRE MQINI |
| MVSTCB | COLLECT STATISTICS
INQUIRE MVSTCB |
| OSGIBUNDLE | INQUIRE OSGIBUNDLE 4 |
| OSGISERVICE | INQUIRE OSGISERVICE 4 |
| PARTITIONSET | CREATE PARTITIONSET |
| PARTNER | CREATE PARTNER
DISCARD PARTNER INQUIRE PARTNER |
| PIPELINE | CREATE PIPELINE
DISCARD PIPELINE INQUIRE PIPELINE PERFORM PIPELINE SET PIPELINE |
| PROCESSTYPE | CEMT INQUIRE PROCESSTYPE
CEMT SET PROCESSTYPE CREATE PROCESSTYPE DISCARD PROCESSTYPE |
| PROFILE | CREATE PROFILE
DISCARD PROFILE INQUIRE PROFILE |
| PROGRAM | CREATE PROGRAM 4
DISCARD PROGRAM 4 INQUIRE PROGRAM 4 SET PROGRAM 4 |
| REQID | INQUIRE REQID |
| RESETTIME | PERFORM RESETTIME 3 |
| RRMS | INQUIRE RRMS |
| SECURITY | PERFORM SECURITY REBUILD
PERFORM SSL REBUILD |
| SESSIONS | CREATE SESSIONS |
| SHUTDOWN | PERFORM SHUTDOWN 2 |
| STATISTICS | COLLECT STATISTICS
EXTRACT STATISTICS PERFORM STATISTICS RECORD INQUIRE STATISTICS SET STATISTICS |
| STORAGE | INQUIRE STORAGE |
| STREAMNAME | INQUIRE STREAMNAME |
| SUBPOOL | INQUIRE SUBPOOL |
| SYSDUMPCODE | INQUIRE SYSDUMPCODE 3
SET SYSDUMPCODE 3 |
| SYSTEM | INQUIRE SYSTEM
SET SYSTEM |
| TASK | INQUIRE TASK
SET TASK |
| TCLASS | CREATE TRANCLASS
DISCARD TRANCLASS INQUIRE TRANCLASS SET TRANCLASS INQUIRE TCLASS SET TCLASS |
| TCPIP | INQUIRE TCPIP
SET TCPIP |
| TCPIPSERVICE | CREATE TCPIPSERVICE
DISCARD TCPIPSERVICE INQUIRE TCPIPSERVICE SET TCPIPSERVICE |
| TDQUEUE | CREATE TDQUEUE
DISCARD TDQUEUE INQUIRE TDQUEUE SET TDQUEUE |
| TEMPSTORAGE | INQUIRE TEMPSTORAGE
SET TEMPSTORAGE |
| TERMINAL | INQUIRE NETNAME
SET NETNAME CREATE TERMINAL DISCARD TERMINAL INQUIRE TERMINAL SET TERMINAL |
| TRACEDEST | INQUIRE TRACEDEST
SET TRACEDEST |
| TRACEFLAG | INQUIRE TRACEFLAG
SET TRACEFLAG |
| TRACETYPE | INQUIRE TRACETYPE
SET TRACETYPE |
| TRANDUMPCODE | INQUIRE TRANDUMPCODE 3
SET TRANDUMPCODE 3 |
| TRANSACTION | CREATE TRANSACTION 4
DISCARD TRANSACTION 4 INQUIRE TRANSACTION 4 SET TRANSACTION 4 |
| TSMODEL | CREATE TSMODEL
DISCARD TSMODEL INQUIRE TSMODEL |
| TSPOOL | INQUIRE TSPOOL |
| TSQUEUE | INQUIRE TSQUEUE |
| TSQNAME | INQUIRE TSQNAME
SET TSQNAME |
| TYPETERM | CREATE TYPETERM |
| UOW | INQUIRE UOW
SET UOW |
| UOWDSNFAIL | INQUIRE UOWDSNFAIL |
| UOWENQ | INQUIRE UOWENQ |
| UOWLINK | SET UOWLINK
INQUIRE UOWLINK |
| URIMAP | CREATE URIMAP 4
DISCARD URIMAP 4 INQUIRE URIMAP 4 SET URIMAP 4 |
| VTAM | INQUIRE VTAM
SET VTAM |
| WEB | INQUIRE WEB
SET WEB |
| WEBSERVICE | CREATE WEBSERVICE
DISCARD WEBSERVICE INQUIRE WEBSERVICE SET WEBSERVICE |
| XMLTRANSFORM | INQUIRE XMLTRANSFORM
SET XMLTRANSFORM |
Note:
- If you are using prefixing, the CICS region user ID must be prefixed to the command resource name.
- Be particularly cautious when authorizing access to these and any other CICS commands that include a SHUTDOWN option.
- See CEMT considerations.
- Bundle command security applies when you use SPI commands to perform an action on a BUNDLE resource, and in that process you install, enable, disable, or discard a dynamically generated resource of this type that was defined in the CICS bundle. No CICS command security applies when you install, enable, disable, or discard a dynamically generated resource of this type through an application or platform. For more information, see Security for bundles.
Resource profile examples
If you are running CICS with command security, define resource profiles to RACF, with access lists as appropriate, using the resource names in Table 1 as the profile names. Alternatively, you can create resource group profiles in the VCICSCMD class.
In the following example, the RDEFINE command
defines a profile named CMDSAMP. The commands that are protected by
this profile are specified on the ADDMEM operand. The PERMIT command
allows a group of users to issue the commands for INQUIRE:
RDEFINE VCICSCMD CMDSAMP UACC(NONE)
NOTIFY(sys_admin_userid)
ADDMEM(AUTINSTMODEL, AUTOINSTALL, CONNECTION,
DSNAME, TRANSACTION, TRANDUMPCODE, VTAM)
PERMIT CMDSAMP CLASS(VCICSCMD) ID(operator_group) ACCESS(READ)The second example defines a profile called CMDSAMP1 with
the same commands in the ADDMEM operand, as in the previous example.
The PERMIT command allows a group of users to issue
PERFORM, SET, and DISCARD against these commands:
RDEFINE VCICSCMD CMDSAMP1 UACC(NONE)
NOTIFY(sys_admin_userid)
ADDMEM(AUTINSTMODEL, AUTOINSTALL, CONNECTION,
DSNAME, TRANSACTION, TRANDUMPCODE, VTAM)
PERMIT CMDSAMP1 CLASS(VCICSCMD) ID(op_group_2) ACCESS(UPDATE)If you are running CICS with SEC=YES, users require the access levels shown in Resource and command check cross-reference.