Site-specific security

The BBI-SS PAS uses the EXCI function to reconnect to CICS after the BBI-SS PAS is recycled.

The CREGAGT windows-mode views provide commands to control MainView for CICS initialization and termination and its agent functions: the extractor, task kill, SMF recording of the CICS CMF 110 records, and MainView AutoOPERATOR for CICS. These commands also use the CICS External Interface (EXCI) facility to communicate with the target CICS systems. When the PAS is recycled, it uses the EXCI facility to reconnect to CICS regions. Therefore, all BBI-SS systems must have the proper security authorization to issue commands.

When CICS security is active with certain SIT parameters, the BBI-SS PAS user ID must have proper security authorization to start MainView for CICS transactions, as well as to create and discard transaction and program definitions.

When XCMD=YES and CMDSEC=ALWAYS in the SIT, the BBI-SS PAS address space user ID must have access defined for the following resources in resource class CCICSCMD (or the site-specified resource class for XCMD):

secprfx.EXITPROGRAM  ACCESS(UPDATE)
               .PROGRAM      ACCESS(ALTER)
               .SYSTEM       ACCESS(READ)
               .TRANSACTION  ACCESS(ALTER)
               .MONITOR      ACCESS(UPDATE)
               .TASK         ACCESS(READ)
               .IRC          ACCESS(UPDATE)
               .TSQUEUE      ACCESS(READ)
               .CONNECT      ACCESS(READ) 
               .STATISTIC    ACCESS(READ)
               .FILE         ACCESS(UPDATE)

secprfx is the security prefix that is specified by the SECPRFX parameter in the SIT, if any.

When XPPT=YES or XPCT=YES, and RESSEC=ALWAYS, the BBI-SS PAS user ID must have ACCESS(ALTER) privileges for resources in the resource classes MCICSPPT (XPPT) and ACICSPCT (XPCT), or in the site-specified resource classes for XPPT and XPCT, in order to create program and transaction definitions, respectively. See Managed resources for the list of programs and transactions.

When XTRAN=YES (regardless of CMDSEC and RESSEC settings), the BBI-SS PAS user ID must have ACCESS(READ) privileges for the transaction resources BMCE, FST2, BCRT, FCD2, JNL2, and FIC2 in resource class TCICSTRN (or the site-specified resource class for XTRAN).

If CICS surrogate user checking is turned on in the target CICS through the SIT parameter XUSER=YES (regardless of CMDSEC and RESSEC settings), the BBI-SS PAS user ID must be authorized as a surrogate user in the CICS region. This setting can be accomplished by using the following RACF command:

PERMIT userid1.DFHSTART CLASS(SURROGAT) ID(userid2) ACCESS(READ)

userid1 is the ID of the BBI-SS PAS and userid2 is the user ID of the CICS region.

If a security manager other than RACF is being used, refer to the appropriate security guide for more information.

Refer to the CICS RACF Security Guide for details about CICS security checking. Refer to the CICS System Definition Guide for details about CICS security system initialization parameters (CMDSEC, RESSEC, XTRAN, XUSER, and so on).

Note

If CMDSEC and RESSEC are set to ASIS, the only SIT security parameters that affect the BBI-SS PAS are XTRAN and XUSER.
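The rules above can be turned into a per-region checklist. The following is an added example, not BMC or IBM code: it derives the RACF PERMIT commands for the BBI-SS PAS user ID from a region's SIT settings. It handles only the default class names (the X parameters set to YES), takes the Managed resources program and transaction names from the caller, and assumes that SECPRFX also prefixes program and transaction profiles; the user IDs and names in the sample run are constructed.

```python
# Added example: derive the RACF PERMIT commands the BBI-SS PAS user ID needs
# from a region's SIT security parameters, following the rules on this page.
# Command resources and access levels from the CCICSCMD list above.
CMD_ACCESS = {
    "EXITPROGRAM": "UPDATE", "PROGRAM": "ALTER", "SYSTEM": "READ",
    "TRANSACTION": "ALTER", "MONITOR": "UPDATE", "TASK": "READ",
    "IRC": "UPDATE", "TSQUEUE": "READ", "CONNECT": "READ",
    "STATISTIC": "READ", "FILE": "UPDATE",
}
# Transactions the PAS user ID must be able to start when XTRAN=YES.
XTRAN_TRANS = ["BMCE", "FST2", "BCRT", "FCD2", "JNL2", "FIC2"]


def required_permits(sit, pas_id, cics_id, programs=(), transactions=()):
    """Return the PERMIT commands for one CICS region.

    sit: dict of SIT parameters (XCMD, CMDSEC, XPPT, XPCT, RESSEC, XTRAN,
    XUSER, SECPRFX). programs/transactions: names from "Managed resources",
    passed in by the caller because this page does not list them.
    """
    prefix = sit.get("SECPRFX")
    # Assumption: the prefix applies to every CICS resource profile.
    def profile(name):
        return f"{prefix}.{name}" if prefix else name
    def permit(name, cls, access, user=pas_id):
        return f"PERMIT {name} CLASS({cls}) ID({user}) ACCESS({access})"
    def on(key):
        return sit.get(key, "NO") == "YES"
    cmds = []
    if on("XCMD") and sit.get("CMDSEC") == "ALWAYS":
        cmds += [permit(profile(r), "CCICSCMD", a) for r, a in CMD_ACCESS.items()]
    if sit.get("RESSEC") == "ALWAYS":
        if on("XPPT"):
            cmds += [permit(profile(p), "MCICSPPT", "ALTER") for p in programs]
        if on("XPCT"):
            cmds += [permit(profile(t), "ACICSPCT", "ALTER") for t in transactions]
    if on("XTRAN"):  # applies regardless of CMDSEC and RESSEC
        cmds += [permit(profile(t), "TCICSTRN", "READ") for t in XTRAN_TRANS]
    if on("XUSER"):  # surrogate profile is not prefixed; same form as the page
        cmds.append(permit(f"{pas_id}.DFHSTART", "SURROGAT", "READ", cics_id))
    return cmds


if __name__ == "__main__":
    # Constructed sample: ASIS region, so only XTRAN and XUSER produce permits.
    sample = {"XCMD": "YES", "CMDSEC": "ASIS", "RESSEC": "ASIS",
              "XTRAN": "YES", "XUSER": "YES", "SECPRFX": "CICSA"}
    for line in required_permits(sample, "BBIPAS", "CICSRGN"):
        print(line)
```

Comparing this output with what is actually defined for the PAS user ID shows which grants are missing and which are broader than the region's SIT settings require.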
