Site-specific security


The BBI-SS PAS uses the IBM CICS External Interface (EXCI) to control the following processes:

  • Reconnecting to IBM CICS after recycling the BBI-SS PAS. 
  • Issuing commands from the CREGAGT view to control BMC AMI Ops Monitor for CICS initialization and termination, and control its agent functions (such as the extractor, task kill, SMF recording of the CICS CMF 110 records, BMC AMI Ops Automation for CICS, and so on).

Therefore, you must define security authorization for the BBI-SS PAS address space user ID to issue commands in IBM CICS when CICS security is active.

System Initialization Table (SIT) security parameters

When CICS security is active with certain System Initialization Table (SIT) parameters, the BBI-SS PAS address space user ID must have security authorization to perform the following processes after a recycle of the BBI-SS PAS:

  • Start BMC AMI OpsM for CICS transactions
  • Create and discard BMC AMI OpsM for CICS transactions and program definitions
  • Gather data for resource views
  • Process action commands on behalf of the user ID that entered the command, after the user's authorization is checked when BMC security is active in the BBI-SS PAS.
    We recommend that you use BMC security to specify which users can invoke action commands. For more information, see BMC AMI Ops Monitor for CICS resources and BMC AMI Ops Monitor for CICS and the BMC AMI Ops Automation for CICS.

The following table describes how some of the SIT parameters affect the security authorization needed by the BBI-SS address space user ID:

SIT parameter setting

Description

XCMD=YES

The BBI-SS PAS address space user ID must have access defined for the following resources in resource class CICSCMD (or site-specified resource class for XCMD). In the list, the secprfx value is the security prefix that is specified by the SECPRFX parameter in the SIT:

<secprfx>.CONNECTION   ACCESS(READ)
         .STATISTIC    ACCESS(READ)
         .SYSTEM       ACCESS(READ)
         .TASK         ACCESS(READ)
         .TSQUEUE      ACCESS(READ)
         .EXITPROGRAM  ACCESS(UPDATE)
         .FILE         ACCESS(UPDATE)
         .IRC          ACCESS(UPDATE)
         .MONITOR      ACCESS(UPDATE)
         .PROGRAM      ACCESS(ALTER)
         .TRANSACTION  ACCESS(ALTER)

CMDSEC=ALWAYS

With CMDSEC=ALWAYS, you must define the following:

  • Define the resources specified with XCMD=YES and all of the READ access resources (see the row above) with UPDATE access.
  • Add the following definition:

<secprfx>.TCLASS  ACCESS(UPDATE)

To enable gathering data for resource views, specify the following:

<secprfx>.*       ACCESS(READ) 

XPPT=YES or XPCT=YES, or RESSEC=ALWAYS

The BBI-SS PAS address space user ID must have ACCESS(ALTER) defined for resources in the resource classes MCICSPPT (XPPT) and ACICSPCT (XPCT) or site-specified resource class for XPPT and XPCT in order to create program and transaction definitions, respectively.

For more information, see Managed-resources for the list of programs and transactions.

XTRAN=YES (regardless of CMDSEC and RESSEC settings)

The BBI-SS PAS user ID must have ACCESS(READ) defined for transactions (resource) BMCE, FST2, BCRT, FCD2, JNL2 and FIC2 in resource class TCICSTRN (or site-specified resource class for XTRAN).

RESSEC=ALWAYS

The BBI-SS PAS user ID must have ACCESS(READ) defined for the following resources, in the resource classes shown, in order to gather data for certain views:

For resource class RCICSRES:

<secprfx>.BUNDLE.*
<secprfx>.EVENTBINDING.*
<secprfx>.DOCTEMPLATE.*
<secprfx>.POLICY.*
<secprfx>.JVMSERVER.*

For resource class JCICSJCT:

<secprfx>.DFHLOG

XUSER=YES

The BBI-SS PAS user ID might need to be authorized as a surrogate user in the CICS region for the CICS default user ID.

For more information about CICS security, see the IBM documentation CICS RACF Security Guide to read about CICS security checking. Also, see the IBM documentation CICS System Definition Guide to read about CICS security system initialization parameters (CMDSEC, RESSEC, XTRAN, XUSER, and so on).
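
The table above can be turned into a least-privilege check for the BBI-SS PAS user ID. The following Python code is an added example, not BMC or IBM code: it derives the minimum access per profile from a set of SIT settings and compares it with a list of existing grants, reporting both missing and excessive access. It reads the CMDSEC=ALWAYS row as raising the READ entries of the XCMD=YES row to UPDATE, uses exact profile names only (generic profile matching is not modeled), and the function names, the prefix CICSA and the sample grants are assumptions.

```python
# Added example: helper names and the sample data at the end are constructed.
# Resource class names are used as they are written on this page.
LEVEL = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALTER": 3}
XCMD_ROW = {"CONNECTION": "READ", "STATISTIC": "READ", "SYSTEM": "READ",
            "TASK": "READ", "TSQUEUE": "READ", "EXITPROGRAM": "UPDATE",
            "FILE": "UPDATE", "IRC": "UPDATE", "MONITOR": "UPDATE",
            "PROGRAM": "ALTER", "TRANSACTION": "ALTER"}
XTRAN_ROW = ("BMCE", "FST2", "BCRT", "FCD2", "JNL2", "FIC2")
RES_ROW = ("BUNDLE.*", "EVENTBINDING.*", "DOCTEMPLATE.*", "POLICY.*", "JVMSERVER.*")

def required_access(sit, secprfx):
    """Map (class, profile) -> minimum access for the BBI-SS PAS user ID."""
    need = {}
    def want(cls, profile, access):
        # Keep the highest level when two rows name the same profile.
        if LEVEL[access] > LEVEL[need.get((cls, profile), "NONE")]:
            need[(cls, profile)] = access

    cmd_always = sit.get("CMDSEC") == "ALWAYS"
    if sit.get("XCMD") == "YES" or cmd_always:
        for name, access in XCMD_ROW.items():
            # CMDSEC=ALWAYS row: the READ entries need UPDATE instead.
            if cmd_always and access == "READ":
                access = "UPDATE"
            want("CICSCMD", f"{secprfx}.{name}", access)
    if cmd_always:
        want("CICSCMD", f"{secprfx}.TCLASS", "UPDATE")
        want("CICSCMD", f"{secprfx}.*", "READ")  # data for resource views
    if sit.get("XTRAN") == "YES":
        for tran in XTRAN_ROW:  # listed without a prefix on the page
            want("TCICSTRN", tran, "READ")
    if sit.get("RESSEC") == "ALWAYS":
        for name in RES_ROW:
            want("RCICSRES", f"{secprfx}.{name}", "READ")
        want("JCICSJCT", f"{secprfx}.DFHLOG", "READ")
    return need

def audit(need, granted):
    """Return (missing, excess): grants below and above the required level."""
    missing = {k: v for k, v in need.items()
               if LEVEL[granted.get(k, "NONE")] < LEVEL[v]}
    excess = {k: g for k, g in granted.items()
              if LEVEL[g] > LEVEL[need.get(k, "NONE")]}
    return missing, excess

# Constructed sample: prefix CICSA with two grants already in place.
SIT = {"XCMD": "YES", "CMDSEC": "ALWAYS", "XTRAN": "YES"}
GRANTED = {("CICSCMD", "CICSA.TASK"): "READ", ("CICSCMD", "CICSA.FILE"): "ALTER"}
MISSING, EXCESS = audit(required_access(SIT, "CICSA"), GRANTED)
```

In the sample, CICSA.TASK is reported as missing because READ is below the UPDATE level needed under CMDSEC=ALWAYS, and CICSA.FILE is reported as excess because ALTER exceeds the UPDATE level the table asks for.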


 
