OLTCNTL parameter ACTNSEC
We recommend that you use BMC security to secure all action commands entered in BMC AMI OpsM for CICS. When BMC security is active, BMC security processing checks the access status of the user ID that enters a command before the command can be executed. To use CICS security (instead of BMC security) to control which user IDs can issue commands when the command reaches the CICS region, use the ACTNSEC parameter.
Valid values for the ACTNSEC parameter are NO and YES (ACTNSEC=NO | YES). These options operate in conjunction with the System Initialization Table (SIT) security parameters of the CICS TS region and the security accessibility of the user ID associated with the action command at the time it was invoked. Example of the INITPARM setting:
Action commands
There are two types of action commands: Restricted and Unrestricted.
The Restricted Action Commands must be executed within the JNL2 transaction to avoid any possible delay that might occur while attaching to a new task. The Restricted Action Commands do not attach the FCD2 task to process the command. A slight delay could occur if the CICS TS resources needed to attach a new task are not available, and the task might not be dispatched immediately. These commands are listed in the following table:
View names | Restricted Action Command |
---|---|
CREGSYT | SET on Max Tasks field |
CTRNCLA | SET on Max Act field for DFHTCL00 |
CREGSYA | SET on DSA Limit field |
CREGSYA | SET on EDSA Limit field |
CTASK | CAN, PUR, and TKI |
TSQUEUE | PUR |
For all other commands, the JNL2 processing attaches the FCD2 transaction executing for the user ID associated with the action command at the time the command was invoked. When no user ID is associated with the action request, the FCD2 task executes for the user ID associated with the JNL2 transaction.
ACTNSEC
The OLTCNTL option ACTNSEC enables one of the following approaches to check the user ID authorization for each CICS TS SPI command executed by BMC AMI OpsM for CICS in the CICS TS region. The CICS TS SIT options determine which security authorization checks are invoked at the time the CICS TS SPI command is executed.
The ACTNSEC options are:
ACTNSEC value | Description |
---|---|
NO (default) | Security authorization processing continues to operate as it has in the past. For restricted commands: When the CICS TS SPI command is executed, security authorization checks are performed against the user ID associated with the JNL2 task. The FCD2 task is never attached for these commands. For unrestricted commands: Starts the FCD2 task to process the command. When the task is started, security processing continues to use the existing logic that tests the command request for a user ID. Starts the FCD2 task for the user ID when the user ID parameter is defined to the BMC AMI Ops Automation for CICS command CICSTRAN. Otherwise, the FCD2 tasks run with the same user ID as the JNL2 task. |
YES | For restricted commands: Any security authorization checks are processed by the OLT Function Package before the command is processed by JNL2. The authorization checks are made against the user ID that invoked the command. The FCD2 task is never started for these commands. For unrestricted commands: Starts the FCD2 task for the user ID when the user ID parameter is defined to the BMC AMI Ops Automation for CICS command CICSTRAN. Otherwise, starts the FCD2 task to process the command for the user ID that invoked the command. The CMDSEC and RESSEC attributes of the FCD2 resource definition are set to YES. Even with ACTNSEC=YES, the BBI-SS PAS address space user ID must still have security access to what is specified in Site Specific Security. The user ID that you want to permit to issue action commands needs the same security access, depending on what you want the user ID to do. In addition, when XUSER=YES is in the SIT, the CICS default ID and the BBI-SS PAS address space user ID must have ACCESS(READ) to the userid.DFHSTART resource in the SURROGAT class, where userid is the user ID that is defined to have access to the commands. |
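
The SURROGAT requirement in the YES row, written out as a batch TSO job for a site that uses RACF as its security manager. This is an added example, not part of the BMC documentation; the job card and the user IDs OPSUSR1 (the user ID permitted to issue action commands), CICSDFLT (the CICS default ID) and BBIPAS (the BBI-SS PAS address space user ID) are constructed placeholders.

```jcl
//RACFSURR JOB (ACCT),'SURROGAT PERMITS',CLASS=A,MSGCLASS=X
//*
//* Constructed example. Assumptions (replace with site values):
//*   OPSUSR1  - user ID defined to have access to action commands
//*   CICSDFLT - CICS default user ID of the region
//*   BBIPAS   - user ID of the BBI-SS PAS address space
//*
//* Applies when the region runs with ACTNSEC=YES and XUSER=YES:
//*   1. Define the userid.DFHSTART profile with no universal
//*      access, so only explicitly permitted IDs can start a
//*      task under OPSUSR1.
//*   2. Grant READ to the CICS default ID and the BBI-SS PAS ID.
//*   3. Refresh the in-storage SURROGAT profiles.
//*   4. List the profile and its access list to confirm that
//*      only the two intended IDs appear with READ.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RDEFINE SURROGAT OPSUSR1.DFHSTART UACC(NONE)
  PERMIT OPSUSR1.DFHSTART CLASS(SURROGAT) ID(CICSDFLT) ACCESS(READ)
  PERMIT OPSUSR1.DFHSTART CLASS(SURROGAT) ID(BBIPAS) ACCESS(READ)
  SETROPTS RACLIST(SURROGAT) REFRESH
  RLIST SURROGAT OPSUSR1.DFHSTART AUTHUSER
/*
```

Repeat the RDEFINE and PERMIT commands for each user ID that is allowed to issue action commands. Prefer discrete profiles per user ID over a generic *.DFHSTART profile, which would let the two accessor IDs start tasks under any user ID.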