Site-specific security


The BBI-SS PAS uses the EXCI function to reconnect to CICS after the BBI-SS PAS is recycled.

The CREGAGT windows-mode views provide commands to control MainView for CICS initialization and termination, and its agent functions: extractor, task kill, SMF recording of the CICS CMF 110 records, and MainView AutoOPERATOR for CICS. These commands also use the CICS External Interface (EXCI) facility to communicate with the target CICS systems. When the PAS is recycled, it uses the EXCI facility to reconnect to CICS regions. Therefore, all BBI-SS systems must have the proper security authorization to issue commands.

When CICS security is active with certain SIT parameters, the BBI-SS PAS user ID must have proper security authorization in order to start MainView for CICS transactions, as well as to create and discard transactions and program definitions.

When XCMD=YES and CMDSEC=ALWAYS in the SIT, the BBI-SS PAS address space user ID must have access defined for the following resources in resource class CCICSCMD (or the site-specified resource class for XCMD):

<secprfx>.EXITPROGRAM  ACCESS(UPDATE)
               .PROGRAM      ACCESS(ALTER)
               .SYSTEM       ACCESS(READ)
               .TRANSACTION  ACCESS(ALTER)
               .MONITOR      ACCESS(UPDATE)
               .TASK         ACCESS(READ)
               .IRC          ACCESS(UPDATE)
               .TSQUEUE      ACCESS(READ)
               .CONNECT      ACCESS(READ)
               .STATISTIC    ACCESS(READ)
               .FILE         ACCESS(UPDATE)

The secprfx value is the security prefix that is specified by the SECPRFX parameter in the SIT, if any.

When XPPT=YES or XPCT=YES, and RESSEC=ALWAYS, the BBI-SS PAS user ID must have ACCESS(ALTER) privileges for resources in the resource classes MCICSPPT (XPPT) and ACICSPCT (XPCT), or in the site-specified resource classes for XPPT and XPCT, in order to create program and transaction definitions, respectively. For more information, see Managed-resources for the list of programs and transactions.

When XTRAN=YES (regardless of CMDSEC and RESSEC settings), the BBI-SS PAS user ID must have ACCESS(READ) privileges for the transaction resources BMCE, FST2, BCRT, FCD2, JNL2, and FIC2 in resource class TCICSTRN (or the site-specified resource class for XTRAN).

If CICS surrogate user checking is turned on in the target CICS through the SIT parameter XUSER=YES (regardless of CMDSEC and RESSEC settings), the BBI-SS PAS user ID must be authorized as a surrogate user in the CICS region. This authorization can be granted by using the following RACF command:

PERMIT userid1.DFHSTART CLASS(SURROGAT) ID(userid2) ACCESS(READ)

userid1 is the ID of the BBI-SS PAS and userid2 is the user ID of the CICS region.

If a security manager other than RACF is being used, refer to the appropriate security guide for more information.

For more information, see the IBM publication CICS RACF Security Guide for a discussion about CICS security checking. Also, see the IBM publication CICS System Definition Guide for a discussion about CICS security system initialization parameters (CMDSEC, RESSEC, XTRAN, XUSER, and so on).

Note

If CMDSEC and RESSEC are set to ASIS, the only SIT security parameters that affect the BBI-SS PAS are XTRAN and XUSER.
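
The SIT-dependent rules above can be turned into a checklist of RACF PERMIT commands for one CICS region. The following Python sketch is an added example, not part of the product or of the original page; the function and parameter names are hypothetical, the default IBM class names are assumed (no site-specified classes), and the program and transaction names from the Managed-resources list appear only as labelled placeholders.

```python
# Added example: derive the PERMIT commands the BBI-SS PAS user ID needs
# from a region's SIT security parameters. Names here are hypothetical.

CMD_RESOURCES = {  # CCICSCMD resources and access levels listed on this page
    "EXITPROGRAM": "UPDATE", "PROGRAM": "ALTER", "SYSTEM": "READ",
    "TRANSACTION": "ALTER", "MONITOR": "UPDATE", "TASK": "READ",
    "IRC": "UPDATE", "TSQUEUE": "READ", "CONNECT": "READ",
    "STATISTIC": "READ", "FILE": "UPDATE",
}
XTRAN_TRANSACTIONS = ["BMCE", "FST2", "BCRT", "FCD2", "JNL2", "FIC2"]


def required_permits(sit, pas_id, cics_id, secprfx=""):
    """Return RACF PERMIT commands for one target CICS region.

    sit must supply XCMD, CMDSEC, XPPT, XPCT, RESSEC, XTRAN and XUSER.
    secprfx is the resolved SECPRFX prefix, or "" when none is in effect.
    """
    def on(name):
        return sit[name].upper() == "YES"

    def always(name):
        return sit[name].upper() == "ALWAYS"

    def permit(resource, klass, access, user=pas_id, prefixed=True):
        # Assumption: SECPRFX prefixes names in every CICS resource class;
        # the page states this only for CCICSCMD.
        profile = f"{secprfx}.{resource}" if secprfx and prefixed else resource
        return f"PERMIT {profile} CLASS({klass}) ID({user}) ACCESS({access})"

    out = []
    if on("XCMD") and always("CMDSEC"):
        out += [permit(r, "CCICSCMD", a) for r, a in CMD_RESOURCES.items()]
    if always("RESSEC"):
        # Placeholders: the real names are in the Managed-resources list.
        if on("XPPT"):
            out.append(permit("<managed-program>", "MCICSPPT", "ALTER"))
        if on("XPCT"):
            out.append(permit("<managed-transaction>", "ACICSPCT", "ALTER"))
    if on("XTRAN"):  # applies regardless of CMDSEC and RESSEC
        out += [permit(t, "TCICSTRN", "READ") for t in XTRAN_TRANSACTIONS]
    if on("XUSER"):  # profile kept exactly as in the page's command
        out.append(permit(f"{pas_id}.DFHSTART", "SURROGAT", "READ",
                          user=cics_id, prefixed=False))
    return out
```

With CMDSEC and RESSEC both set to ASIS, the function returns only the TCICSTRN and SURROGAT commands, matching the note above.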


 
