Granting access to the plans and tables

The CICS® system programmer and the Db2® administrator must decide how to control access to the CICS® IA plan and the CIU tables. There are two options.

About this task

Read this information with the CICS® Db2® Guide.

Option 1
CICS® IA uses the DYNAMICRULES(BIND) option on the BIND PLAN command in CIUDBNB. This option is recommended for the following reasons:
  • How security works is the same for both dynamic and static SQL.
  • If you grant permissions by issuing one or more GRANT EXECUTE ON PLAN CICSIA TO _xxxx_ commands, all of the security checks are done at the plan level. This option is simple to administer and offers good performance.
  • If, typically, the _xxxx_ in the GRANT EXECUTE command specifies a RACF® group rather than a single RACF® user ID, to add new users you connect the users to the RACF® group.
The sample installation jobs CIUDBNB are configured to issue GRANT EXECUTE commands for the appropriate plans. These commands are issued against a RACF® group.
  1. Select your RACF® group. The RACF® group can be selected at configuration time.
  2. Change _racfgrp_ to your chosen RACF® group.
  3. Ensure that all CIU users are connected to your chosen RACF® group, with RACF® list of groups active in the system.
  4. Enable secondary authorization in IBM® Db2®. See the Db2® installation job DSNTIJEX.
    Note:
    1. Review DSNTIJEX job with your Db2® administrator.
    2. For a full understanding of the implications of DYNAMICRULES(BIND), see the description of the BIND COMMAND in the Db2® Commands manual.
    3. See also the section on Db2® security in the CICS® RACF® Security Guide.
    4. Review this job with your Db2® administrator.
Option 2
Grant all CIU users access to the tables explicitly. This option is not recommended because you must do this every time you give access to a new user.
To use this option:
  1. In the sample jobs CIUDBNB and CIUDBNT, on the BIND PLAN command change the DYNAMICRULES option from DYNAMICRULES(BIND) to DYNAMICRULES(RUN).
  2. In hlq.SCIUSQL.OUT(CIUGRNTC), change the sample GRANT commands to GRANT EXECUTE on the CICSIA plan and GRANT SELECT, GRANT UPDATE, GRANT INSERT, GRANT DELETE, and any other GRANT commands, on the CIU tables.
  3. If the GRANT permissions are made to a RACF® group, note these requirements:
    1. Ensure that all CIU users are connected to that RACF® group.
    2. Enable secondary authorization in IBM® Db2®. See the Db2® install job DSNTIJEX for more information if required.

The Query interface uses dynamic SQL to access the CIU_CICS_DATA, CIU_DB2_DATA, CIU_MQ_DATA, and CIU_IMS_DATA tables. For guidance on using dynamic SQL with CICS®, refer to the CICS® Db2® Guide for your CICS® release.

The delivered SQL is constructed and sized for a default application. You must tailor the sizings for PRIQTY and SECQTY in the index creation batch job to suit your requirements. If you create a new query, you must evaluate the query to ensure that the existing indexing supports the query. If the existing indexing does not support the query, you must construct more indexes. Contact your database administrator if you require assistance.