Controlling FM/CICS processing

File Manager can read and modify CICS® resources and change their status. If those resources are not protected within the CICS® environment itself, you may need to control which functions File Manager for CICS® users are allowed to perform.

If Security Server, RACF® 1.9 (or later) or an equivalent security product is active, the File Manager enhanced security facility uses the System Authorization Facility (SAF) for access control and authorization verification. Authorization is controlled by File Manager-specific profiles in the FACILITY and XFACILIT classes, as follows.

Activating FM/CICS resource checking

The following FACILITY class profile determines whether File Manager checks access for CICS® resources at all.


FILEM.CICS.RESOURCE

Here is an example of activating FM/CICS resource checking.


RDEF FACILITY FILEM.CICS.RESOURCE AUDIT(NONE)      +
        UACC(READ) OWNER(TYRONED)
SETROPTS RACLIST(FACILITY) REFRESH

If this profile is defined and the user has READ access or higher to it, FM/CICS performs resource security checking using the XFACILIT class profiles described below. If the profile is not defined, or the user's access to it is less than READ, FM/CICS performs no resource checking for that user at all: such a user is not denied FM/CICS functions, but is simply not subject to the XFACILIT checks. Define the profile with UACC(READ), as in the example, unless you deliberately intend to exempt particular users from checking.

Defining access to CICS® resources

Define XFACILIT class profiles in the form:


FILEM.sysplex_name.cics_applid.resource_type.resource_name

Where

sysplex_name
The z/OS® sysplex name.
cics_applid
The CICS® VTAM® application id for the CICS® region.
resource_type
One of these values:
FILE
CICS® files
TD
CICS® transient data queues
TS
CICS® temporary storage queues
ENQ
CICS® enqueue resource name
resource_name
The CICS® file name, transient data queue name or temporary storage queue name. This level doesn't apply to the resource type ENQ.

File Manager checks the user's access level to the matching XFACILIT profile as follows to determine which functions can be performed. Access levels are hierarchical in the usual RACF® sense, so UPDATE includes READ and CONTROL includes UPDATE.

READ
Allows read-only functions such as browse, print and view. The user cannot modify the CICS® resource.
UPDATE
Allows update functions such as edit, data create and copy to, and the ability to delete TS queues and empty TD queues from the resource list displays.
CONTROL
Allows CICS® SET processing to change the status of a resource and, for profiles with resource_type ENQ, the ability to purge tasks holding outstanding enqueues. If the user does not have CONTROL access, the status fields that are normally modifiable on the resource list panels are protected for the resources the user is not allowed to modify.
Note: If XFACILIT profiles for CICS® files are defined and the user performs a File Manager function that reads or updates the data set, an additional check verifies that the user has the required level of access to the data set name associated with the CICS® file. A user therefore needs sufficient access both to the XFACILIT profile for the file and to the underlying data set.

Examples for RACF® definitions

In each case the XFACILIT class must be active with generic profile checking enabled, and if the class is RACLISTed the changes take effect only after SETROPTS RACLIST(XFACILIT) REFRESH, just as the FACILITY example above refreshes that class. The OWNER and AUDIT values shown are site choices.

Case 1. Ensure all files on CICSDEV can only be accessed read-only


RDEF XFACILIT FILEM.SYSPLEXA.CICSDEV.FILE.**  AUDIT(NONE) +
               UACC(READ) OWNER(userid)

Case 2. Ensure all CICS® resources on CICSDEV can only be accessed read-only


RDEF XFACILIT FILEM.SYSPLEXA.CICSDEV.**  AUDIT(NONE)   +
               UACC(READ) OWNER(userid)

Case 3. Allow update against all CICS® resources on CICSDEV, and allow SET processing for the systems programmer userid


RDEF XFACILIT FILEM.SYSPLEXA.CICSDEV.**  AUDIT(NONE)  +
               UACC(UPDATE) OWNER(userid)

PE FILEM.SYSPLEXA.CICSDEV.**  +
         CLASS(XFACILIT) ID(sysprog) ACC(CONTROL)

Case 4. Allow a specific user full access to FILE names beginning with FM

Because RACF® applies the most specific matching profile, this profile also overrides any broader FILEM.SYSPLEXA.CICSDEV.** profile for files beginning with FM: a user who is not on its access list gets UACC(NONE) for those files, whatever access they hold on the generic profile.


RDEF XFACILIT FILEM.SYSPLEXA.CICSDEV.FILE.FM* AUDIT(NONE) +
               UACC(NONE) OWNER(TYRONED)
PE FILEM.SYSPLEXA.CICSDEV.FILE.FM* +
         CLASS(XFACILIT) ID(fmuser1) ACC(CONTROL)
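The following Python model is an added illustration of how the checks described under "Activating FM/CICS resource checking", the READ/UPDATE/CONTROL levels, and Cases 3 and 4 above combine into a single allow/deny decision. It is not File Manager or RACF® code: the wildcard matching and the "most specific profile wins" rule are approximations of RACF® generic-profile handling, the userids SYSPROG, FMUSER1 and USER2 and the resource names are assumed, and a resource covered by no XFACILIT profile is treated as NONE, which is an assumption the page does not confirm. The data set access check noted above is not modelled.

```python
"""Model of the FM/CICS authorization decision described on this page.

Added illustration, not File Manager or RACF code. The wildcard matching and
"most specific profile wins" rule approximate RACF generic-profile handling;
the profiles, permits and userids below are constructed for the example.
"""
from dataclasses import dataclass, field

# RACF access levels, lowest to highest; a higher level includes the lower ones.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# File Manager function -> minimum XFACILIT access it needs, per the text above.
REQUIRED = {
    "browse": "READ", "print": "READ", "view": "READ",
    "edit": "UPDATE", "create": "UPDATE", "copy_to": "UPDATE",
    "delete_ts": "UPDATE", "empty_td": "UPDATE",
    "set": "CONTROL", "purge_enq": "CONTROL",
}


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    permits: dict = field(default_factory=dict)  # userid -> access level


def qualifier_matches(pattern: str, qual: str) -> bool:
    """A trailing '*' matches the rest of the qualifier (approximation)."""
    if pattern.endswith("*"):
        return qual.startswith(pattern[:-1])
    return pattern == qual


def profile_matches(profile_name: str, resource: str) -> bool:
    """Dotted-name match where '**' matches zero or more whole qualifiers."""
    pats, quals = profile_name.split("."), resource.split(".")

    def rec(i: int, j: int) -> bool:
        if i == len(pats):
            return j == len(quals)
        if pats[i] == "**":
            return any(rec(i + 1, k) for k in range(j, len(quals) + 1))
        return (j < len(quals) and qualifier_matches(pats[i], quals[j])
                and rec(i + 1, j + 1))

    return rec(0, 0)


def best_profile(profiles, resource):
    """Most specific matching profile, here the one with the most literal
    characters. RACF's real best-match rule is more involved (approximation)."""
    matches = [p for p in profiles if profile_matches(p.name, resource)]
    return max(matches, key=lambda p: len(p.name.replace("*", "")), default=None)


def access_of(profile: Profile, user: str) -> str:
    """An explicit access-list entry takes precedence over UACC."""
    return profile.permits.get(user, profile.uacc)


def at_least(have: str, need: str) -> bool:
    return LEVELS.index(have) >= LEVELS.index(need)


def fm_cics_decision(user, function, sysplex, applid, rtype, rname,
                     facility_profiles, xfacilit_profiles):
    """Return (checked, allowed).

    checked is False when FM/CICS skips resource checking altogether, because
    FILEM.CICS.RESOURCE is undefined or the user has less than READ on it; in
    that case FM/CICS imposes no restriction of its own and allowed is True.
    A resource covered by no XFACILIT profile is treated as NONE here (an
    assumption: the page does not say how File Manager handles that case)."""
    gate = best_profile(facility_profiles, "FILEM.CICS.RESOURCE")
    if gate is None or not at_least(access_of(gate, user), "READ"):
        return (False, True)
    resource = f"FILEM.{sysplex}.{applid}.{rtype}"
    if rtype != "ENQ":  # ENQ profiles have no resource_name level
        resource += f".{rname}"
    prof = best_profile(xfacilit_profiles, resource)
    have = access_of(prof, user) if prof else "NONE"
    return (True, at_least(have, REQUIRED[function]))


# Constructed profiles reproducing Cases 3 and 4 above (userids are assumed).
FACILITY = [Profile("FILEM.CICS.RESOURCE", uacc="READ")]
XFACILIT = [
    Profile("FILEM.SYSPLEXA.CICSDEV.**", uacc="UPDATE",
            permits={"SYSPROG": "CONTROL"}),
    Profile("FILEM.SYSPLEXA.CICSDEV.FILE.FM*", uacc="NONE",
            permits={"FMUSER1": "CONTROL"}),
]

if __name__ == "__main__":
    where = ("SYSPLEXA", "CICSDEV")
    for user, fn, rtype, rname in [("SYSPROG", "set", "TS", "MYQ"),
                                   ("USER2", "edit", "TS", "MYQ"),
                                   ("USER2", "browse", "FILE", "FMTEST"),
                                   ("SYSPROG", "set", "FILE", "FMTEST"),
                                   ("FMUSER1", "set", "FILE", "FMTEST")]:
        print(user, fn, rtype, rname,
              fm_cics_decision(user, fn, *where, rtype, rname, FACILITY, XFACILIT))
```

Two outcomes are worth noticing when the model is run: SYSPROG, who holds CONTROL on the generic CICSDEV profile, is still denied SET on file FMTEST because the more specific FM* profile with UACC(NONE) governs it; and replacing the FACILITY profile with one defined UACC(NONE) and no access list makes every decision come back as unchecked, which is the exemption described under "Activating FM/CICS resource checking" rather than a denial.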