Controlling FM/CICS processing
File Manager has the ability to read, modify and change the status of CICS® resources. If the resources are not protected in the CICS® environment then there might be a requirement to control what functions File Manager for CICS® users can perform.
If Security Server, RACF® 1.9 (or later) or an equivalent security product is active, the System Authorization Facility (SAF) with the File Manager enhanced security facility is used for access control and authorization verification. Authorization is controlled by File Manager-specific profiles in the FACILITY and XFACILIT classes as follows.
Activating FM/CICS resource checking
The following facility class profile is used to determine whether File Manager checks access for any given CICS® resource.
FILEM.CICS.RESOURCE
Here is an example of activating FM/CICS resource checking.
RDEF FACILITY FILEM.CICS.RESOURCE AUDIT(NONE) +
UACC(READ) OWNER(TYRONED)
SETROPTS RACLIST(FACILITY) REFRESH
If this profile has been defined and the user has an access of READ or more, then FM/CICS performs resource security checking using the XFACILIT class profiles described below.
Defining access to CICS® resources
Define XFACILIT class profiles in the form:
FILEM.sysplex_name.cics_applid.resource_type.resource_name
where:
- sysplex_name
- The z/OS® sysplex name.
- cics_applid
- The CICS® VTAM® application id for the CICS® region.
- resource_type
- One of these values:
- FILE
- CICS® files
- TD
- CICS® transient data queues
- TS
- CICS® temporary storage queues
- ENQ
- CICS® enqueue resource name
- resource_name
- The CICS® file name, transient data queue name or temporary storage queue name. This level doesn't apply to the resource type ENQ.
File Manager checks the level of access as follows to determine what functions can be performed.
- READ
- This allows read-only functions like browse, print and view to run. The user is not allowed to modify a CICS® resource.
- UPDATE
- This allows update functions like edit, data create, copy to, and the ability to delete TS queues and empty TD queues from the resource list displays.
- CONTROL
- This allows CICS® SET function processing to change the status of a resource and the ability to purge tasks with outstanding enqueues for the XFACILIT class with resource_type ENQ. If the user does not have CONTROL access then the status fields that were modifiable on the resource list panels are protected for resources they are not allowed to modify.
Examples for RACF® definitions
Case 1. Ensure all files on CICSDEV can only be accessed for read
RDEF XFACILIT FILEM.SYSPLEXA.CICSDEV.FILE.** AUDIT(NONE) +
UACC(READ) OWNER(userid)
Case 2. Ensure all CICS® resources on CICSDEV can only be accessed for read
RDEF XFACILIT FILEM.SYSPLEXA.CICSDEV.** AUDIT(NONE) +
UACC(READ) OWNER(userid)
Case 3. Allow update against all CICS® resources on CICSDEV and allow SET processing for the systems programmer userid
RDEF XFACILIT FILEM.SYSPLEXA.CICSDEV.** AUDIT(NONE) +
UACC(UPDATE) OWNER(userid)
PE FILEM.SYSPLEXA.CICSDEV.** +
CLASS(XFACILIT) ID(sysprog) ACC(CONTROL)
Case 4. Allow a specific user full access to FILE names beginning with FM
RDEF XFACILIT FILEM.SYSPLEXA.CICSDEV.FILE.FM* AUDIT(NONE) +
UACC(NONE) OWNER(TYRONED)
PE FILEM.SYSPLEXA.CICSDEV.FILE.FM* +
CLASS(XFACILIT) ID(fmuser1) ACC(CONTROL)
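Added example (not part of the product documentation): a small Python model of the profile selection and access-level rules described above, loaded with the FACILITY gate profile plus the Case 3 and Case 4 definitions, so an administrator can check what a given userid would be allowed to do before the profiles go live. It assumes simplified RACF generic matching (most specific matching profile wins, effective access is the higher of UACC and the user's own permit) and ignores group permits.

```python
"""Model of how FM/CICS resolves a user's RACF access to one CICS resource (added example).
Assumed, simplified RACF semantics: most specific matching profile wins; effective access is
the higher of UACC and the user's explicit permit; group permits are ignored."""
import re

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]
# Functions unlocked at each access level (cumulative), as described on the page.
FUNCTIONS = {"READ": {"browse", "print", "view"},
             "UPDATE": {"edit", "create", "copy", "delete-TS", "empty-TD"},
             "CONTROL": {"SET", "purge-ENQ"}}

# Constructed profiles mirroring the FACILITY gate plus Case 3 and Case 4:
# (class, profile name, UACC, {userid: permitted access}).
PROFILES = [
    ("FACILITY", "FILEM.CICS.RESOURCE", "READ", {}),
    ("XFACILIT", "FILEM.SYSPLEXA.CICSDEV.**", "UPDATE", {"SYSPROG": "CONTROL"}),
    ("XFACILIT", "FILEM.SYSPLEXA.CICSDEV.FILE.FM*", "NONE", {"FMUSER1": "CONTROL"}),
]

def tokens(profile):
    """Yield (specificity rank, regex fragment) per profile character; lower rank = more specific.
    ** = zero or more qualifiers, * = zero or more characters in one qualifier, % = one character."""
    i = 0
    while i < len(profile):
        if profile.startswith("**", i):
            yield 3, r"[^.]*(?:\.[^.]*)*"; i += 2
        elif profile[i] == "*":
            yield 2, r"[^.]*"; i += 1
        elif profile[i] == "%":
            yield 1, r"[^.]"; i += 1
        else:
            yield 0, re.escape(profile[i]); i += 1

def matches(profile, resource):
    return re.fullmatch("".join(frag for _, frag in tokens(profile)), resource) is not None

def effective_access(cls, resource, user):
    """Pick the best matching profile (compared left to right, literal beats generic) and
    combine its UACC with the user's permit."""
    cands = [p for p in PROFILES if p[0] == cls and matches(p[1], resource)]
    if not cands:
        return "NONE"  # assumption: an unprotected resource is treated as no access
    best = min(cands, key=lambda p: [rank for rank, _ in tokens(p[1])])
    return max(best[2], best[3].get(user, "NONE"), key=LEVELS.index)

def allowed_functions(user, sysplex, applid, rtype, rname=None):
    """Return (access level, allowed functions) for one resource, or None when checking is off."""
    if LEVELS.index(effective_access("FACILITY", "FILEM.CICS.RESOURCE", user)) < 1:
        return None  # gate profile missing or user lacks READ: no resource checking is done
    resource = ".".join(q for q in ("FILEM", sysplex, applid, rtype, rname) if q)  # ENQ has no name
    level = effective_access("XFACILIT", resource, user)
    funcs = set().union(*(FUNCTIONS.get(l, set()) for l in LEVELS[1:LEVELS.index(level) + 1]))
    return level, funcs
```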