Defining the FMN3PARM member

If auditing is to be controlled from parmlib (user has read access to FILEM.PARMLIB.CICS, see SAF-controlled auditing for File Manager CICS component), then member FMN3PARM must be defined in SYS1.PARMLIB (or any other library in the logical parmlib concatenation) as follows.

Default parmlib member FMN3PARM is provided in the SFMNSAM1 library. Copy this member to the appropriate system parmlib library. See below for details of methods that can be used to make this change.

Note: The sample FMN3PARM member supplied in SFMNSAM1 also includes a FMSECRTY statement. This option is not used at present, and can be either omitted, or commented out. It has no effect.

There are two methods that can be used to include the FMN3PARM member in a library in the logical parmlib concatenation. The choice of method depends on whether the installation's security software is configured to allow FM/CICS users READ access to the data set SYS1.PARMLIB.

Method 1 can only be used when FM/CICS users have read access to SYS1.PARMLIB.

Method 2 can be used regardless of whether FM/CICS users have READ access to SYS1.PARMLIB or not, and must be used when FM/CICS users do not have READ access to SYS1.PARMLIB.

Method 1
Place the FMN3PARM member in any library in the current logical parmlib concatenation. No IPL or other action is required to activate the new member unless a new library was added to the logical parmlib concatenation.
Notes:
  1. Method 1 cannot be used in any situation where FM/CICS users do not have READ access to SYS1.PARMLIB. For example, when FM/CICS users have READ access to another library in the logical parmlib concatenation, and the FMN3PARM member is placed in the latter library. This will not work. The key issue is whether the FM/CICS user has READ access to SYS1.PARMLIB.
  2. Using this method results in message IEE252I being written to the system log whenever a FM/CICS user accesses SYS1.PARMLIB. These messages cannot be suppressed. To avoid these messages use Method 2.
Method 2
This method must be used when FM/CICS users do not have READ access to SYS1.PARMLIB, or when suppression of the IEE252I messages is required.
  1. Create a new library with dataset attributes similar to SYS1.PARMLIB.
    The library name for this data set must include the string "FMNPARM" in one of the qualifiers. You can choose any data set name that meets this requirement. Examples of suitable data set names are:
    • SYS1.PARMLIB.FMNPARM
    • SYS8.FMNPARM.PARMLIB
    • FMNPARM.SYS8.PARMLIB
    • SYS2.FMNPARMS.LIB
    • SYS8.XFMNPARM.PARMLIB
  2. Add member FMN3PARM to the new library, specifying the appropriate FMAUDIT parameter.
  3. Add the new library to the logical parmlib concatenation. This can be done dynamically, or by means of a system IPL.
Note: When Method 2 is used, the FMN3PARM member must be located in the library created in step 1. If the FMN3PARM member specifies any include statements (see Facilities for customizing the FMN3PARM definitions), all of the included members must also reside in the same library.
You use the FMN3PARM member to define:
  • Whether FM/CICS uses SAF to control FM/CICS audit logging.
  • The SAF resource name prefix to be used by FM/CICS when determining access to various resources.
  • Whether FM/CICS loads the FMN3POPT module from a specific library.

For more information, see FM/CICS options specified in FMN3PARM.