Here is the format of the security key that the CICS® Configuration Manager server creates to check a user's authority to perform an API command:
(1) >>-prefix--.--+-LIS.-+-object_type-----+-.location_type.-+-location_name-+-------------------+->< | '-ALL-------------' +-ALL-----------+ | | '-NONE----------' | +-+-ADD-----------------------------+-.object_type.location_type.location_name-+ | +-Start of changeALTEnd of change-+ | | | (2) | | | +-CPY-----------------------------+ | | +-DIO-----------------------------+ | | +-INO-----------------------------+ | | +-NEO-----------------------------+ | | | (3) | | | +-REC-----------------------------+ | | +-REM-----------------------------+ | | '-REN-----------------------------' | +-+-CRE-+-.object_type.location_type.-+-location_name-+------------------------+ | +-DEL-+ '-NONE----------' | | +-INQ-+ | | '-UPD-' | +-+-APP-+-.migration_scheme.approval_profile.approver_role---------------------+ | '-DIS-' | +-+-REA-+-.migration_scheme----------------------------------------------------+ | +-UNR-+ | | +-MIG-+ | | +-BAC-+ | | +-INS-+ | | '-NEW-' | +-IMP.target_CICS_configuration------------------------------------------------+ '-DEP.-+-COLLECT.CCONFIG.CICS_configuration-+----------------------------------' '-REPORT.NONE.NONE-------------------'
For descriptions of the fields in this key, see API parameters.
To limit the security key length, API command names are abbreviated to three letters:
The server calls the external security manager (such as RACF®) to check whether this key matches a general resource profile for which the user has READ access authority. If it does, the server performs the command.
As a starting point, consider temporarily defining
a general resource profile such as this:
CCVAPI.**
(where CCVAPI is the prefix that you have chosen for the security keys)
with a universal access authority (UACC) of READ. This
enables you to activate security checking in CICS Configuration Manager and then continue
to work as before, while you define more specific general resource
profiles.
For examples of general resource profiles, and the
JCL to define those profiles in a RACF environment, see member CCVXSAF2
of the sample library SCCVSAMP.
Restricting access to the ISPF dialog:
To start the CICS Configuration Manager ISPF dialog, users must be able to perform a List command for the SvrInfo repository object; for details, see SvrInfo (server information). You can use this requirement to restrict access to the ISPF dialog.