The CICS® system
programmer and the DB2® administrator
must decide how to control access to the CICS IA plan and the CIU tables.
About this task
CICS IA uses both
static and dynamic SQL, you need more than just a GRANT EXECUTE ON
PLAN CICSIA TO PUBLIC command. You must also allow dynamic SQL requests
to access the tables. You have two options:
- Option 1
- Specify the DYNAMICRULES(BIND) option on the BIND PLAN
command in CIUDBNB and CIUDBNT. This option is
recommended for these reasons:
- The way in which security works is the same for both dynamic and
static SQL.
- If you grant permissions by issuing one or more GRANT
EXECUTE ON PLAN CICSIA TO _xxxx_ commands, all security checks
are done at the plan level; this option is simple to administer and
offers good performance.
- If, as is typically the case, the _xxxx_ in the
GRANT EXECUTE command specifies a RACF group rather than a single
RACF user ID, to add new users you just connect the users to the RACF
group.
The sample installation jobs CIUDBNB and
CIUDBNT use the DYNAMICRULES(BIND) option and then issue GRANT EXECUTE
commands for the appropriate plans. These commands are issued against
a RACF group.
To use this option:
- Select your RACF group.
- Change _racfgrp_ to your chosen RACF
group.
- Ensure that all CIU users are connected to your chosen RACF group,
with RACF “list of groups” active in the system.
- Enable secondary authorization in DB2.
See the DB2 install job DSNTIJEX.
Note: - Review DSNTIJEX job with your DB2 administrator.
- For a full understanding of the implications of DYNAMICRULES(BIND),
see the description of the BIND COMMAND in the DB2 Commands manual.
- See also the section on DB2 security
in the CICS RACF Security
Guide.
- Review this job with your DB2 administrator.
- Option 2
- Grant all CIU users access to the tables explicitly. This option
is not recommended because you have to do this every time you give
access to a new user.
To use this option:
- In the sample jobs CIUDBNB and CIUDBNT,
on the BIND PLAN command change the DYNAMICRULES option from DYNAMICRULES(BIND)
to DYNAMICRULES(RUN).
- In hlq.SCIUSQL.OUT(CIUGRNTC), change
the sample GRANT commands to GRANT EXECUTE on the CICSIA plan and
GRANT SELECT, GRANT UPDATE, GRANT INSERT, GRANT DELETE, and any other
GRANT commands, on the CIU tables.
- If the GRANT permissions are made to a RACF group, note these
requirements:
- Ensure that all CIU users are connected to that RACF group.
- Enable secondary authorization in DB2.
See the DB2 install job DSNTIJEX
for more information if required.
The
Query interface uses
dynamic SQL to access the CIU_CICS_DATA, CIU_DB2_DATA, CIU_MQ_DATA,
and CIU_IMS_DATA tables. For guidance on using dynamic SQL with CICS, refer to the
CICS DB2 Guide for
your CICS release.
The
delivered SQL is constructed and sized for a default application.
You must tailor the sizings for PRIQTY and SECQTY in the index creation
batch job to suit your requirements. If you create a new query you
must carry out an evaluation to ensure that the existing indexing
supports the query. If the existing indexing does not support the
query, you must construct additional indexes. Contact your Database
administrator if you require assistance.