Authorizing access to MVS log streams

Ensure that you authorize the CICS® region userid to write to (and create if necessary) the log streams that are used for its system log and general logs. You do this by granting the appropriate access authorization to log stream profiles in the LOGSTRM general resource class.

The level of authorization required depends on whether log streams are always explicitly defined to the MVS™ system logger:
For example, the generic profile in the following example could be defined to cover all the log streams referenced by the CICS region and identified by its region userid and applid:
RDEFINE LOGSTRM region_userid.** UACC(NONE)
If, however, you have multiple CICS systems sharing the same region userid, but with differing security requirements, include the applid in the generic profile, as follows:
RDEFINE LOGSTRM region_userid.applid.* UACC(NONE)
The following example allows the CICS region userid under which CICS is running to write journal and log records to log streams in the named coupling facility structure:
PERMIT IXLSTR.structurename CLASS(FACILITY) ACCESS(UPDATE)
       ID(region_userid)
The following examples give access to three categories of user:
PERMIT region_userid.applid.* CLASS(LOGSTRM) ACCESS(ALTER)
       ID(region_userid)
PERMIT region_userid.applid.* CLASS(LOGSTRM) ACCESS(READ)
       ID(authorized_browsers)
PERMIT region_userid.applid.* CLASS(LOGSTRM) ACCESS(UPDATE)
       ID(archive_userid)

In these examples, region_userid is the CICS region userid under which CICS is running, either as a started task or batch job. The identifier archive_userid is the userid under which an application program runs to purge old data from CICS logs when the data is no longer needed. The identifier authorized_browsers refers to the userids of users allowed to read log streams, but not purge data.

If several CICS regions share the same CICS region userid, you can make profiles more generic by specifying * for the applid qualifier.

The number of profiles you define depends on the naming conventions of the logs, and to what extent you can use generic profiling.