To determine who requires access to the CICSPlex® SM resources,
answer the questions and complete the matrix. You can then use the
results to create the PERMIT statements that are required in RACF
to control access to the resources.
You can control access to CICSPlex SM resources in two ways:
- By restricting access to the objects managed via CICSPlex SM views.
This does not affect access to the views themselves but it prevents
them from displaying any data.
- By restricting access to Web User Interface view sets, menus and
the View Editor. This does not affect access to the objects being
managed but prevents access to the view sets, menus and View Editor
themselves.
- Answer the following questions to determine who requires access to
  the CICSPlex SM resources:
  - What groups of users will use CICSPlex SM?
    Your enterprise probably already has several user groups defined
    to RACF®. The groups that typically require access to CICSPlex SM
    include systems programming, operations, the help desk, applications
    programming, and performance monitoring. These groups are used as
    column headings in the security matrix. You can supply their
    corresponding RACF group IDs. (If necessary, you can ignore,
    replace, or add groups to the matrix as appropriate for your
    enterprise.)
  - Which CICSPlex SM views will each group need to use?
    CICSPlex SM manages CICS® resources via views. Views are grouped by
    functionality: configuration, topology, workload management,
    real-time analysis, operations, monitoring, business application
    services, and CICSplex management. Not all view groups are
    appropriate for all users. Certain groups of users will need to use
    only a subset of views. For example, the systems programming group
    might need to work with all views, while the help desk group might
    only need to use one or two. The view groups are listed vertically
    on the left side of the matrix, along with the high-level qualifier
    of their CICSPlex SM resource names.
  - What type of access does each RACF group need?
    After deciding who needs to use what, stop universal access to all
    of the objects managed by all of the views. You can then
    selectively permit read, update, or alter access to specific view
    groups. To complete the matrix, specify READ, UPDATE, or ALTER
    access for each RACF group that needs access to a group of views:
    - Specify READ access to allow a user to inquire on a resource.
    - Specify UPDATE access to allow a user to change a value, using
      the SET or UPDATE command, or perform an action. The user can
      also create or remove a definition, such as a BAS resource object.
    - Specify ALTER access to allow a user to discard an installed
      resource from CICS and to install a BAS resource object.
  - Which CICSPlex SM Web User Interface view sets and menus will each
    group need access to?
    Web User Interface view sets and menus are usually user-defined but,
    like CICSPlex SM views, are most likely grouped by functionality.
    Not all view sets and menus are appropriate for all users. Certain
    groups of users require access to only a subset of views. For
    example, the systems programming group might require access to all
    views and to the View Editor, while the help desk group might not
    need to use the View Editor or those views that manage the
    definition of CICSPlex SM resources.
- Fill out the security matrix when you have answered the questions:
Table 1. Security matrix

| CICSPlex SM view group ↓ / RACF group → | System Programming ID( ) | Operations ID( ) | Help Desk ID( ) | Application Programming ID( ) | Performance ID( ) |
|---|---|---|---|---|---|
| Configuration (CONFIG) | | | | | |
| Topology (TOPOLOGY) | | | | | |
| Workload Management (WORKLOAD) | | | | | |
| Real-Time Analysis (ANALYSIS) | | | | | |
| Operations (OPERATE) | | | | | |
| Monitor (MONITOR) | | | | | |
| Business Application Services (BAS) | | | | | |
| PlexManager (BBM.PLEXMGR) | | | | | |
Table 2 is a sample of a completed security matrix for a production CICSplex:

Table 2. Sample security matrix

| CICSPlex SM view group ↓ / RACF group → | System Programming ID(SYSPGRP) | Operations ID(OPSGRP) | Help Desk ID(HELPGRP) | Application Programming ID(APPLGRP) | Performance ID(PERFGRP) |
|---|---|---|---|---|---|
| Configuration (CONFIG) | UPDATE | | | | |
| Topology (TOPOLOGY) | UPDATE | UPDATE | READ | | |
| Workload Management (WORKLOAD) | UPDATE | | | READ | |
| Real-Time Analysis (ANALYSIS) | UPDATE | UPDATE | READ | | READ |
| Operations (OPERATE) | ALTER | UPDATE | READ | READ | READ |
| Monitor (MONITOR) | UPDATE | READ | | | READ |
| Business Application Services (BAS) | ALTER | ALTER | | UPDATE | |
| PlexManager (BBM.PLEXMGR) | UPDATE | | | | |
- Ensure that the CPSMOBJ class is active and that generic
profiles can be defined:
SETROPTS CLASSACT(CPSMOBJ)
SETROPTS GENERIC(CPSMOBJ)
SETROPTS GENCMD(CPSMOBJ)
- Create a RACF profile to protect all of the views and action
commands for all CICSPlex SM functions:
RDEF CPSMOBJ ** UACC(NONE) OWNER(admin_group) NOTIFY(admin_user)
CPSMOBJ is the CICSPlex SM member class. The double asterisks
indicate that all of the CICSPlex SM views are included in this RDEF
statement.
- Using the information in the sample matrix, you can permit
access to the specific view groups. For example, the
system programming group requires update access to all of the view
groups and ALTER access to the BAS views. You can define this with
just three PERMIT statements:
PERMIT ** CLASS(CPSMOBJ) ID(SYSPGRP) ACCESS(UPDATE)
PERMIT BBM.PLEXMGR.** CLASS(FACILITY) ID(SYSPGRP) ACCESS(UPDATE)
PERMIT BAS.** CLASS(CPSMOBJ) ID(SYSPGRP) ACCESS(ALTER)
The double asterisks indicate that all of the CICSPlex SM views
are affected by this PERMIT statement. The following PERMIT statements
grant the appropriate access to all of the topology views for the
operations and help desk groups:
PERMIT TOPOLOGY.** CLASS(CPSMOBJ) ID(OPSGRP) ACCESS(UPDATE)
PERMIT TOPOLOGY.** CLASS(CPSMOBJ) ID(HELPGRP) ACCESS(READ)
For the workload management views:
PERMIT WORKLOAD.** CLASS(CPSMOBJ) ID(APPLGRP) ACCESS(READ)
For the real-time analysis views:
PERMIT ANALYSIS.** CLASS(CPSMOBJ) ID(OPSGRP) ACCESS(UPDATE)
PERMIT ANALYSIS.** CLASS(CPSMOBJ) ID(HELPGRP) ACCESS(READ)
PERMIT ANALYSIS.** CLASS(CPSMOBJ) ID(PERFGRP) ACCESS(READ)
For the operations views:
PERMIT OPERATE.** CLASS(CPSMOBJ) ID(OPSGRP) ACCESS(UPDATE)
PERMIT OPERATE.** CLASS(CPSMOBJ) ID(HELPGRP) ACCESS(READ)
PERMIT OPERATE.** CLASS(CPSMOBJ) ID(APPLGRP) ACCESS(READ)
PERMIT OPERATE.** CLASS(CPSMOBJ) ID(PERFGRP) ACCESS(READ)
For the monitor views:
PERMIT MONITOR.** CLASS(CPSMOBJ) ID(APPLGRP) ACCESS(READ)
PERMIT MONITOR.** CLASS(CPSMOBJ) ID(PERFGRP) ACCESS(READ)
For the business application services views:
PERMIT BAS.** CLASS(CPSMOBJ) ID(OPSGRP) ACCESS(ALTER)
PERMIT BAS.** CLASS(CPSMOBJ) ID(APPLGRP) ACCESS(UPDATE)
For simplicity, these PERMIT statements grant access to broad
groups of views by using the double asterisks in the resource names.
However, if required, you can use more specific resource names in
your PERMIT statements. See
Specifying CICSPlex SM resource names in profiles for
details.
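As an added example (not from this page or from IBM), the following Python script turns the matrix from Table 2 into RDEF and PERMIT statements of the form shown above and then checks the resulting access with a simplified model of RACF generic-profile matching, in which the most specific matching profile decides and NONE < READ < UPDATE < ALTER. It assumes one `qualifier.**` profile per view group (the page's own example defines only the `**` profile and says further profiles are created as required), and the resource names used in the checks are constructed.

```python
# Generate RACF RDEF/PERMIT statements from a CICSPlex SM security matrix and
# check the result with a simplified model of RACF generic-profile matching.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALTER": 3}

def profile_for(qualifier):
    """Class and generic profile for a view-group qualifier, following the
    page's PERMIT examples (PlexManager resources are in the FACILITY class)."""
    cls = "FACILITY" if qualifier == "BBM.PLEXMGR" else "CPSMOBJ"
    return cls, qualifier + ".**"

# Constructed matrix transcribed from Table 2: qualifier -> {RACF group: access}.
MATRIX = {
    "CONFIG": {"SYSPGRP": "UPDATE"},
    "TOPOLOGY": {"SYSPGRP": "UPDATE", "OPSGRP": "UPDATE", "HELPGRP": "READ"},
    "WORKLOAD": {"SYSPGRP": "UPDATE", "APPLGRP": "READ"},
    "ANALYSIS": {"SYSPGRP": "UPDATE", "OPSGRP": "UPDATE", "HELPGRP": "READ",
                 "PERFGRP": "READ"},
    "OPERATE": {"SYSPGRP": "ALTER", "OPSGRP": "UPDATE", "HELPGRP": "READ",
                "APPLGRP": "READ", "PERFGRP": "READ"},
    "MONITOR": {"SYSPGRP": "UPDATE", "OPSGRP": "READ", "PERFGRP": "READ"},
    "BAS": {"SYSPGRP": "ALTER", "OPSGRP": "ALTER", "APPLGRP": "UPDATE"},
    "BBM.PLEXMGR": {"SYSPGRP": "UPDATE"},
}

def generate_statements(matrix):
    """Catch-all CPSMOBJ ** profile with UACC(NONE) as on the page, then one
    RDEF per view-group profile (assumed) and one PERMIT per non-empty cell."""
    stmts = ["RDEF CPSMOBJ ** UACC(NONE)"]
    for qualifier, cells in matrix.items():
        cls, profile = profile_for(qualifier)
        stmts.append(f"RDEF {cls} {profile} UACC(NONE)")
        for group, access in cells.items():
            stmts.append(f"PERMIT {profile} CLASS({cls}) ID({group}) ACCESS({access})")
    return stmts

def effective_access(matrix, cls, resource, group):
    """Simplified RACF rule: the most specific matching profile (longest literal
    prefix before '**') decides; a group absent from its access list gets NONE."""
    best_prefix, best_cells = ("", {}) if cls == "CPSMOBJ" else (None, {})  # ** catch-all
    for qualifier, cells in matrix.items():
        pcls, profile = profile_for(qualifier)
        prefix = profile[:-2]                  # 'TOPOLOGY.' from 'TOPOLOGY.**'
        if pcls == cls and resource.startswith(prefix) and (
                best_prefix is None or len(prefix) > len(best_prefix)):
            best_prefix, best_cells = prefix, cells
    return best_cells.get(group, "NONE")

def access_allowed(matrix, cls, resource, group, requested):
    """True when the group's effective access meets the requested level."""
    return ACCESS_RANK[effective_access(matrix, cls, resource, group)] >= ACCESS_RANK[requested]
```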
Using your own completed security matrix and the information
in the remainder of this section, you can create as many profiles
as required for your enterprise. Example tasks: security provides
detailed profile examples.