As CICS® security administrator, you perform the following tasks (if you
do not have the system-SPECIAL attribute, obtain the necessary authority):
- Define and maintain profiles in CICS-related general
resource classes. In general, you grant authority to do this by assigning
a user the CLAUTH (class authority) attribute in the specified classes. For
example, the RACF® security administrator could issue the following command:
ALTUSER your_userid CLAUTH(TCICSTRN)
This command also gives class authority for all classes that have the same POSIT number as TCICSTRN. The POSIT number is an operand of
the ICHERCDE macro of the class descriptor table (CDT). For more information, see Activating the CICS classes.
- Define and maintain profiles in other resource classes. Many of the general resource classes mentioned in this book (such as
APPL, APPCLU, FACILITY, OPERCMDS, SURROGAT, TERMINAL, and VTAMAPPL) affect
the operation of products other than CICS. If you are not the RACF security
administrator, you may need to ask that person to define profiles at your
request.
- Add RACF user profiles to the system. In general, you grant this authority
by assigning the CLAUTH (class authority) attribute for “USER” in
the user's profile. For example, the RACF security administrator could
issue the following command:
ALTUSER your_userid CLAUTH(USER)
Whenever you add a user to the system, assign that user a default connect
group. This changes the membership of the group (by adding the user as a member
of the group). Therefore, if you have JOIN group authority in a group, the
group-SPECIAL attribute in a group, or are OWNER of a group, CLAUTH(USER)
lets you add users to the system and connect them to groups that are within
the scope of the group.
- List RACF system-wide settings and work with all profiles
related to CICS. You grant authority to do this by setting up a RACF
group, ensuring that certain CICS-related RACF profiles are in the scope of
that group, and connecting a user to the group with the group-SPECIAL attribute.
For example, the RACF security administrator could issue the following command:
CONNECT your_userid GROUP(applicable-RACF_groupid) SPECIAL
With the SETROPTS GENERICOWNER command in effect and with prefixing active,
you can assign an administrator for each prefix. You do this by creating a generic profile
in each class, using the prefix as the high-level qualifier and naming the administrator as OWNER. For example:
RDEFINE TCICSTRN cics_region_id.** UACC(NONE) OWNER(cics_region_administrator_userid)
The SETROPTS GENERIC command must be used before defining generic profiles,
as described in Summary of RACF commands.
For more information on delegating RACF administration, see the z/OS Security Server RACF Security Administrator's Guide.
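
The following added example (not part of the original page and not RACF code) is a simplified Python model of the delegation described above: with GENERICOWNER in effect, a user with CLAUTH can define a profile under an existing prefix.** profile only if that user owns it. Assumptions: only profiles ending in .** are modelled, owners are userids rather than groups, group-SPECIAL is ignored, and the region prefixes and userids (CICSA, ADMINA, and so on) are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    name: str   # profile name, e.g. "CICSA.**"
    owner: str  # userid named in OWNER()

def covering_profile(profiles, new_name):
    """Most specific existing 'prefix.**' profile that covers new_name, or None."""
    best = None
    for p in profiles:
        if not p.name.endswith(".**") or p.name == new_name:
            continue
        if new_name.startswith(p.name[:-2]):  # "CICSA.**" -> "CICSA."
            if best is None or len(p.name) > len(best.name):
                best = p
    return best

def may_define(user, has_clauth, system_special, profiles, new_name):
    """Simplified GENERICOWNER decision for defining new_name in one class."""
    if system_special:
        return True           # system-SPECIAL is not restricted
    if not has_clauth:
        return False          # CLAUTH in the class is still required
    cover = covering_profile(profiles, new_name)
    # No covering profile means GENERICOWNER has nothing to enforce.
    return cover is None or cover.owner == user

def prefixes_without_top_profile(profiles, prefixes):
    """Region prefixes that have no 'prefix.**' profile to anchor ownership."""
    names = {p.name for p in profiles}
    return [x for x in prefixes if f"{x}.**" not in names]

# Constructed sample: two regions delegated, a third (CICSC) not yet set up.
TCICSTRN = [Profile("CICSA.**", "ADMINA"), Profile("CICSB.**", "ADMINB")]

if __name__ == "__main__":
    for name in ("CICSA.PAY*", "CICSB.PAY*", "CICSC.TRN1"):
        print(name, may_define("ADMINA", True, False, TCICSTRN, name))
    print(prefixes_without_top_profile(TCICSTRN, ["CICSA", "CICSB", "CICSC"]))
```

In this model ADMINA can define profiles under CICSA but not under CICSB, and CICSC is open to any CLAUTH holder until its own cics_region_id.** profile is defined with an owner.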