CICSPlex® SM uses a SAF-compliant external security manager, such as RACF®:
In both cases, security checking is handled by the CMASs managing the CICS systems that are the target of any request to access a resource. For example, if a CICSplex is managed by two CMASs, and a request is made to access a resource in all CICS systems belonging to that CICSplex, the security check is performed in both CMASs.
To activate security checking, you must modify the JCL used to start the CMAS or its managed CICS systems. If security checking is switched off for the CICS system, no checking occurs, regardless of the CMAS setting. However, if security checking is switched off for the CMAS but switched on for the CICS system, the CICS system is not able to connect to the CMAS.
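The two rules just stated (checking is done in every CMAS that manages a target system, and the CMAS/CICS-system on/off combinations) are easy to get wrong when planning a multi-CMAS plex. The following added example, which is not IBM code or part of this documentation, models those rules in Python so a planned set of settings can be audited before the JCL is changed; the names and the sample plex are constructed.

```python
from dataclasses import dataclass

@dataclass
class Cmas:
    name: str
    security_on: bool   # security checking switched on in the CMAS start-up JCL

@dataclass
class ManagedSystem:
    name: str
    security_on: bool  # security checking switched on in the CICS system's JCL
    cmas: str          # name of the CMAS that manages this system

@dataclass
class Cicsplex:
    name: str
    cmass: dict        # CMAS name -> Cmas
    systems: list      # ManagedSystem objects

def audit_system(plex, sysname):
    """Return (checked, connects, finding) for one managed CICS system."""
    mas = next(s for s in plex.systems if s.name == sysname)
    cmas = plex.cmass[mas.cmas]
    if not mas.security_on:
        # Checking off in the CICS system: no checking, whatever the CMAS setting.
        return (False, True, "unprotected: checking off in the CICS system")
    if not cmas.security_on:
        # CMAS off but CICS system on: the system cannot connect to its CMAS.
        return (False, False, f"cannot connect: CMAS {cmas.name} has checking off")
    return (True, True, "ok")

def checking_cmass(plex, targets):
    """Every CMAS managing a target system performs the check, so a request
    that spans systems under several CMASs is checked in each of them."""
    return sorted({s.cmas for s in plex.systems if s.name in targets})

def audit(plex):
    return {s.name: audit_system(plex, s.name) for s in plex.systems}

# Constructed sample: two CMASs, three systems, one misconfigured each way.
PLEX = Cicsplex("PLEX1",
    {"CMAS1": Cmas("CMAS1", True), "CMAS2": Cmas("CMAS2", False)},
    [ManagedSystem("CICSA", True, "CMAS1"),
     ManagedSystem("CICSB", False, "CMAS1"),
     ManagedSystem("CICSC", True, "CMAS2")])

if __name__ == "__main__":
    for name, (checked, connects, note) in audit(PLEX).items():
        print(f"{name}: checked={checked} connects={connects} ({note})")
```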
You should begin by deciding how much security checking you need. In particular, identify those users who need access to CICSPlex SM, and ensure that an individual user has the same user ID across all systems on which a CMAS is installed. The user ID against which the security check is performed is the signed-on TSO user ID. Consider also the type of security checking you want to implement.
To prevent unauthorized access, you create security profiles for combinations of CICSPlex SM functions and the CICS resources that are to be protected. A table of valid combinations is provided in the CICS RACF Security Guide.
In most cases, the security provided by these CICSPlex SM security profiles is adequate.
An external security manager is also used to protect CICSPlex SM’s own libraries, procedures and Web User Interface resources. Full details of how to protect CICSPlex SM’s libraries and procedures are provided in the CICS RACF Security Guide. To protect Web User Interface views, menus, help information and the View Editor, you need to create an appropriate profile in the FACILITY class. See the CICSPlex System Manager Web User Interface Guide for more information.
Take special care to protect the BAS views, so that unauthorized users cannot create and administer resources. In RDO terms, the equivalent is leaving your CSD unprotected.
You should also take care if you are using the EXEC CICS CREATE command to build new resources. Any definition created with the CICSplex as the context is automatically distributed to all CMASs in the CICSplex. Therefore, giving a user authority to create BAS objects is equivalent to giving authority to install resources on any CICS system in the CICSplex. When the CICS system starts, there is no check on who installed the resource in the system.
CICS command and resource checking is simulated by CICSPlex SM in the CMASs to which a request is directed. This allows you to protect CICS systems that do not support your external security manager. It also allows for a level of consolidation of your security checking. Determine where CICS resource and command checking is in effect, and decide whether it needs to be retained along with CICSPlex SM’s other security checking.