Security Considerations

User authentication and authorization to browse and manipulate individual host resources is controlled by an existing external security manager (ESM), such as RACF®.

CICS® Transaction Server for z/OS® Installation Guide provides more information about the security accesses required by the various user IDs.

Running your Web User Interface server with security active

If the Web User Interface server is running with the CICS system initialization parameter SEC=YES, you can control who can access the Web User Interface, what resources they can see, what actions they can perform, and the use of the View Editor. If you have already set up CICSPlex® SM security for use with the TSO EUI and CICSPlex SM API, users have the same level of access via the Web User Interface as through the EUI and API.

When you attempt to connect to a Web User Interface server, the CICSPlex SM Web User Interface Signon Panel is displayed. The user ID and password entered in this panel are passed to the Web User Interface server, in plain text over the TCP/IP connection unless you are using SSL support, and then verified by the external security manager. If the external security manager supports mixed case passwords, and this is active, an icon will appear next to the password field when you sign on.

All users who are successfully signed on to the Web User Interface have access to all of the customizable view and menu help pages, if the customizable view and menu help is served by the Web User Interface.

To control who is allowed to sign onto the Web User Interface server, you can protect the Web User Interface CICS applid via RACF APPL checking. See CICS RACF Security Guide for details.

Access to managed resources uses standard CICSPlex SM security using profiles in the CPSMOBJ class (see the CICS RACF Security Guide). For example, to see a CICS region view, the Web User Interface user needs READ authority via the CPSMOBJ class profile OPERATE.REGION.context.scope.

Access to CICS resources and actions upon resources within a view uses CICSPlex SM's simulated CICS security checking (see the CICS RACF Security Guide) which uses the normal CICS RACF resource and command security profiles. For example, to issue the shutdown action against a CICS region, the Web User Interface user would need UPDATE authority to the SHUTDOWN command in the CCICSCMD class, if command security is active in the target CICS region.

Controlling access to Web User Interface resources

You can use your external security manager to control user access to views, menus, help information and the View Editor. The navigation frame is exempt from security checks. In order to control user access you need to create the appropriate profiles in the FACILITY class. The following ESM FACILITY profiles are available:

EYUWUI.wui_server_applid.VIEW.viewsetname
-- used to protect view sets.
EYUWUI.wui_server_applid.MENU.menuname
-- used to protect menus
EYUWUI.wui_server_applid.HELP.helpmembername
-- used to protect help pages.
EYUWUI.wui_server_applid.EDITOR.
-- used to protect the View Editor..

where wui_server_applid is the CICS APPLID of the server.

Users can be given read or update access to views and menus:

If the ESM that you are using, neither grants nor refuses access to a profile (for example, if no RACF profile is defined), all users who are successfully signed on to the Web User Interface have access to the resources. You can make not authorized the default by setting up a generic profile.

Note:
This security is designed to protect the views and menus themselves and not the objects they manage, which is covered by normal CICSPlex SM security.

When selecting a view set or menu to edit or delete within the view editor, only items for which you have update access are listed. However, when selecting a view-set to copy, all items for which you have read access are shown. This allows you to copy any object for which you have read only access to a private copy in your updateable name space.

When browsing for views that are accessible, no security exceptions are logged. Users are presented with a list that has been filtered to remove the views that are not accessible. However, when a user attempts an unauthorized action; for example creating a view in a denied name space, the EYULOG security exception message EYUVS1100E is issued.

Examples

The following examples use the RACF TSO command syntax and assume that the default CICS RACF classes and no security prefixing is in use. This is not the only way that suitable profiles can be defined. These examples can be adapted to suit the installations requirements and standards.

In the examples, lower case strings should be replaced with the appropriate use ID or resource.

Running your Web User Interface server with security not active

If the Web User Interface server is running with the CICS system initialization parameter SEC=NO, users of the Web User Interface must provide a user ID which is used to identify 'sessions' in the COVC transaction, but are not required to provide a password. The user ID does not need to be defined to the ESM. Access checking of access to views, and CICS resources are based on the DFLTUSER for the Web User Interface server CICS region. All Web User Interface users have access to the View Editor and all menus, view sets and help members.

[[ Contents Previous Page | Next Page Index ]]