Resource access security checking by DBCTL

DBCTL views all the resources that can be accessed by one particular CICS® system or BMP as a single entity. Resources in this context mean one or more PSBs. The set of PSBs that one CICS or BMP can access are grouped together in an entity called an application group. Each application group has a name, its AGN, and the AGNs are defined in matrix data sets.

Application groups, and the names of the resources within those groups, are placed in tables in DBCTL’s security matrix data set(s) using the IMS™ security maintenance utility. You can use the IMS online change facility to bring new security tables online.

The AGN that CICS intends to use is specified in the DRA startup table referenced by CICS when it attempts to connect to DBCTL. You can assign the same AGN to different CICS systems, if you need to.

DBCTL resource access security checking provides the following:

Relationships between AGNs, PSBs, and DBCTL ID in security checking

Figure 34 summarizes the relationships between AGNs, PSBs, and the DBCTL ID in security checking.

Figure 34. Relationships between AGNs, PSBs and DBCTL ID in security checking
In this example, two CICS systems, CICS A and CICS B, and a BMP, can access various PSBs. CICS A can access PSB1 and PSB2, and CICS B can access PSB2 and PSB3. The BMP can access PSB4. The PSBs that can be accessed by each CICS system and by the BMP are grouped together in application groups, each with a name, the AGN. The application group names are in the AGN= parameter in the DRA startup table (for CICS), or the JOB EXEC parameters for the BMP. The AGN for the resources that CICS A can access is AGN01; for CICS B it is AGN02; and for the BMP it is AGN03. Therefore AGN01 contains PSB1 and PSB2; AGN02 contains PSB2 and PSB3; and AGN03 contains PSB4. When the CICS systems or the BMP try to connect to DBCTL, they supply DBCTL with the AGN that they use. So CICS A uses the name AGN01 when it tries to connect to DBCTL. At connect time, either RACF with DBCTL, or the user exit routine DFSISIS, checks that the userid making the request is authorized to access that AGN. This is the first level of resource access security provided by DBCTL. The second level of resource access security happens at PSB schedule time. DBCTL checks that the PSB that has been requested does actually belong to the AGN that was specified during the connect request. So if the AGN was AGN01, PSB1 and PSB2, the members of that application group, will be allowed; if it was AGN02, PSB2 and PSB3 will be allowed; and if it was AGN03, PSB4 will be allowed.
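The two-level check described above, modelled in Python as an added example (this is not IBM code and is not part of the original page). The application groups and their PSBs are the figure's own (AGN01, AGN02, AGN03); the userids CICSA, CICSB and BMPJOB and the userid-to-AGN authorization table are constructed stand-ins for the RACF profile check or the DFSISIS exit decision that DBCTL makes at connect time.

```python
"""Model of DBCTL's two-level resource access security check.

Added illustration, not IBM code. Level 1 (connect time) checks that the
userid may use the requested AGN; level 2 (PSB schedule time) checks that
the requested PSB is a member of the AGN supplied at connect time.
"""
from dataclasses import dataclass

# Security matrix: application group name -> PSBs it contains.
# Contents taken from the figure's example; in DBCTL this lives in the
# security matrix data set built by the IMS security maintenance utility.
SECURITY_MATRIX = {
    "AGN01": {"PSB1", "PSB2"},
    "AGN02": {"PSB2", "PSB3"},
    "AGN03": {"PSB4"},
}

# Constructed sample authorization table: which userid may use which AGN.
# Stands in for the RACF check (or the DFSISIS exit) performed at connect time.
AGN_AUTHORIZATION = {
    "CICSA": {"AGN01"},
    "CICSB": {"AGN02"},
    "BMPJOB": {"AGN03"},
}


class AccessDenied(Exception):
    """Raised when either security level rejects the request."""


@dataclass(frozen=True)
class Connection:
    """A successful DBCTL connection remembers the AGN it was made with."""
    userid: str
    agn: str


def connect(userid: str, agn: str) -> Connection:
    """Level 1: connect-time check that the userid is authorized for the AGN."""
    if agn not in SECURITY_MATRIX:
        raise AccessDenied(f"{agn} is not defined in the security matrix")
    if agn not in AGN_AUTHORIZATION.get(userid, set()):
        raise AccessDenied(f"userid {userid} is not authorized for {agn}")
    return Connection(userid, agn)


def schedule_psb(conn: Connection, psb: str) -> bool:
    """Level 2: schedule-time check that the PSB belongs to the connection's AGN."""
    if psb not in SECURITY_MATRIX[conn.agn]:
        raise AccessDenied(f"{psb} is not a member of {conn.agn}")
    return True


def can_schedule(userid: str, agn: str, psb: str) -> bool:
    """Run both levels in order and report the outcome as a boolean."""
    try:
        return schedule_psb(connect(userid, agn), psb)
    except AccessDenied:
        return False


if __name__ == "__main__":
    checks = [
        ("CICSA", "AGN01", "PSB1"),   # allowed: PSB1 is in AGN01
        ("CICSA", "AGN01", "PSB3"),   # denied at level 2: PSB3 is not in AGN01
        ("CICSA", "AGN02", "PSB3"),   # denied at level 1: CICSA may not use AGN02
        ("BMPJOB", "AGN03", "PSB4"),  # allowed: PSB4 is in AGN03
    ]
    for userid, agn, psb in checks:
        outcome = "allowed" if can_schedule(userid, agn, psb) else "denied"
        print(f"{userid:7} {agn} {psb}: {outcome}")
```

Note that PSB2 is reachable from both AGN01 and AGN02, which is why a new PSB or a changed AGN requires the matrix and the connect-time authorization to be updated together: the PSB membership check alone never consults the userid, and the connect-time check alone never consults the PSB.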

The two levels of security mean that if a new PSB is introduced, there are two kinds of table that you must update:

If the AGN is changed in the DRA startup parameter table, update the following tables:

Parameters for DBCTL resource access security

You specify the kind of security checking you want by using either the DBCTL system generation macro SECURITY or the DBCTL startup parameter ISIS. See the IMS System Definition Reference manual or IMS Installation Volume 2: System Definition and Tailoring for further guidance on this parameter.

For guidance on the RACF aspects of implementing DBCTL security, see the Resource Access Control Facility (RACF) Security Administrator’s Guide.

Related concepts
Security checking with DBCTL
PSB authorization checking by CICS
DBCTL password security checking
Migration considerations for security with DBCTL