You can define your own resource classes so that you have a unique resource
class name for each CICS® region. Defining your own resource class names can
have the following benefits:
- Controlling access from other regions
  You can prevent users running in one CICS region from accessing the
  resources of other CICS regions that have different class names specified.
  (You can also do this by using prefixing; see the description of the SECPRFX
  parameter in Security-related system initialization parameters.)
- Group administrator for each region
  For each CICS region with installation-defined classes, you can authorize
  a different group administrator to create profiles to be used by that region.
  To get this benefit, define the installation-defined classes with a
  POSIT number other than 5 (the POSIT number of the IBM®-supplied CICS
  classes). Then give the group administrator the CLAUTH (class authority) for
  at least one of those classes.

Use the SETROPTS GENERIC command before defining generic profiles, as
described in Summary of RACF commands.

With prefixing active, you can also assign different administrators without
fear of conflict. To do this, create a generic profile in each class, using
the prefix as a high-level qualifier. For example:

    RDEFINE TCICSTRN cics_region_id.** UACC(NONE)
            OWNER(cics_region_administrator_userid)

The administrator specified as the OWNER of each such profile can create and
maintain more specific profiles. The other administrators cannot do so.
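
The prefixing arrangement described above, worked through for two regions as an added example that is not part of the original documentation. The prefixes CICSA and CICSB, the user IDs ADMINA and ADMINB, the group PAYGRP and the transaction PAY1 are constructed names, and each region is assumed to run with SECPRFX active using its own prefix.

```tso
/* Issued by the RACF security administrator.                        */
/* Enable generic profile checking for the class before any generic  */
/* profile is defined in it.                                          */
SETROPTS GENERIC(TCICSTRN)

/* One catch-all generic profile per region prefix, each owned by    */
/* that region's administrator. UACC(NONE) means a transaction with  */
/* no more specific profile is denied by default.                    */
RDEFINE TCICSTRN CICSA.** UACC(NONE) OWNER(ADMINA)
RDEFINE TCICSTRN CICSB.** UACC(NONE) OWNER(ADMINB)

/* Issued by ADMINA, who owns CICSA.** and so maintains the more     */
/* specific profiles under that prefix, as the text above describes. */
/* READ is the access a user needs to attach the transaction.        */
RDEFINE TCICSTRN CICSA.PAY1 UACC(NONE) OWNER(ADMINA)
PERMIT CICSA.PAY1 CLASS(TCICSTRN) ID(PAYGRP) ACCESS(READ)

/* Issued by the security administrator: rebuild the in-storage      */
/* profiles so that the running regions see the change.              */
SETROPTS RACLIST(TCICSTRN) REFRESH

/* Review: list every profile under one prefix, then show the owner  */
/* and access list of the catch-all profile.                          */
SEARCH CLASS(TCICSTRN) MASK(CICSA.)
RLIST TCICSTRN CICSA.** AUTHUSER
```

Running the SEARCH for each prefix in turn gives a quick audit that every profile under a prefix is owned by the administrator assigned to that region.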

Note: If you are running CICS with XRF, think of the active CICS and its
alternate as one CICS system as far as RACF is concerned, and define the same
resource class names to both the active and alternate CICS region.