There is no facility within CICS® for controlling LOGSTRM security checks. This is controlled by the MVS™ security administrator activating the LOGSTRM and FACILITY general resource classes by means of the SETROPTS command.
Users of the IXCMIAPU administrative data utility and CICS regions both require appropriate authorizations to log streams and IXLSTR coupling facility structures.
You create log structures and define log streams using the IXCMIAPU administrative data utility to update the LOGR data set. To do this, your userid needs the appropriate level of authorization, as shown in the following examples:
PERMIT MVSADMIN.LOGR CLASS(FACILITY) ACCESS(ALTER) ID(your_userid)
RDEFINE LOGSTRM log_stream_profile UACC(NONE) [NOTIFY]
RDEFINE FACILITY IXLSTR.structure_name_a UACC(NONE) [NOTIFY]
Use the following RACF commands to give your userid the required authorizations to these two profiles:
PERMIT log_stream_profile CLASS(LOGSTRM) ACCESS(ALTER) ID(your_userid)
PERMIT IXLSTR.structure_name_a CLASS(FACILITY) ACCESS(UPDATE) ID(your_userid)
If the LOGSTRM resource class is active, the level of authorization required depends on whether log streams are always explicitly defined to the MVS system logger.
Ensure that the CICS region userid is authorized to write to (and create if necessary) the log streams that are used for its system log and general logs (see Defining the logger environment for CICS journaling). You do this by granting the appropriate access authorization to log stream profiles in the RACF LOGSTRM general resource class:
PERMIT region_userid.applid.* CLASS(LOGSTRM) ACCESS(ALTER) ID(region_userid)
PERMIT IXLSTR.structurename CLASS(FACILITY) ACCESS(UPDATE) ID(region_userid)
PERMIT region_userid.applid* CLASS(LOGSTRM) ACCESS(UPDATE) ID(region_userid)
Permit READ access to those users who need to read the CICS log streams. You must permit UPDATE access to those users who need to update journals by granting the user the appropriate authority to the log stream (in the LOGSTRM resource class) and to the JOURNALNAME (in the JCICSJCT class).
The generic profile in the following example could be defined to cover all the log streams referenced by the CICS region identified by its region userid and applid:
RDEFINE LOGSTRM region_userid.** UACC(NONE)
If, however, you have multiple CICS systems sharing the same region userid, but with differing security requirements, include the applid in the generic profile, as follows:
RDEFINE LOGSTRM region_userid.applid.* UACC(NONE)
The following example allows the CICS region userid under which CICS is running to write journal and log records to log streams in the named coupling facility structure:
PERMIT IXLSTR.structurename CLASS(FACILITY) ACCESS(UPDATE) ID(region_userid)
The following examples give access to two categories of user:
PERMIT region_userid.applid.* CLASS(LOGSTRM) ACCESS(READ) ID(authorized_browsers)
PERMIT region_userid.applid* CLASS(LOGSTRM) ACCESS(UPDATE) ID(archive_userid)
In these examples, archive_userid is the userid under which an application program runs to purge old data from CICS logs when the data is no longer needed, and authorized_browsers refers to the userids of users who are allowed to read log streams but who cannot purge data.
If several CICS regions share the same CICS region userid, you can make profiles more generic by specifying * for the applid qualifier.
The number of profiles you define depends on the naming conventions of the logs, and to what extent you can use generic profiling.
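The following command sequence is an added example, not part of the original page, that puts the steps above together for one constructed CICS region: region userid CICSRGN1, applid CICSPRD1, coupling facility structure LOG_GENERAL_001, an administrator userid LOGADMIN, a browser group CICSBRWS, an archive userid CICSARCH, and a user journal name DFHJ02. All of these names are assumptions chosen for illustration. The SETROPTS activation of the LOGSTRM and FACILITY classes is the MVS security administrator's step referred to at the top of the page; the refresh commands at the end are standard RACF practice so that new or changed generic profiles take effect, and are added here as an assumption about how the installation manages these classes.

```tso
/* 1. Activate the classes (MVS security administrator; assumed not already active) */
SETROPTS CLASSACT(LOGSTRM) GENERIC(LOGSTRM)
SETROPTS CLASSACT(FACILITY) GENERIC(FACILITY)

/* 2. Let the administrator userid run IXCMIAPU against the LOGR data set */
PERMIT MVSADMIN.LOGR CLASS(FACILITY) ACCESS(ALTER) ID(LOGADMIN)

/* 3. Define the protecting profiles with no default access.
      The LOGSTRM profile includes the applid so that other regions
      sharing userid CICSRGN1 can have different access lists. */
RDEFINE LOGSTRM CICSRGN1.CICSPRD1.* UACC(NONE)
RDEFINE FACILITY IXLSTR.LOG_GENERAL_001 UACC(NONE)

/* 4. Administrator: define log streams (ALTER) and use the structure (UPDATE) */
PERMIT CICSRGN1.CICSPRD1.* CLASS(LOGSTRM) ACCESS(ALTER) ID(LOGADMIN)
PERMIT IXLSTR.LOG_GENERAL_001 CLASS(FACILITY) ACCESS(UPDATE) ID(LOGADMIN)

/* 5. CICS region userid: write to (and create if necessary) its own log streams */
PERMIT CICSRGN1.CICSPRD1.* CLASS(LOGSTRM) ACCESS(ALTER) ID(CICSRGN1)
PERMIT IXLSTR.LOG_GENERAL_001 CLASS(FACILITY) ACCESS(UPDATE) ID(CICSRGN1)

/* 6. Browsers may read the log streams; the archive userid may purge them.
      The archive program also needs UPDATE to the journal name in JCICSJCT. */
PERMIT CICSRGN1.CICSPRD1.* CLASS(LOGSTRM) ACCESS(READ) ID(CICSBRWS)
PERMIT CICSRGN1.CICSPRD1.* CLASS(LOGSTRM) ACCESS(UPDATE) ID(CICSARCH)
PERMIT DFHJ02 CLASS(JCICSJCT) ACCESS(UPDATE) ID(CICSARCH)

/* 7. Make the new generic profiles and access lists effective
      (assumes FACILITY is RACLISTed, as is usual) */
SETROPTS GENERIC(LOGSTRM) REFRESH
SETROPTS GENERIC(JCICSJCT) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH
```

The point of keeping UACC(NONE) on both profiles is that every access to a log stream or structure is then an explicit grant that can be listed and audited with RLIST, and a region running under a different userid or applid gets nothing by default.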