Authorizing access to MVS log streams

There is no facility within CICS® for controlling LOGSTRM security checks. This is controlled by the MVS™ security administrator activating the LOGSTRM and FACILITY general resource classes by means of the SETROPTS command.

Users of the IXCMIAPU administrative data utility and CICS regions both require appropriate authorizations to log streams and IXLSTR coupling facility structures.

Authorizations for users of IXCMIAPU

You create log structures and define log streams using the IXCMIAPU administrative data utility to update the LOGR data set. To do this, your userid needs the appropriate level of authorization, as shown in the following examples:

Coupling facility structures
To define and delete log structures using IXCMIAPU, you need ALTER access to the LOGR resource profile named MVSADMIN.LOGR in the FACILITY general resource class. For example, use the following RACF® command:
PERMIT MVSADMIN.LOGR CLASS(FACILITY) ACCESS(ALTER) ID(your_userid)
Coupling facility log streams
To define, delete, and update log streams (including log stream models) that are defined in coupling facility structures, you need ALTER access to the log stream profile in the LOGSTRM class and UPDATE access to the IXLSTR.structure_name profile in the FACILITY class. For example, if the log stream and structure resource profiles are defined to RACF with the following commands:
RDEFINE LOGSTRM log_stream_profile  UACC(NONE)  [NOTIFY]
RDEFINE FACILITY IXLSTR.structure_name_a  UACC(NONE)  [NOTIFY]
use the following RACF commands to give your userid the required authorizations to these two profiles:
PERMIT log_stream_profile  CLASS(LOGSTRM) ACCESS(ALTER) ID(your_userid)
PERMIT IXLSTR.structure_name_a CLASS(FACILITY) ACCESS(UPDATE) ID(your_userid)

Authorizations for CICS regions

If the LOGSTRM resource class is active, the level of authorization required depends on whether log streams are always explicitly defined to the MVS system logger before CICS uses them. If they are (for example, defined in advance with IXCMIAPU), the CICS region userid needs only UPDATE access to the log stream profiles. If CICS is allowed to create a log stream dynamically from a model log stream, the CICS region userid needs ALTER access to the log stream profile, and UPDATE access to the IXLSTR.structure_name profile in the FACILITY class for the coupling facility structure in which the log stream is allocated.

Ensure that the CICS region userid is authorized to write to (and create if necessary) the log streams that are used for its system log and general logs (see Defining the logger environment for CICS journaling). You do this by granting the appropriate access authorization to log stream profiles in the RACF LOGSTRM general resource class, as shown in the examples that follow.

Note:
In the following examples, region_userid.applid.* is the generic profile name of the log stream resource. These examples illustrate a resource name prefixed by the region userid and applid. region_userid is the CICS region userid under which CICS runs, either as a started task or as a batch job, and applid is the APPLID of that CICS region.

Permit READ access to those users who need to read the CICS log streams. Users who need to update journals must be given UPDATE access in two places: to the log stream profile (in the LOGSTRM resource class) and to the journal name (in the JCICSJCT class).

The generic profile in the following example could be defined to cover all the log streams referenced by the CICS region identified by its region userid and applid:

RDEFINE LOGSTRM region_userid.** UACC(NONE)

If, however, you have multiple CICS systems sharing the same region userid, but with differing security requirements, include the applid in the generic profile, as follows:

RDEFINE LOGSTRM region_userid.applid.* UACC(NONE)

The following example allows the CICS region userid under which CICS is running to write journal and log records to log streams in the named coupling facility structure:

PERMIT IXLSTR.structurename CLASS(FACILITY) ACCESS(UPDATE)
       ID(region_userid)

The following examples give access to two categories of user:

PERMIT region_userid.applid.* CLASS(LOGSTRM) ACCESS(READ)
       ID(authorized_browsers)
PERMIT region_userid.applid.* CLASS(LOGSTRM) ACCESS(UPDATE)
       ID(archive_userid)

In these examples, archive_userid is the userid under which an application program runs to purge old data from CICS logs when the data is no longer needed, and authorized_browsers refers to the userids of users who are allowed to read log streams but cannot purge data.

If several CICS regions share the same CICS region userid, you can make profiles more generic by specifying * for the applid qualifier.

The number of profiles you define depends on the naming conventions of the logs, and to what extent you can use generic profiling.
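The following batch TSO job is an added example, not part of the CICS documentation, that issues the RACF commands from both sections above (the IXCMIAPU administrator's authorizations and the CICS region's authorizations) as a single unit of work and then lists the resulting access lists so you can verify them. All names in it are assumptions chosen for illustration: CICSADM is the userid that runs IXCMIAPU, CICSRUN is the CICS region userid, CICSPA01 is the region's applid, LOG_DFHLOG_001 is the IXLSTR coupling facility structure, CICSARCH is the archive userid, and LOGREAD is a RACF group containing the authorized browsers. Replace them with your own, and submit the job under a userid that is allowed to issue RDEFINE and PERMIT for these classes (for example, one with the SPECIAL attribute).

```jcl
//RACFLOGR JOB (ACCT),'LOGSTRM PERMITS',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*------------------------------------------------------------------
//* Added example (not from the CICS documentation). Assumed names:
//*   CICSADM        userid that runs IXCMIAPU
//*   CICSRUN        CICS region userid
//*   CICSPA01       applid of the CICS region
//*   LOG_DFHLOG_001 coupling facility structure (IXLSTR profile)
//*   CICSARCH       userid of the log archive/purge program
//*   LOGREAD        group of authorized browsers (READ only)
//* The region userid gets UPDATE because the log streams are assumed
//* to be explicitly defined with IXCMIAPU. If CICS must create them
//* dynamically from a model log stream, change that PERMIT to ALTER.
//* Do not put /* or // in column 1 inside SYSTSIN: JCL would treat it
//* as the end of the instream command data.
//*------------------------------------------------------------------
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(LOGSTRM FACILITY) GENERIC(LOGSTRM FACILITY)
  RDEFINE FACILITY MVSADMIN.LOGR UACC(NONE)
  RDEFINE FACILITY IXLSTR.LOG_DFHLOG_001 UACC(NONE)
  RDEFINE LOGSTRM CICSRUN.CICSPA01.* UACC(NONE)
  PERMIT MVSADMIN.LOGR CLASS(FACILITY) ACCESS(ALTER) ID(CICSADM)
  PERMIT CICSRUN.CICSPA01.* CLASS(LOGSTRM) ACCESS(ALTER) -
         ID(CICSADM)
  PERMIT IXLSTR.LOG_DFHLOG_001 CLASS(FACILITY) ACCESS(UPDATE) -
         ID(CICSADM CICSRUN)
  PERMIT CICSRUN.CICSPA01.* CLASS(LOGSTRM) ACCESS(UPDATE) -
         ID(CICSRUN)
  PERMIT CICSRUN.CICSPA01.* CLASS(LOGSTRM) ACCESS(READ) -
         ID(LOGREAD)
  PERMIT CICSRUN.CICSPA01.* CLASS(LOGSTRM) ACCESS(UPDATE) -
         ID(CICSARCH)
  SETROPTS GENERIC(LOGSTRM FACILITY) REFRESH
  SETROPTS RACLIST(FACILITY) REFRESH
  RLIST LOGSTRM CICSRUN.CICSPA01.* AUTHUSER
  RLIST FACILITY IXLSTR.LOG_DFHLOG_001 AUTHUSER
  RLIST FACILITY MVSADMIN.LOGR AUTHUSER
/*
```

IKJEFT01 runs every command in SYSTSIN even if an earlier one fails, so read SYSTSPRT for ICH messages rather than relying on the job return code. The SETROPTS GENERIC REFRESH is what makes the new generic profiles take effect for checks already in progress; the RACLIST REFRESH is only needed if the FACILITY class is RACLISTed on your system and is otherwise reported as an error that can be ignored. The three RLIST commands with AUTHUSER print each profile's access list, which is the check to make before starting the CICS region: CICSRUN should appear with UPDATE on both the log stream profile and the IXLSTR profile, CICSADM with ALTER on the log stream and MVSADMIN.LOGR profiles, and LOGREAD with READ only.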
