CICS resources subject to command security checking

For transaction and resource security checking, you identify the resources to RACF® using the identifiers you have assigned to them, such as file names, queue names, transaction names, and so on. However, in the case of command security, the resource identifiers are all predefined by CICS®, and you use these predefined names when defining resource profiles to RACF. The full list of resource identifiers that are subject to command security checking, together with the associated commands, is shown in Table 1. Note that most of these commands are common to both the CEMT and EXEC CICS interfaces; where they are unique to one or the other they are prefaced with CEMT, or EXEC CICS, as appropriate.

Table 1. CICS resources subject to command security checking
Resource name (see note 1)

Related CICS command(s)

AUTINSTMODEL

INQUIRE AUTINSTMODEL
DISCARD AUTINSTMODEL

AUTOINSTALL

INQUIRE AUTOINSTALL
SET AUTOINSTALL

BEAN

INQUIRE BEAN

BRFACILITY

INQUIRE BRFACILITY
SET BRFACILITY

CFDTPOOL

INQUIRE CFDTPOOL

CLASSCACHE

INQUIRE CLASSCACHE
PERFORM CLASSCACHE
SET CLASSCACHE

CONNECTION

INQUIRE CONNECTION
SET CONNECTION
CREATE CONNECTION
DISCARD CONNECTION

CORBASERVER

INQUIRE CORBASERVER
SET CORBASERVER
CREATE CORBASERVER
DISCARD CORBASERVER
PERFORM CORBASERVER

DB2CONN

INQUIRE DB2CONN
SET DB2CONN
CREATE DB2CONN
DISCARD DB2CONN

DB2ENTRY

INQUIRE DB2ENTRY
SET DB2ENTRY
CREATE DB2ENTRY
DISCARD DB2ENTRY

DB2TRAN

INQUIRE DB2TRAN
SET DB2TRAN
CREATE DB2TRAN
DISCARD DB2TRAN

DELETSHIPPED

INQUIRE DELETSHIPPED
SET DELETSHIPPED
PERFORM DELETSHIPPED

DISPATCHER

INQUIRE DISPATCHER
SET DISPATCHER

DJAR

INQUIRE DJAR
CREATE DJAR
DISCARD DJAR
PERFORM DJAR

Note: ALTER access to the associated DJAR resource is required for the PERFORM CORBASERVER SCAN command.

DOCTEMPLATE

INQUIRE DOCTEMPLATE

DSNAME

INQUIRE DSNAME
SET DSNAME

DUMP

PERFORM DUMP
CEMT PERFORM SNAP

DUMPDS

INQUIRE DUMPDS
SET DUMPDS

ENQMODEL

INQUIRE ENQMODEL
SET ENQMODEL
CREATE ENQMODEL

EXCI

INQUIRE EXCI

EXITPROGRAM

EXEC CICS ENABLE PROGRAM
EXEC CICS DISABLE PROGRAM
EXEC CICS EXTRACT EXIT
EXEC CICS RESYNC ENTRYNAME
INQUIRE EXITPROGRAM

FEPIRESOURCE

Certain EXEC CICS FEPI commands (see note 3)

FILE

INQUIRE FILE
SET FILE
CREATE FILE
DISCARD FILE

HOST

INQUIRE HOST
SET HOST

IRC

INQUIRE IRC
SET IRC

JOURNALMODEL

EXEC CICS INQUIRE JOURNALMODEL
EXEC CICS CREATE JOURNALMODEL
EXEC CICS DISCARD JOURNALMODEL
CEMT INQUIRE JMODEL

JOURNALNAME

INQUIRE JOURNALNAME
SET JOURNALNAME

JVM

INQUIRE JVM

JVMPOOL

INQUIRE JVMPOOL
SET JVMPOOL

JVMPROFILE

INQUIRE JVMPROFILE

LINE

CEMT INQUIRE LINE
CEMT SET LINE

LSRPOOL

CREATE LSRPOOL

MAPSET

CREATE MAPSET
DISCARD MAPSET

MODENAME

INQUIRE MODENAME
SET MODENAME

MONITOR

INQUIRE MONITOR
SET MONITOR

MVSTCB

COLLECT STATISTICS
INQUIRE MVSTCB

PARTITIONSET

CREATE PARTITIONSET
DISCARD PARTITIONSET

PARTNER

INQUIRE PARTNER
CREATE PARTNER
DISCARD PARTNER

PIPELINE

CREATE PIPELINE
DISCARD PIPELINE
INQUIRE PIPELINE
PERFORM PIPELINE
SET PIPELINE

PROCESSTYPE

CEMT DEFINE PROCESSTYPE
EXEC CICS CREATE PROCESSTYPE
EXEC CICS DISCARD PROCESSTYPE
CEMT INQUIRE PROCESSTYPE
CEMT SET PROCESSTYPE

PROFILE

INQUIRE PROFILE
CREATE PROFILE
DISCARD PROFILE

PROGRAM

INQUIRE PROGRAM
SET PROGRAM
CREATE PROGRAM
DISCARD PROGRAM

REQID

EXEC CICS INQUIRE REQID

RESETTIME

PERFORM RESETTIME (see note 4)

REQUESTMODEL

INQUIRE REQUESTMODEL

RRMS

INQUIRE RRMS

SECURITY

PERFORM SECURITY REBUILD

SESSIONS

CREATE SESSIONS
DISCARD SESSIONS

SHUTDOWN

PERFORM SHUTDOWN (see note 2)

STATISTICS

INQUIRE STATISTICS
SET STATISTICS
EXEC CICS COLLECT STATISTICS
EXEC CICS EXTRACT STATISTICS
EXEC CICS PERFORM STATISTICS RECORD

STORAGE

INQUIRE STORAGE

STREAMNAME

INQUIRE STREAMNAME

SUBPOOL

INQUIRE SUBPOOL

SYSDUMPCODE

INQUIRE SYSDUMPCODE (see note 4)
SET SYSDUMPCODE (see note 4)

SYSTEM

INQUIRE SYSTEM
SET SYSTEM

TASK

INQUIRE TASK
INQUIRE TASK LIST
SET TASK LIST

TCLASS

INQUIRE TCLASS
SET TCLASS
DISCARD TCLASS
INQUIRE TRANCLASS
SET TRANCLASS
CREATE TRANCLASS
DISCARD TRANCLASS

TCPIP

INQUIRE TCPIP
SET TCPIP

TCPIPSERVICE

INQUIRE TCPIPSERVICE
SET TCPIPSERVICE
CREATE TCPIPSERVICE
DISCARD TCPIPSERVICE

TDQUEUE

INQUIRE TDQUEUE
SET TDQUEUE
CREATE TDQUEUE
DISCARD TDQUEUE

TERMINAL

INQUIRE TERMINAL
SET TERMINAL
CREATE TERMINAL
DISCARD TERMINAL
INQUIRE NETNAME
SET NETNAME

TRACEDEST

EXEC CICS INQUIRE TRACEDEST
EXEC CICS SET TRACEDEST

TRACEFLAG

EXEC CICS INQUIRE TRACEFLAG
EXEC CICS SET TRACEFLAG

TRACETYPE

EXEC CICS INQUIRE TRACETYPE
EXEC CICS SET TRACETYPE

TRANDUMPCODE

INQUIRE TRANDUMPCODE (see note 4)
SET TRANDUMPCODE (see note 4)

TRANSACTION

INQUIRE TRANSACTION
SET TRANSACTION
CREATE TRANSACTION
DISCARD TRANSACTION

TSMODEL

INQUIRE TSMODEL
CREATE TSMODEL
DISCARD TSMODEL

TSPOOL

INQUIRE TSPOOL

TSQUEUE

EXEC CICS INQUIRE TSQUEUE

TSQNAME

INQUIRE TSQNAME
SET TSQNAME

TYPETERM

CREATE TYPETERM
DISCARD TYPETERM

UOW

INQUIRE UOW
SET UOW

UOWDSNFAIL

INQUIRE UOWDSNFAIL

UOWENQ

INQUIRE UOWENQ

UOWLINK

INQUIRE UOWLINK
EXEC CICS SET UOWLINK

URIMAP

INQUIRE URIMAP
SET URIMAP
CREATE URIMAP
DISCARD URIMAP

VTAM®

INQUIRE VTAM
SET VTAM

WEB

INQUIRE WEB
SET WEB

WEBSERVICE

CREATE WEBSERVICE
DISCARD WEBSERVICE
INQUIRE WEBSERVICE
SET WEBSERVICE

WORKREQUEST

INQUIRE WORKREQUEST
SET WORKREQUEST

Note:
  1. If you are using prefixing, the CICS region userid must be prefixed to the command resource name.
  2. Be particularly cautious when authorizing access to these and any other CICS commands that include a SHUTDOWN option.
  3. For more information about FEPI security, see the CICS Front End Programming Interface User's Guide.
  4. See CEMT considerations.

If you are running CICS with command security, define resource profiles to RACF, with access lists as appropriate, using the resource names in Table 1 as the profile names. Alternatively, you can create resource group profiles in the VCICSCMD class.

In the following example, the RDEFINE command defines a profile named CMDSAMP. The commands protected by this profile are specified on the ADDMEM operand. The PERMIT command allows a group of users to issue INQUIRE commands against these resources:

RDEFINE  VCICSCMD CMDSAMP UACC(NONE)
                  NOTIFY(sys_admin_userid)
                  ADDMEM(AUTINSTMODEL, AUTOINSTALL, CONNECTION,
                         DSNAME, TRANSACTION, TRANDUMPCODE, VTAM)
PERMIT CMDSAMP CLASS(VCICSCMD) ID(operator_group) ACCESS(READ)

The second example defines a profile called CMDSAMP1 with the same commands on the ADDMEM operand as in the previous example. The PERMIT command allows a group of users to issue PERFORM, SET, and DISCARD commands against these resources:

RDEFINE  VCICSCMD CMDSAMP1 UACC(NONE)
                  NOTIFY(sys_admin_userid)
                  ADDMEM(AUTINSTMODEL, AUTOINSTALL, CONNECTION,
                         DSNAME, TRANSACTION, TRANDUMPCODE, VTAM)
PERMIT CMDSAMP1 CLASS(VCICSCMD) ID(op_group_2) ACCESS(UPDATE)

If you are running CICS with SEC=YES, users require the access levels shown in Table 1.
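
The following check is an added example, not part of the CICS documentation: it reads RDEFINE and PERMIT text for the VCICSCMD class, reports ADDMEM members that are not Table 1 resource names (such a member matches no CICS command resource), and reports permits above READ on a profile that covers SHUTDOWN (note 2). The profile name CMDOPER, the sample input, the function name and the `userid.RESOURCE` prefix form are assumptions.

```python
import re

# Predefined command-security resource names, copied from Table 1 on this page.
TABLE1 = set("""
AUTINSTMODEL AUTOINSTALL BEAN BRFACILITY CFDTPOOL CLASSCACHE CONNECTION
CORBASERVER DB2CONN DB2ENTRY DB2TRAN DELETSHIPPED DISPATCHER DJAR DOCTEMPLATE
DSNAME DUMP DUMPDS ENQMODEL EXCI EXITPROGRAM FEPIRESOURCE FILE HOST IRC
JOURNALMODEL JOURNALNAME JVM JVMPOOL JVMPROFILE LINE LSRPOOL MAPSET MODENAME
MONITOR MVSTCB PARTITIONSET PARTNER PIPELINE PROCESSTYPE PROFILE PROGRAM REQID
RESETTIME REQUESTMODEL RRMS SECURITY SESSIONS SHUTDOWN STATISTICS STORAGE
STREAMNAME SUBPOOL SYSDUMPCODE SYSTEM TASK TCLASS TCPIP TCPIPSERVICE TDQUEUE
TERMINAL TRACEDEST TRACEFLAG TRACETYPE TRANDUMPCODE TRANSACTION TSMODEL TSPOOL
TSQUEUE TSQNAME TYPETERM UOW UOWDSNFAIL UOWENQ UOWLINK URIMAP VTAM WEB
WEBSERVICE WORKREQUEST
""".split())
ABOVE_READ = {"UPDATE", "CONTROL", "ALTER"}  # RACF access levels higher than READ

def audit_vcicscmd(racf_text, region_prefix=""):
    """Return (unknown_members, risky_permits). RDEFINE must precede its PERMITs."""
    unknown, risky, members = [], [], {}
    flat = " ".join(racf_text.split())  # fold multi-line operands onto one line
    for cmd in re.split(r"(?=\b(?:RDEFINE|PERMIT)\b)", flat):
        rdef = re.match(r"RDEFINE\s+VCICSCMD\s+(\S+)", cmd)
        addmem = re.search(r"ADDMEM\(([^)]*)\)", cmd)
        if rdef and addmem:
            good = members.setdefault(rdef.group(1), set())
            for name in filter(None, (n.strip() for n in addmem.group(1).split(","))):
                # Assumed prefix form (note 1): "<region userid>.<resource name>".
                prefix, _, bare = name.rpartition(".")
                if prefix == region_prefix and bare in TABLE1:
                    good.add(bare)
                else:
                    unknown.append((rdef.group(1), name))
        perm = re.match(r"PERMIT\s+(\S+)", cmd)
        who = re.search(r"\bID\(([^)]*)\)", cmd)
        acc = re.search(r"\bACCESS\((\w+)\)", cmd)
        if perm and who and acc and "CLASS(VCICSCMD)" in cmd:
            # Note 2: anything above READ on a profile covering SHUTDOWN needs review.
            if acc.group(1) in ABOVE_READ and "SHUTDOWN" in members.get(perm.group(1), ()):
                risky.append((perm.group(1), who.group(1), acc.group(1)))
    return unknown, risky

# Constructed sample: TRANSACTON is a deliberate typo; CMDOPER and the IDs are made up.
SAMPLE = """
RDEFINE  VCICSCMD CMDOPER UACC(NONE)
                  ADDMEM(TASK, SHUTDOWN, TRANSACTON)
PERMIT CMDOPER CLASS(VCICSCMD) ID(operator_group) ACCESS(READ)
PERMIT CMDOPER CLASS(VCICSCMD) ID(op_group_2) ACCESS(UPDATE)
"""
```

Calling `audit_vcicscmd(SAMPLE)` returns the misspelled member and the UPDATE permit on the profile that includes SHUTDOWN; pass `region_prefix` when prefixing is in use so that unprefixed members are reported as well.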