DBCTL views all the resources that can be accessed by one particular CICS® system or BMP as a single entity. Resources in this context means one or more PSBs. The set of PSBs that one CICS or BMP can access is grouped together in an entity called an application group. Each application group has a name, its AGN, and the AGNs are defined in matrix data sets.
Application groups, and the names of the resources within those groups, are placed in tables in DBCTL’s security matrix data set(s) using the IMS™ security maintenance utility. You can use the IMS online change facility to bring new security tables online.
The AGN that CICS intends to use is specified in the DRA startup table referenced by CICS when it attempts to connect to DBCTL. You can assign the same AGN to different CICS systems, if you need to.
DBCTL resource access security checking provides the following:
When CICS or a BMP connects to DBCTL, DBCTL initiates a check to find out if CICS or the BMP is authorized. The check is carried out either by RACF® in conjunction with DBCTL or by a user exit routine (DFSISIS0):
This check has two parts:
If you use DBCTL connect-time checking, you must also use DBCTL PSB schedule-time checking. That is, you can use both of these checks, or neither, but you cannot use only one of them.
See the IMS System Administration Guide or the IMS Administration Guide: System for guidance on specifying security, and the IMS Utilities Reference: Database manual for guidance on the security maintenance utility.
This is completely unrelated to and independent of the PSB authorization checking by CICS, which is described in PSB authorization checking by CICS.
This check is carried out by DBCTL and involves verifying that the PSB belongs to the AGN specified during the connection process.
Figure 34 summarizes the relationships between AGNs, PSBs, and the DBCTL ID in security checking.
The two levels of security mean that if a new PSB is introduced, there are two kinds of table that you must update:
If the AGN is changed in the DRA startup parameter table, update the following tables:
You specify the kind of security checking you want by using either the DBCTL system generation macro SECURITY or the DBCTL startup parameter ISIS. See the IMS System Definition Reference manual or IMS Installation Volume 2: System Definition and Tailoring for further guidance on this parameter.
For guidance on the RACF aspects of implementing DBCTL security, see the Resource Access Control Facility (RACF) Security Administrator’s Guide.
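The following is an added example, not part of the IBM documentation and not IMS or CICS code: a small audit that compares the AGN each CICS system names in its DRA startup table with the PSBs defined for that AGN, to find PSBs that would fail the schedule-time check, PSBs an AGN grants beyond what a region uses, and AGNs shared between regions. The dictionary layout, the finding labels, and every region, AGN and PSB name are assumptions constructed for illustration.

```python
# Added illustration: models the AGN/PSB relationships only.
# All region, AGN and PSB names are constructed sample data.

def audit_agn_access(dra_agn, matrix, psbs_needed):
    """Compare what each region is permitted through its AGN with what it uses.

    dra_agn:     region -> AGN named in that region's DRA startup table
    matrix:      AGN -> set of PSBs defined for it in the security matrix
    psbs_needed: region -> set of PSBs the region's applications schedule
    """
    findings = []
    for region, agn in sorted(dra_agn.items()):
        if agn not in matrix:
            # The DRA table names an AGN that the matrix does not define.
            findings.append((region, agn, "AGN_NOT_DEFINED", ()))
            continue
        allowed = matrix[agn]
        needed = psbs_needed.get(region, set())
        missing = sorted(needed - allowed)
        if missing:
            # These PSBs do not belong to the region's AGN.
            findings.append((region, agn, "PSB_NOT_IN_AGN", tuple(missing)))
        excess = sorted(allowed - needed)
        if excess:
            # The AGN grants PSBs this region never schedules.
            findings.append((region, agn, "PSB_NOT_NEEDED", tuple(excess)))
    return findings

def shared_agns(dra_agn):
    """Return AGNs assigned to more than one region, with those regions."""
    by_agn = {}
    for region, agn in dra_agn.items():
        by_agn.setdefault(agn, []).append(region)
    return {agn: sorted(r) for agn, r in by_agn.items() if len(r) > 1}

# Constructed inventory (hypothetical names).
DRA_AGN = {"CICSA": "AGNPAY", "CICSB": "AGNPAY",
           "CICSC": "AGNINV", "CICSD": "AGNOLD"}
MATRIX = {"AGNPAY": {"PSBPAY1", "PSBPAY2"}, "AGNINV": {"PSBINV1"}}
PSBS_NEEDED = {"CICSA": {"PSBPAY1", "PSBPAY2"}, "CICSB": {"PSBPAY1"},
               "CICSC": {"PSBINV1", "PSBINV2"}}

if __name__ == "__main__":
    for finding in audit_agn_access(DRA_AGN, MATRIX, PSBS_NEEDED):
        print(finding)
    print(shared_agns(DRA_AGN))
```

A shared AGN is permitted, but every region that uses it can schedule every PSB in the group, so a `PSB_NOT_NEEDED` finding on a shared AGN is a candidate for splitting the group.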