Security keys for API commands

Here is the format of the security key that the CICS® Configuration Manager server creates to check a user's authority to perform an API command:

Figure 1. Security key that CICS Configuration Manager creates to check whether a user is authorized to perform an API command
                                   (1)                                                           
>>-prefix--.--+-LIS.-+-object_type-----+-.location_type.-+-location_name-+-------------------+-><
              |      '-ALL-------------'                 +-ALL-----------+                   |   
              |                                          '-NONE----------'                   |   
              +-+-ADD-----------------------------+-.object_type.location_type.location_name-+   
              | +-ALT-----------------------------+                                          |   
              | |     (2)                         |                                          |   
              | +-CPY-----------------------------+                                          |   
              | +-DIO-----------------------------+                                          |   
              | +-INO-----------------------------+                                          |   
              | +-NEO-----------------------------+                                          |   
              | |     (3)                         |                                          |   
              | +-REC-----------------------------+                                          |   
              | +-REM-----------------------------+                                          |   
              | '-REN-----------------------------'                                          |   
              +-+-CRE-+-.object_type.location_type.-+-location_name-+------------------------+   
              | +-DEL-+                             '-NONE----------'                        |   
              | +-INQ-+                                                                      |   
              | '-UPD-'                                                                      |   
              +-+-APP-+-.migration_scheme.approval_profile.approver_role---------------------+   
              | '-DIS-'                                                                      |   
              +-+-REA-+-.migration_scheme----------------------------------------------------+   
              | +-UNR-+                                                                      |   
              | +-MIG-+                                                                      |   
              | +-BAC-+                                                                      |   
              | +-INS-+                                                                      |   
              | '-NEW-'                                                                      |   
              +-IMP.target_CICS_configuration------------------------------------------------+   
              '-DEP.-+-COLLECT.CCONFIG.CICS_configuration-+----------------------------------'   
                     '-REPORT.NONE.NONE-------------------'                                      

Notes:
  1. In security keys, the KEYASSOCIATION object type is abbreviated to KEYASSOC.
  2. For the Copy command, location_type and location_name refer to the target location (where the object is being copied to).
  3. For the Recover command, location_type is CCONFIG and location_name is the name of the CICS configuration where the change occurred (stored in the BAImage journal record).

For descriptions of the fields in this key, see API parameters.

To limit the security key length, API command names are abbreviated to three letters:

ADD  Add
ALT  Alter
APP  Approve
BAC  Backout
CPY  Copy
CRE  Create
DEL  Delete
DEP  Deploy
DIO  Discard (an ad hoc selection of resource definitions)
DIS  Disapprove
IMP  Import
INO  Install (an ad hoc selection of resource definitions)
INQ  Inquire
INS  Install (the resource definitions in a change package)
LIS  List
MIG  Migrate
NEO  Newcopy (an ad hoc selection of resource definitions)
NEW  Newcopy (the resource definitions in a change package)
REA  Ready
REC  Recover
REM  Remove
REN  Rename
UNR  Unready
UPD  Update

The server calls the external security manager (such as RACF®) to check whether this key matches a general resource profile for which the user has READ access authority. If it does, the server performs the command.
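The key layouts in Figure 1, with the three-letter abbreviations and notes 1 and 3, as an added example (not IBM's code): a small Python builder that returns the key the server would check for a given command, so you can see which general resource profiles must cover it. The keyword name deploy_kind, the rule that a qualifier contains no period, and all sample values are assumptions.

```python
# Added example: compose the security key for an API command per Figure 1.
# Sample values (CCVAPI, PROGRAM, PRODA, DEV2TEST) are constructed.

OBJECT = ("object_type", "location_type", "location_name")
LAYOUTS = {
    **dict.fromkeys(("LIS", "ADD", "ALT", "CPY", "DIO", "INO", "NEO", "REC",
                     "REM", "REN", "CRE", "DEL", "INQ", "UPD"), OBJECT),
    **dict.fromkeys(("APP", "DIS"),
                    ("migration_scheme", "approval_profile", "approver_role")),
    **dict.fromkeys(("REA", "UNR", "MIG", "BAC", "INS", "NEW"),
                    ("migration_scheme",)),
    "IMP": ("target_CICS_configuration",),
    # deploy_kind is a name assumed here for the COLLECT/REPORT qualifier.
    "DEP": ("deploy_kind", "location_type", "CICS_configuration"),
}
NONE_NAME_OK = {"LIS", "CRE", "DEL", "INQ", "UPD"}  # location_name may be NONE


def security_key(prefix, command, **fields):
    """Return prefix.CMD.qualifiers for one API command; ValueError if invalid."""
    layout = LAYOUTS.get(command)
    if layout is None:
        raise ValueError(f"unknown command abbreviation: {command!r}")
    if set(fields) != set(layout):
        raise ValueError(f"{command} needs exactly: {', '.join(layout)}")
    values = [fields[name] for name in layout]
    for name, value in zip(layout, values):
        # Assumption: a qualifier is non-empty and contains no period,
        # otherwise the qualifier positions of the key would shift.
        if not value or "." in value:
            raise ValueError(f"bad value for {name}: {value!r}")
    if layout is OBJECT:
        if values[0] == "KEYASSOCIATION":  # note 1: abbreviated in keys
            values[0] = "KEYASSOC"
        if "ALL" in (values[0], values[2]) and command != "LIS":
            raise ValueError("ALL appears only in LIS keys")
        if values[2] == "NONE" and command not in NONE_NAME_OK:
            raise ValueError(f"location_name NONE is not used by {command}")
        if command == "REC" and values[1] != "CCONFIG":  # note 3
            raise ValueError("REC keys use location_type CCONFIG")
    if command == "DEP" and values[:2] != ["COLLECT", "CCONFIG"] \
            and values != ["REPORT", "NONE", "NONE"]:
        raise ValueError("DEP is COLLECT.CCONFIG.<name> or REPORT.NONE.NONE")
    return ".".join([prefix, command] + values)


if __name__ == "__main__":
    print(security_key("CCVAPI", "UPD", object_type="PROGRAM",
                       location_type="CCONFIG", location_name="PRODA"))
```
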

As a starting point, consider temporarily defining a general resource profile such as this:

CCVAPI.**

(where CCVAPI is the prefix that you have chosen for the security keys) with a universal access authority (UACC) of READ. This enables you to activate security checking in CICS Configuration Manager and then continue to work as before, while you define more specific general resource profiles.

For examples of general resource profiles, and the JCL to define those profiles in a RACF environment, see member CCVXSAF2 of the sample library SCCVSAMP.

Restricting access to the ISPF dialog:

To start the CICS Configuration Manager ISPF dialog, users must be able to perform a List command for the SvrInfo repository object; for details, see SvrInfo (server information). You can use this requirement to restrict access to the ISPF dialog.




Last updated: Friday, 7 February 2014


http://pic.dhe.ibm.com/infocenter/cicsts/v5r1/topic///ccv-security-key-api.htm