Restricting access to API commands and resource definitions

To restrict what users can do with CICS® Configuration Manager, you can activate either or both of these security checks:

API commands
Is the user authorized to perform this type of CICS Configuration Manager API command?

For example, ISPF dialog option 2 (CICS Resources) displays a list of CICS configurations. To get this list, the ISPF dialog sends a List API command to the CICS Configuration Manager server, requesting a list of CICS configurations. You can restrict which users can perform this command.

For details on each API command, see Using the SOAP API.

Resource definitions
Is the user authorized to manipulate this resource definition, based on its key values (group, type, and name)?

This security check applies only to the following API commands: Add, Alter, Copy, Create, Delete, Import, Inquire, Remove, Rename, and Update.

Note that this security check does not apply to Migrate (change package migrations). To manage security for change package migrations, you use:

  • API command security checking for the Migrate command (this refers to the name of the migration scheme being used)

    and

  • Optionally, approval profiles

If security checking for API commands is active, then each time the CICS Configuration Manager server receives a request to perform an API command, the server uses the API command name and parameter values to create a system authorization facility (SAF) resource key. We will refer to this as a "security key". The server calls the external security manager (ESM) to determine whether the user has (at least) READ access authority for this security key. If the user does not have this authority, then the CICS Configuration Manager server rejects the API command request.

The CICS Configuration Manager server performs security checking for resource definitions only after the API command request has passed the security check for API commands, or if security checking for API commands is inactive. To perform security checking for resource definitions, the CICS Configuration Manager server creates security keys based on resource definition key values (group, name, and type).

For API commands that act on more than one resource definition, the server performs security checking for each resource definition individually, before acting on that resource definition. Furthermore, for each resource definition, an API command might involve multiple operations, each requiring a security check. For example, for each resource definition, a Copy API command involves two operations, requiring two corresponding security checks:

If the security check fails for a resource definition, then processing continues on to the next resource definition.
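The two-stage authorization flow described above, modelled as an added example (this is illustrative code written for this page, not CICS Configuration Manager code). The external security manager is replaced by a constructed in-memory profile table, and the formats of the security keys (`COMMAND.PARAM...` for API commands, `GROUP.TYPE.NAME` for resource definitions) are assumptions chosen for readability, not the product's real SAF profile names. It shows the points the text makes: the API command check gates the whole request, the resource definition check runs only for the listed commands and only after the command check passes (or is inactive), each resource definition is checked individually, and a failed resource check does not stop processing of the remaining definitions.

```python
"""Model of CICS CM style two-stage SAF authorization (constructed example)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Sequence, Set, Tuple

# Constructed stand-in for the external security manager (ESM): a map of
# profile pattern -> set of user IDs that hold READ access on matching keys.
@dataclass
class FakeESM:
    profiles: Dict[str, Set[str]]

    def has_read(self, user: str, key: str) -> bool:
        # Any matching profile that grants READ is enough for this model.
        return any(fnmatchcase(key, pattern) and user in users
                   for pattern, users in self.profiles.items())


def api_command_key(command: str, params: Sequence[str]) -> str:
    """Security key for an API command (assumed format: COMMAND.PARAM1.PARAM2...)."""
    return ".".join([command.upper(), *(str(p).upper() for p in params)])


def resource_key(group: str, rtype: str, name: str) -> str:
    """Security key for a resource definition (assumed format: GROUP.TYPE.NAME)."""
    return f"{group}.{rtype}.{name}".upper()


# Commands for which the resource definition check applies (from the page).
RESOURCE_CHECKED_COMMANDS = {"Add", "Alter", "Copy", "Create", "Delete",
                             "Import", "Inquire", "Remove", "Rename", "Update"}

Resource = Tuple[str, str, str]  # (group, type, name)


@dataclass
class Server:
    esm: FakeESM
    check_api_commands: bool = True
    check_resources: bool = True

    def authorize(self, user: str, command: str, params: Sequence[str],
                  resources: Sequence[Resource]) -> Tuple[bool, List[Resource], List[Resource]]:
        """Return (command_allowed, allowed_resources, denied_resources)."""
        # Stage 1: API command check. Failure rejects the whole request.
        if self.check_api_commands:
            if not self.esm.has_read(user, api_command_key(command, params)):
                return False, [], list(resources)
        # Stage 2 applies only when active and only to the listed commands
        # (Migrate, for example, is governed by the command check alone).
        if not self.check_resources or command not in RESOURCE_CHECKED_COMMANDS:
            return True, list(resources), []
        allowed: List[Resource] = []
        denied: List[Resource] = []
        for res in resources:
            # Each definition is checked on its own before it is acted on;
            # a failure here moves on to the next definition.
            if self.esm.has_read(user, resource_key(*res)):
                allowed.append(res)
            else:
                denied.append(res)
        return True, allowed, denied


# Constructed profile table and sample request used by the demo below.
DEMO_ESM = FakeESM({
    "LIST.*": {"alice"},
    "UPDATE.*": {"alice", "bob"},
    "MIGRATE.*": {"alice"},
    "PAYROLL.PROGRAM.*": {"alice"},
    "PAYROLL.FILE.*": {"alice", "bob"},
})
DEMO_RESOURCES: List[Resource] = [("PAYROLL", "PROGRAM", "PAYPGM1"),
                                  ("PAYROLL", "FILE", "PAYFILE")]

if __name__ == "__main__":
    server = Server(DEMO_ESM)
    print(server.authorize("bob", "List", ["CICSCONFIGS"], []))
    print(server.authorize("bob", "Update", ["CONFIG1"], DEMO_RESOURCES))
```

Running the demo shows bob's List request rejected at stage 1, while his Update request passes stage 1 and is then allowed for the FILE definition but denied for the PROGRAM definition, with processing continuing past the denial.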




Last updated: Friday, 7 February 2014


http://pic.dhe.ibm.com/infocenter/cicsts/v5r1/topic///ccv-security-api.htm