Security administrator only

Define security rules in RACF

The following steps assume that you have not yet defined any security rules for CICS® Configuration Manager, and that the CICS Configuration Manager system option for API command security checking is inactive. (Security checking is inactive by default. To check whether it is active or inactive, go to CICS Configuration Manager primary menu option 1.1 System Options.)

If you are already using CICS Configuration Manager with security checking, then ignore any of the steps below that you have already performed.

These steps specify CICS Configuration Manager general resource profiles with a prefix of CCVAPI. Feel free to specify a different prefix.

In RACF®:

  1. Define a general resource profile to allow all users access to all CICS Configuration Manager API commands:
    CCVAPI.**

    Give this profile a universal access authority (UACC) of READ.

    This profile is for temporary use, until you define a more specific set of security rules for restricting access to API commands. For now, this profile allows you to activate security checking in CICS Configuration Manager, and then continue to perform API commands as if security checking were still inactive, except those API commands for which there are more specific profiles. We are about to define some specific profiles for Approve and Disapprove API commands.

  2. Define the following six general resource profiles:
    CCVAPI.APP.TOURDT.PROJMAN
    CCVAPI.DIS.TOURDT.PROJMAN
    
    CCVAPI.APP.TOURDT.QATEAM
    CCVAPI.DIS.TOURDT.QATEAM
    
    CCVAPI.APP.TOURDT.APPDEV
    CCVAPI.DIS.TOURDT.APPDEV

    Give these profiles a UACC of NONE.

  3. Define three group profiles: TOURPJ, TOURQA, and TOURAD.
  4. Add the group profiles to the access lists of the appropriate general resource profiles, as shown in Figure 1.
  5. Add one or more users to each group profile.

    In the steps that follow, you will test these new security rules. There are several ways to do this. To perform the testing yourself, consider temporarily adding your own user ID to each of the three group profiles, so that you can represent all three approver roles without logging on under different user IDs.


Information Information

Feedback


Timestamp icon Last updated: Friday, 7 February 2014


http://pic.dhe.ibm.com/infocenter/cicsts/v5r1/topic///ccv-tutorial-3-010.htm
End of Security administrator only