Start of change

Requirements for a resource class for security checking

You can use different resource classes for the two types of CICS® Configuration Manager security check (API commands and resource definitions), or use the same class for both. XFACILIT is a commonly used IBM-supplied resource class that is suitable for both types of security check.

If you decide to use a resource class other than XFACILIT, you need to consider the following requirements:

Security key length
The maximum security key length required by the supplied CICS Configuration Manager ISPF dialog and batch client interfaces depends on the length of the security key prefix that you specify. If you limit the security key prefix to 3 characters, then these interfaces require a maximum security key length of 39 characters, allowing you to use the IBM-supplied class FACILITY for CICS Configuration Manager security checking. The FACILITY class is similar to XFACILIT, but only supports resource names up to 39 characters, while XFACILIT supports up to 246 characters. For this reason, XFACILIT is preferable to FACILITY.

If you specify the FACILITY class for CICS Configuration Manager security checking for resource definition keys, the security key prefix must not exceed 3 characters.

If an API command refers to resource definitions, the security key for the API command includes the location of the resource definitions as specified by the API command. API command requests from the supplied CICS Configuration Manager ISPF dialog and batch client interfaces exclusively use CICS configuration names, never CSD file names, to specify the location of resource definitions.

If you develop a custom client interface, you can create API command requests that specify a CSD file name as the location of resource definitions. Security keys that include a CSD file name (up to 44 characters) can be longer than security keys that include a CICS configuration name (up to 8 characters). In this case, you need to choose or create a resource class that supports longer keys: up to 75 characters, if you limit the security prefix to 3 characters. You can also configure an optional security exit that is invoked before and after each SAF call. See the skeleton exit supplied in the CCVX0001 member of the sample library SCCVSAMP.

Special characters
The resource class that you use for resource definition key security checks must allow special characters. The security key that the CICS Configuration Manager server creates for these security checks includes the resource definition name; for some resources, such as transactions, the name can include special characters. For example, if you define a new resource class using the RACF command RDEFINE, then specify the following parameter:
CDTINFO(FIRST(ALPHA,NATIONAL,NUMERIC,SPECIAL),
        OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL)
        …)

The IBM-supplied resource classes XFACILIT and FACILITY allow special characters.

Instead of using XFACILIT or FACILITY, both of which might be used by other products, you might choose to define a resource class specifically for CICS Configuration Manager. For details, see the members named CCVXSAFx in the sample library SCCVSAMP. For example, to define a suitable resource class in a RACF® environment, see sample member CCVXSAF1.


Information Information

Feedback


Timestamp icon Last updated: Friday, 7 February 2014


http://pic.dhe.ibm.com/infocenter/cicsts/v5r1/topic///ccv-security-resource-class.htm
End of change