CICS resources and commands used by the CICS Configuration Manager server

The CICS® Configuration Manager server uses the CICS resources and CICS commands described below. If your site uses system authorization facility (SAF) classes to protect access to CICS resources or CICS commands, then you need to modify your external security manager (ESM) definitions to grant the required level of access to the appropriate user IDs:

CICS-supplied transactions CWBA and CWXN
The appropriate user ID (as described above) must have the authority to invoke CWBA. The CICS region user ID of the region that is running the CICS Configuration Manager server must have the authority to invoke CWXN.
Statically defined resources
The group CCV210, in the CSD file for the CICS region running the CICS Configuration Manager server, contains resource definitions required by the CICS Configuration Manager server. These include (but are not restricted to) files, programs, and transactions. For a comprehensive list, either view the resource definitions in the group CCV210 (if you already have CICS Configuration Manager installed), or browse the member CCVXCSDD of the sample library SCCVSAMP.

These are the security rules for CCVx transactions:

CCVA, CCVC, CCVR, CCVT
CICS Configuration Manager "user" transactions. The CICS Configuration Manager server invokes these transactions under the authority of the client user that sent the request:
  • For clients that connect to the server via an unauthenticated port, the CICS default user ID of the CICS region must have the authority to invoke these transactions.
  • For clients that connect to the server via an authenticated port, all users of the CICS Configuration Manager client must have the authority to invoke these transactions.
CCVI
CICS Configuration Manager server initialization transaction. The user, or users, that require the authority to invoke this transaction depends on how you choose to start the CICS Configuration Manager server:
  • If you have added the server initialization program CCVIINIT to the PLTPI, then the user ID that runs PLTPI programs must have the authority to invoke the transaction CCVI. This user ID is either the user ID specified by the PLTPIUSR system initialization parameter or, if you do not specify PLTPIUSR, the CICS region user ID. This user ID needs the authority to invoke transaction CCVI because, although CICS runs all PLTPI programs under the CICS internal transaction CPLT, the program CCVIINIT invokes transaction CCVI to complete potentially long-running tasks after the CICS region has started. For more information on starting the CICS Configuration Manager server via the PLTPI, see Optional: Update the PLTPI.
  • If you have chosen not to start the CICS Configuration Manager server via the PLTPI, then the user ID that starts the CICS Configuration Manager server, either by running the program CCVIINIT or invoking the transaction CCVI, must have the authority to invoke the transaction CCVI.

You can also invoke transaction CCVI from a CICS terminal to re-initialize the CICS Configuration Manager server while the server CICS region is active: for example, to change which ports the server listens to for clients, without restarting the server CICS region. In this case, the user of the CICS terminal (for example, the CICS Configuration Manager administrator) must have the authority to invoke CCVI. For details, see Define CICS Configuration Manager system options.

CCVW
CICS Configuration Manager server background clean-up process. This has the same security requirements as CCVI, except that there is no requirement for CICS Configuration Manager administrators to be able to invoke this transaction.
CCVS
CICS Configuration Manager server trace facility. Required only by administrators, if requested by IBM® to capture a CICS Configuration Manager trace for problem determination.
CCVB
Currently unused.

The supplied group CCV210 includes replacements for the CICS-supplied transactions CEDA, CEDB, and CEDC that call DFHEDAP. The replacement versions allow you to use these transactions without conflicting with the CICS Configuration Manager server for access to the server region's CSD file. However, it is recommended that you no longer use CEDA, CEDB, and CEDC at all; neither the CICS-supplied originals nor these replacements. Instead, use CICS Configuration Manager to maintain your resource definitions.

For details on the level of access required for file resources, see the values of the associated attributes (such as Add, Browse, Delete, Read, and Update) in the file resource definitions.

Dynamically defined resources
The CICS Configuration Manager server dynamically defines the following resource definitions as required:
CCVRnnnn files
For each CSD-based CICS configuration defined in the CICS Configuration Manager repository, the CICS Configuration Manager server dynamically defines a file resource that refers to the appropriate CSD file. The CICS Configuration Manager server uses these file resources only to read CSD files. To update CSD files, the CICS Configuration Manager server uses Start of changeeither the CICS-supplied DFHEDAP program or CICS system programming interface (SPI) commands.End of change
EXnn and IMnn transient data queues
To write to an export file, the CICS Configuration Manager server dynamically defines a TDQueue named EXnn (nn: 0099). To read from an export file, it dynamically defines a TDQueue named IMnn. EX indicates "export" (write), IM indicates "import" (read).
CCV* temporary storage queues
The CICS Configuration Manager server dynamically defines TSQueues for various processing tasks.
TCP/IP services
During initialization, the CICS Configuration Manager server dynamically defines a TCPIPService for each of the IP ports that you have specified you want the server to listen to. For details, see Define CICS Configuration Manager system options.
Application and system programming commands
The CICS Configuration Manager server uses various CICS application and system programming commands.

The CICS Configuration Manager server does not define resource definitions for user exit programs. You must define these resources yourself, or have CICS autoinstall them for you.

Start of change

Data set security

The CICS Configuration Manager server region user ID must have update access to the data sets named by the following CICS file resources:

Also, if you use CICS file resource security checking (CICS system initialization parameter XFCT=YES or name, rather than XFCT=NO), then each user of a CICS Configuration Manager client must have update access to these data sets.

End of change