Security keys for API commands

Here is the format of the security key that the CICS® Configuration Manager server creates to check a user's authority to perform an API command:

Figure 1. Security key that CICS Configuration Manager creates to check whether a user is authorized to perform an API command
Read syntax diagramSkip visual syntax diagram
                                   (1)                                         
>>-prefix--.--+-LIS.-+-object_type-----+-.location_type.-+-location_name-+-+-><
              |      '-ALL-------------'                 +-ALL-----------+ |   
              |                                          '-NONE----------' |   
              +-+-ADD-----+-.object_type.location_type.location_name-------+   
              | |     (2) |                                                |   
              | +-CPY-----+                                                |   
              | +-DIO-----+                                                |   
              | +-INO-----+                                                |   
              | +-NEO-----+                                                |   
              | |     (3) |                                                |   
              | +-REC-----+                                                |   
              | +-REM-----+                                                |   
              | '-REN-----'                                                |   
              +-+-CRE-+-.object_type.location_type.-+-location_name-+------+   
              | +-DEL-+                             '-NONE----------'      |   
              | +-INQ-+                                                    |   
              | '-UPD-'                                                    |   
              +-+-APP-+-.migration_scheme.approval_profile.approver_role---+   
              | '-DIS-'                                                    |   
              +-+-REA-+-.migration_scheme----------------------------------+   
              | +-UNR-+                                                    |   
              | +-MIG-+                                                    |   
              | +-BAC-+                                                    |   
              | +-INS-+                                                    |   
              | +-DSS-+                                                    |   
              | '-NEW-'                                                    |   
              +-IMP.target_CICS_configuration------------------------------+   
              '-DEP.-+-COLLECT.CCONFIG.CICS_configuration-+----------------'   
                     '-REPORT.NONE.NONE-------------------'                    

Notes:
  1. In security keys, the KEYASSOCIATION object type is abbreviated to KEYASSOC.
  2. For the Copy command, location_type and location_name refer to the target location (where the object is being copied to).
  3. For the Recover command, location_type is CCONFIG and location_name is the name of the CICS configuration where the change occurred (stored in the BAImage journal record).

For descriptions of the fields in this key, see API parameters.

To limit the security key length, API command names are abbreviated to three letters:

ADD
Add
ALT
Alter
APP
Approve
BAC
Backout
CPY
Copy
CRE
Create
DEL
Delete
DEP
Deploy
DIO
Discard (an ad hoc selection of resource definitions)
DIS
Disapprove
IMP
Import
INO
Install (an ad hoc selection of resource definitions)
INS
Install (the resource definitions in a change package)
LIS
List
MIG
Migrate
NEO
Newcopy (an ad hoc selection of resource definitions)
NEW
Newcopy (the resource definitions in a change package)
REA
Ready
REC
Recover
REN
Rename
UNR
Unready
UPD
Update

The server calls the external security manager (such as RACF®) to check whether this key matches a general resource profile for which the user has READ access authority. If it does, the server performs the command.

Restricting access to the ISPF dialog:

To start the CICS Configuration Manager ISPF dialog, users must be able to perform a List command for the SvrInfo repository object; for details, see SvrInfo (server information). You can use this requirement to restrict access to the ISPF dialog.