Defining CICS BAC FACILITY class profiles

You use the RACF RDEFINE command to define FACILITY general resource class profiles, and the PERMIT command to grant and restrict access to resources based on a user ID or RACF group. If you do not have access to the RACF security database to create the required profiles yourself, ask your security administrator to create them for you using the information you provide, based on the information in this chapter. For more information about RACF security, see the z/OS Security Server RACF Security Administrator's Guide, SA22-7683, and the z/OS Security Server RACF Command Language Reference, SA22-7687.

Using the information about the structure of CICS BAC resource names explained in the previous topic, you can define the required FACILITY class resource profiles for all your CICS BAC resources using the RACF RDEFINE command as follows:

RDEFINE FACILITY $CBK.applid.accessType.objectType.objectName UACC(NONE)

where applid, accessType, objectType, and objectName are as defined in CICS BAC resource names.

When you have defined in this way all the CICS BAC resources to which you need to control access, the next step is to give specific user IDs or group IDs permission to access these resources. Typically, these will be the user IDs that are specified on a batch request utility job, a file maintenance utility job, the user IDs of users of the workstation administration client, or the TSO user of the ISPF administration interface. The UACC of NONE ensures that only the users specifically authorized are able to access your CICS BAC resources.

Examples of FACILITY class definitions

This section provides some illustrations of FACILITY class definitions, with two examples of different access levels for two different groups. The examples are based on a CICS region with applid CICSPROD, in which you need to permit two groups of users different levels of access to objects in the CICS region control file.

The first step, for both examples, is to disallow all accesses within CICSPROD as a default by issuing the following RACF RDEFINE command:

RDEFINE FACILITY $CBK.CICSPROD.** UACC(NONE)

Example 1

With all access to CICSPROD resources denied by default, you can grant the APPLDEV group the access it requires.

RDEFINE FACILITY $CBK.CICSPROD.ADMIN.** UACC(NONE)

This profile is specific to the ADMIN object type and takes precedence over the generic CICSPROD profile defined above. Using this profile you can grant the access required by the APPLDEV group using the following command.

PERMIT $CBK.CICSPROD.ADMIN.** CLASS(FACILITY) ID(APPLDEV) ACCESS(UPDATE)

Example 2

To enable the PRODOPS group to execute commands, define the profile that is specific to the EXECUTE object type, which takes precedence over the generic CICSPROD profile defined earlier.

RDEFINE FACILITY $CBK.CICSPROD.EXECUTE.** UACC(NONE)

Using both this profile and the one defined in Example 1, you can now grant the PRODOPS group update access to the EXECUTE profile and read-only access to the ADMIN profile:

PERMIT $CBK.CICSPROD.EXECUTE.** CLASS(FACILITY) ID(PRODOPS) ACCESS(UPDATE)
PERMIT $CBK.CICSPROD.ADMIN.** CLASS(FACILITY) ID(PRODOPS) ACCESS(READ)
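As an added illustration of why the two examples work (this is not part of the original documentation and is not RACF code), the following Python model loads the three profiles and PERMITs defined above and resolves a FACILITY check the way the text describes: the most specific matching profile wins, and anyone not in its access list falls back to its UACC of NONE. The object-type and object-name qualifiers used in the checks (RULE, PAY01) and the TESTGRP group are constructed placeholders, and the "longest literal prefix wins" rule is a simplification of RACF's actual generic-profile matching.

```python
"""Simplified model of a RACF FACILITY class check against the CICS BAC
profiles defined on this page. Constructed example, not RACF itself."""

# Access authorities in ascending order (EXECUTE omitted; not used here)
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Profiles from the page: name -> (UACC, {ID: ACCESS from PERMIT})
PROFILES = {
    "$CBK.CICSPROD.**":         ("NONE", {}),
    "$CBK.CICSPROD.ADMIN.**":   ("NONE", {"APPLDEV": "UPDATE", "PRODOPS": "READ"}),
    "$CBK.CICSPROD.EXECUTE.**": ("NONE", {"PRODOPS": "UPDATE"}),
}

def profile_matches(profile, resource):
    """Generic matching: '**' covers zero or more trailing qualifiers,
    '*' covers exactly one qualifier, anything else must match literally."""
    p, r = profile.split("."), resource.split(".")
    for i, q in enumerate(p):
        if q == "**":
            return True                      # remainder of the name is covered
        if i >= len(r) or (q != "*" and q != r[i]):
            return False
    return len(p) == len(r)

def best_profile(resource):
    """Most specific matching profile, approximated here as the one with the
    longest literal prefix before its '**' (None if nothing covers it)."""
    matches = [n for n in PROFILES if profile_matches(n, resource)]
    if not matches:
        return None
    return max(matches, key=lambda n: len(n.split("**")[0]))

def access_allowed(resource, group, requested):
    """True if `group` holds at least `requested` authority to `resource`.
    A resource with no covering profile is treated as denied in this model
    (assumption; RACF itself reports such a resource as unprotected)."""
    name = best_profile(resource)
    if name is None:
        return False
    uacc, acl = PROFILES[name]
    granted = acl.get(group, uacc)           # not on the access list -> UACC
    return LEVELS.index(granted) >= LEVELS.index(requested)
```

On a real system the `**` profiles shown above require generic profile checking to be active for the class (SETROPTS GENERIC(FACILITY)), and if FACILITY is RACLISTed the new profiles and PERMITs take effect only after SETROPTS RACLIST(FACILITY) REFRESH.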