Working with CICS security

CICS Explorer® provides various functions to support troubleshooting and managing CICS security.

Security request recording (SRR)

Use SRR to diagnose CICS® security issues. SRR extends the assistance that some messages provide by recording security data so that you can better understand security issues that you might encounter in CICS.

Security issues can include various aspects:
  • Problems might extend across one or more regions, one or more LPARs, or even multiple sysplexes.
  • There might not be any messages that are associated with the cause of a security failure.
  • An application might grant access to something that it must not.

SRR is designed to help you solve these complex security problems. For example, a support person can add a security request recording and ask the system programmer to review the results to determine whether any security configuration needs adjusting.

For a use case of SRR, see Diagnosing access issues with security request recording (SRR).

Support for CICS security discovery

To migrate to a zero trust strategy, consider using CICS security discovery to identify the security definitions that are required for resource security. Security discovery does this by analyzing your existing external security manager (ESM) definitions and the usage pattern of resources in your production regions. You can then manage and refine your security definitions based on its recommendations. For more information about security discovery, see How it works: CICS security discovery in CICS documentation.

CICS Explorer provides the following capabilities to support CICS security discovery:
  • CICS Security Discovery perspective: Contains the Security Discovery editor and the Security Discovery Details view for the analysis of security definitions.
  • Security Discovery editor: Analyzes and groups security definitions exported from your ESM based on their similarity pattern, optionally with usage data (security discovery data). Before using this editor, you must increase the Java heap size for the Security Discovery editor.
  • Security Discovery Details view: Shows details about the element that is selected in the Security Discovery editor, as well as its relationships with other definitions. For example, if you select a user who is in a role, the Security Discovery Details view shows other roles that the user also belongs to.
  • Security Discovery Records view: This is an SM Operations view. In the Security Discovery Records (SECDISC) view, you can view the status of security discovery, configure the behavior of security discovery, and write out security discovery data (SDD) immediately. This view equates to the set of SECDISCOVERY commands in CICS.

For examples of using these functions in CICS Explorer, see Analyzing security definitions using security discovery in CICS documentation.