Security Discovery editor
Use the Security Discovery editor to analyze and manage security definitions exported from your external security manager (ESM), optionally with usage data.
You use the Security Discovery editor along with other security discovery support provided by CICS, as part of the security discovery process. For examples of analyzing security definitions using this editor, see Analyzing security definitions using security discovery in CICS documentation.
The Security Discovery editor is part of the CICS Security Discovery perspective. The numbered areas of the editor are:
- 1 is the editor toolbar, which provides operations against the loaded security definitions, for example: analyzing the definitions, loading a security discovery data (SDD) file, filtering on the resource types to show, expanding or collapsing member lists or roles, creating a role or member list.
- 2 is a summary of the shown security definitions.
- 3 is the security definitions table, which is the main area where you work with your security definitions.
- 4 is the application filter section, where you can define an application by identifying the transactions and resources associated with the application.
To reverse one or more of your changes before you save them, click the corresponding toolbar button, or press Ctrl+Z (Cmd+Z on macOS). You can adjust the maximum number of steps that can be reversed in the Preferences window of CICS Explorer®. From the panel, select to find settings for this editor.
To save your changes, click the corresponding toolbar button, or press the shortcut keys Ctrl+S (Cmd+S on macOS). The security definitions are saved into a .sdm binary file, which you can import later to continue with your analysis.
To export your security definitions for review, click the corresponding toolbar button. This saves the security definitions into a security metadata file (.esm), which can be reviewed in a text editor or a code editor that supports YAML for syntax highlighting.
Editor toolbar
- Analyze
- You can create roles by analyzing user access to transactions based on similarity or exact match. For resources, only the best fit analysis is applicable, which creates roles for resource access based on the existing roles created from the transaction analysis.
- Filter resources
- You can filter the resources to be shown in the security definitions table. Analyze transactions first, and then the other resources, one resource type at a time.
- Expand or collapse roles or member lists
- In the security definitions table, the row headers show roles and the users within them. The column headers show member lists and the resources within them. You can collapse or expand the roles or member lists for a better viewing experience.
- Load SDD file
- You can load an SDD file into the grouped security definitions to refine them based on usage.
- Create new roles or member lists
- If needed, you can create roles or member lists to adjust the proposed grouping.
Security definitions table
This table shows the loaded security definitions, including the SDD if any. The security definitions are based on the security metadata generated from your ESM.
In this table, the row headers show roles (user groups) containing users. The column headers show member lists containing resources.
Uppercase letters in the cells indicate defined access; for example, R indicates READ access defined in the security definitions. Lowercase letters indicate actual usage; for example, r indicates that a READ access request was performed at least once while the SDD was being captured in the running CICS region.
Additional permissions that are proposed by the Analyze function are marked by a plus (+) suffix in the cell, for example R+.
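The cell notation above (uppercase for defined access, lowercase for observed usage, a + suffix for access proposed by Analyze) is what makes a least-privilege review possible: a cell that is defined but never used is a candidate for removal, and a cell that is used without a matching definition needs explaining. The following is an added example, not CICS Explorer code; the in-memory grid, the role and member-list names, and the compact cell strings such as "RrU+" are constructed for this illustration and are not the editor's .sdm or .esm format.

```python
"""Classify cells of a security-definitions grid by defined / used / proposed access.

Added example; not part of CICS Explorer. The grid below is constructed sample
data, and the cell-string syntax (letters, optional '+' suffix) is an assumption
made for this example, not the product's file format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CellReport:
    defined: frozenset   # access letters defined in the ESM (uppercase in the cell)
    used: frozenset      # access letters observed in the SDD (lowercase, normalised to upper)
    proposed: frozenset  # access letters proposed by Analyze (uppercase with '+' suffix)


def parse_cell(cell: str) -> CellReport:
    """Parse one cell string, e.g. 'Rr' (READ defined and used) or 'U+' (UPDATE proposed)."""
    defined, used, proposed = set(), set(), set()
    i = 0
    while i < len(cell):
        ch = cell[i]
        i += 1
        if not ch.isalpha():
            raise ValueError(f"unexpected symbol {ch!r} in cell {cell!r}")
        has_plus = i < len(cell) and cell[i] == "+"
        if has_plus:
            i += 1
        if ch.isupper():
            (proposed if has_plus else defined).add(ch)
        else:
            if has_plus:
                raise ValueError(f"usage letter cannot carry '+' in cell {cell!r}")
            used.add(ch.upper())
    return CellReport(frozenset(defined), frozenset(used), frozenset(proposed))


# Constructed sample grid: (role, member list) -> cell string.
GRID = {
    ("PAYROLL_CLERK", "PAYROLL_TRANS"): "Rr",    # READ defined and actually used
    ("PAYROLL_CLERK", "HR_FILES"):      "U",     # UPDATE defined, never used during capture
    ("PAYROLL_CLERK", "AUDIT_LOG"):     "r",     # READ used with no definition shown
    ("PAYROLL_CLERK", "PAYROLL_FILES"): "RrU+",  # READ defined and used, UPDATE proposed
}


def unused_definitions(grid):
    """Access that is defined but never observed: least-privilege removal candidates."""
    out = []
    for (role, mlist), cell in sorted(grid.items()):
        rep = parse_cell(cell)
        extra = rep.defined - rep.used
        if extra:
            out.append((role, mlist, "".join(sorted(extra))))
    return out


def undefined_usage(grid):
    """Access that was observed but is neither defined nor proposed in this grid."""
    out = []
    for (role, mlist), cell in sorted(grid.items()):
        rep = parse_cell(cell)
        gap = rep.used - rep.defined - rep.proposed
        if gap:
            out.append((role, mlist, "".join(sorted(gap))))
    return out


if __name__ == "__main__":
    print("defined but unused:", unused_definitions(GRID))
    print("used but not defined:", undefined_usage(GRID))
```

Usage observed without a matching definition in the grid does not mean the access was ungranted; it usually means the grant comes from a role or member list outside the current filter, which is exactly the kind of gap to resolve before trimming definitions.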
By default, when you hover over a cell within the table, a tooltip shows its basic information. You can toggle it off in the Preferences window of CICS Explorer. From the panel, select to find settings for this editor.
You can use shortcut keys to navigate and work with security definitions in the table. See Shortcut keys.
For more information about security metadata and how to interpret the data in this table, see What is security metadata in CICS documentation.
Application filter
If you have multiple applications in a set of CICS regions, you need to define applications based on their associated transactions and then their resources. This allows you to analyze and manage security definitions application by application, which keeps the process manageable.
In the Application filter pane, you can define an application filter to limit the application transactions to origin transactions and other transactions that were initiated (directly or indirectly) by the origins, and to limit the resources to those used by any of those transactions. For an example, see Defining applications to segment work in CICS documentation.
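The filter described above is a reachability computation: start from the origin transactions, follow initiation links transitively, and then collect the resources used by every transaction reached. The following is an added example, not CICS Explorer code; the initiation graph, the resource-usage map, and the transaction and resource names are constructed for this illustration.

```python
"""Derive an application's transaction and resource sets from origin transactions.

Added example; not part of CICS Explorer. INITIATES and USES are constructed
sample data standing in for what the editor derives from security metadata
and the SDD.
"""
from collections import deque

# Constructed: transaction -> transactions it starts directly.
INITIATES = {
    "PAY1": ["PAY2", "PAY3"],
    "PAY2": ["PAY4"],
    "PAY4": ["PAY2"],   # cycle: the traversal must not loop forever
    "INV1": ["INV2"],
}

# Constructed: transaction -> resources it was observed using.
USES = {
    "PAY1": {"PAYROLL.MASTER"},
    "PAY2": {"PAYROLL.MASTER", "TSQ.PAYTEMP"},
    "PAY3": set(),
    "PAY4": {"PAYROLL.HIST"},
    "INV1": {"INV.STOCK"},
    "INV2": {"INV.STOCK", "TSQ.PAYTEMP"},  # shares a resource with the payroll application
}


def application_transactions(origins, initiates):
    """Origins plus every transaction they initiate, directly or indirectly (BFS)."""
    seen = set(origins)
    queue = deque(origins)
    while queue:
        current = queue.popleft()
        for child in initiates.get(current, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def application_filter(origins, initiates, uses):
    """Return (transactions, resources) for the application rooted at the origins."""
    transactions = application_transactions(origins, initiates)
    resources = set()
    for tran in transactions:
        resources |= uses.get(tran, set())
    return transactions, resources


if __name__ == "__main__":
    trans, res = application_filter(["PAY1"], INITIATES, USES)
    print("payroll transactions:", sorted(trans))
    print("payroll resources:", sorted(res))
```

A resource used by transactions in more than one application (TSQ.PAYTEMP above) appears in each application's filter; reviewing such shared resources separately avoids granting one application's roles access that only the other application needs.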