Security Discovery editor

Use the Security Discovery editor to analyze and manage security definitions exported from your external security manager (ESM), optionally with usage data.

You use the Security Discovery editor along with other security discovery support provided by CICS, as part of the security discovery process. For examples of analyzing security definitions using this editor, see Analyzing security definitions using security discovery in CICS documentation.

The Security Discovery editor comes with the CICS Security Discovery perspective.

A breakdown of the editor is as follows:
Figure 1. Breakdown of Security Discovery editor
[Screen capture of the Security Discovery editor]
  •  1  is the editor toolbar, which provides operations against the loaded security definitions, for example analyzing the definitions, loading a security discovery data (SDD) file, filtering the resource types to show, expanding or collapsing member lists or roles, and creating a role or member list.
  •  2  is a summary of the security definitions that are shown.
  •  3  is the security definitions table, the main area where you work with your security definitions.
  •  4  is the application filter section, where you define an application by identifying the transactions and resources associated with it.

To reverse one or more of your changes before you save them, click Edit > Undo, or press Ctrl+Z (Cmd+Z on macOS). You can adjust the maximum number of steps that can be reversed in the Preferences window of CICS Explorer®. In that window, select Explorer > Security Discovery Editor to find the settings for this editor.

Figure 2. Security Discovery editor settings in Preferences window
[Screen capture of the Preferences window of CICS Explorer]

To save your changes, click File > Save, or press Ctrl+S (Cmd+S on macOS). The security definitions are saved into a .sdm binary file, which you can import later to continue your analysis.

To export your security definitions for review, click File > Export ESM file. This saves the security definitions into a security metadata file (.esm), which can be reviewed in a text editor or in a code editor that supports YAML syntax highlighting.

Editor toolbar

You can perform the following operations against the loaded security definitions:
Analyze (Analyze icon)
You can create roles by analyzing user access to transactions, based on either similarity or exact match.

For resources, only the best fit analysis is applicable. It creates roles for resource access based on the roles already created from the transaction analysis.

Filter resources (Filter resources icon)
You can filter the resources to be shown in the security definitions table. You need to analyze transactions first, and then other resources, one resource type at a time.
Expand or collapse roles (Roles icon) or member lists (Member lists icon)
In the security definitions table, the row headers show roles and the users within them. The column headers show member lists and the resources within them. You can collapse or expand the roles or member lists for a better viewing experience.
Load SDD file (Load SDD File icon)
You can load an SDD file into the grouped security definitions to refine them based on actual usage.
Create new roles (Create role icon) or member lists (Create member list icon)
If needed, you can create roles or member lists to adjust the proposed grouping.

Security definitions table

This table shows the loaded security definitions, including the SDD if any. The security definitions are based on the security metadata generated from your ESM.

In this table, the row headers show roles (user groups) containing users. The column headers show member lists containing resources.

Uppercase letters in the cells indicate access, for example, R indicates READ access defined in the security definitions. Lowercase letters indicate actual usage. For example, the r symbol indicates that a READ access request was performed at least once while SDD was being captured in the running CICS region.

Additional permissions that are proposed by the Analyze function are marked by a plus (+) suffix in the cell, for example R+.
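As an added example (not part of CICS Explorer or its documentation), the following Python scripts the review that these marks support: it reads each cell as a string of marks, which is an assumed representation, and lists access that is defined but never observed, observed but not defined, and proposed by Analyze. The roles, member lists and cell values are constructed.

```python
# Added example, not part of the CICS Explorer product. ASSUMPTIONS (constructed for
# this example): a cell is a string concatenating its marks, e.g. "Rr" = READ defined and
# observed, "R" = defined but never observed, "r" = observed but not defined, "R+" = READ
# proposed by Analyze. The editor itself only shows these marks in its table.


def parse_cell(cell: str) -> tuple:
    """Split a cell into (defined, used, proposed) access letters, all upper case."""
    defined, used, proposed = set(), set(), set()
    i = 0
    while i < len(cell):
        ch = cell[i]
        if ch.isupper():
            if cell[i + 1:i + 2] == "+":          # "R+": proposed, not yet defined
                proposed.add(ch)
                i += 2
                continue
            defined.add(ch)                       # "R": defined in the ESM
        elif ch.islower():
            used.add(ch.upper())                  # "r": observed while the SDD was captured
        elif not ch.isspace():
            raise ValueError(f"unexpected mark {ch!r} in cell {cell!r}")
        i += 1
    return frozenset(defined), frozenset(used), frozenset(proposed)


def review_table(table: dict) -> list:
    """table maps role -> member list -> cell. Returns (role, member_list, finding, letters)."""
    findings = []
    for role, row in table.items():
        for member_list, cell in row.items():
            defined, used, proposed = parse_cell(cell)
            checks = (
                ("defined-not-used", defined - used),   # least-privilege removal candidates
                ("used-not-defined", used - defined),   # access exercised without a matching definition
                ("proposed", proposed),                 # Analyze suggestions awaiting a decision
            )
            for kind, letters in checks:
                if letters:
                    findings.append((role, member_list, kind, "".join(sorted(letters))))
    return findings


# Constructed sample: roles are row headers, member lists are column headers.
# "U" is assumed here to denote UPDATE access; the page itself only names R (READ).
SAMPLE_TABLE = {
    "PAYROLL_CLERKS": {"PAY_TRANS": "Rr", "PAY_FILES": "U", "HR_FILES": "R+"},
    "AUDITORS": {"PAY_TRANS": "R", "PAY_FILES": "r"},
}
```

Calling review_table(SAMPLE_TABLE) returns four findings: two definitions never exercised, one READ observed for AUDITORS on PAY_FILES without a definition, and the proposed READ on HR_FILES.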

By default, when you hover over a cell within the table, a tooltip shows its basic information. You can turn the tooltip off in the Preferences window of CICS Explorer. In that window, select Explorer > Security Discovery Editor to find the settings for this editor.

You can use shortcut keys to navigate and work with security definitions in the table. See Shortcut keys.

For more information about security metadata and how to interpret the data in this table, see What is security metadata in CICS documentation.

Application filter

If you have multiple applications in a set of CICS regions, you need to define each application by its associated transactions first, and then by the resources those transactions use. This allows you to analyze and manage security definitions application by application, which keeps the process manageable.

In the Application filter pane, you can define an application filter to limit the application transactions to origin transactions and other transactions that were initiated (directly or indirectly) by the origins, and to limit the resources to those used by any of those transactions. For an example, see Defining applications to segment work in CICS documentation.