Use the Security Discovery editor to analyze and manage security
definitions exported from your external security manager (ESM), optionally with usage data.
A breakdown of the editor is as follows:
Figure 1. Breakdown of Security Discovery editor
1 is the editor toolbar, which provides
operations against the loaded security definitions, for example: analyzing the definitions, loading
a security discovery data (SDD) file, filtering on the resource types to show, expanding or
collapsing member lists or roles, creating a role or member list.
2 is a summary of the shown security definitions.
3 is the security definitions table, which is the main area where you work with your security
definitions.
4 is the application filter section where you can define an application by identifying the
transactions and resources that are associated with the application.
To reverse one or more of your changes before you save them, click Edit > Undo, or press Ctrl+Z (Cmd+Z on macOS). You can adjust the maximum number of steps that can be reversed in the Preferences window of CICS Explorer®. From the panel, select Explorer > Security Discovery Editor to find the settings for this editor.
You can also amend the maximum length of the member list name. This value can be set within the range 1-246 and has a default value of 8. Before changing it, check the maximum member list name length that is configured for RACF by the ICHERCDE macro. For more information, see ICHERCDE macro.
Figure 2. Security Discovery editor settings in Preferences window
To save your changes, click File > Save, or press the shortcut keys Ctrl+S (Cmd+S on macOS). The security definitions are saved into a .sdm binary file, which you can import later to continue with your analysis.
To export your security definitions for review, use the process to Export ESM data.
Editor toolbar
Mainly you can conduct the following operations against the loaded security definitions:
Analyze
You can create roles by analyzing user access to transactions based on similarity or exact
match.
For resources, only the best fit analysis is applicable, which creates roles for resource
access based on existing roles created from the transaction analysis.
Filter resources
You can filter the resources to be shown in the security definitions table. You need to analyze transactions first, and then the other resources, one resource type at a time.
Expand or collapse roles or member lists
In the security definitions table, the row headers show roles and the users within them. The column headers show member lists and the resources within them. You can collapse or expand the roles or member lists for a better viewing experience.
Load SDD file
You can load an SDD file into the grouped security definitions to refine them based on
usage.
Create new roles or member lists
If needed, you can create roles or member lists to adjust the proposed grouping.
Security definitions table
This table shows the loaded security definitions, including the SDD if any. The security
definitions are based on the security metadata generated from your ESM.
In this table, the row headers show roles (user groups) containing users. The column headers show
member lists containing resources.
Uppercase letters in the cells indicate access, for example, R indicates READ permission is
defined in the security definitions. Lowercase letters indicate actual usage. For example, the r
symbol indicates that a READ access request was performed at least once while SDD was being captured
in the running CICS region.
Additional permissions that are proposed by the Analyze function are
marked by a plus (+) suffix in the cell, for example R+.
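The cell notation above (uppercase = defined, lowercase = used, + = proposed) is what you compare when refining definitions against usage. The following is an added example, not code from CICS Explorer or this page: it parses cells in that notation and lists the least-privilege findings a reviewer would check, assuming (which the page does not state) that one cell can hold several tokens side by side, and using a constructed sample table.

```python
import re

# Cell notation, as this page describes it: an uppercase letter means the access is
# defined in the ESM security definitions (R = READ), a lowercase letter means the
# access was actually used while the SDD was captured (r), and a '+' suffix marks an
# additional permission proposed by Analyze (R+).
# ASSUMPTION (not stated on the page): a cell may hold several tokens side by side,
# for example "Rr" or "RU+".
TOKEN = re.compile(r"([A-Za-z])(\+?)")

def parse_cell(cell):
    """Split one cell into (defined, used, proposed) sets of uppercase access letters."""
    defined, used, proposed = set(), set(), set()
    for letter, plus in TOKEN.findall(cell):
        if plus:
            proposed.add(letter.upper())
        elif letter.isupper():
            defined.add(letter)
        else:
            used.add(letter.upper())
    return defined, used, proposed

def review_cell(role, member_list, cell):
    """Return least-privilege findings for one role/member-list cell."""
    defined, used, proposed = parse_cell(cell)
    where = f"{role}/{member_list}"
    findings = []
    for a in sorted(defined - used):
        findings.append(f"{where}: {a} defined but never used during SDD capture; review before keeping it")
    for a in sorted(used - defined):
        findings.append(f"{where}: {a} used but not defined here; check how the request was authorized")
    for a in sorted(proposed):
        findings.append(f"{where}: {a}+ proposed by Analyze; confirm the grouping really needs it")
    return findings

def review_table(table):
    """table is {role: {member_list: cell}}; returns findings for the whole table."""
    out = []
    for role, row in table.items():
        for member_list, cell in row.items():
            out.extend(review_cell(role, member_list, cell))
    return out

# Constructed sample table (not real data): two roles, two member lists.
SAMPLE = {
    "ROLE_PAYROLL": {"ML_PAYTRAN": "Rr", "ML_PAYFILE": "RU"},
    "ROLE_REPORTS": {"ML_PAYTRAN": "r", "ML_PAYFILE": "RU+"},
}

if __name__ == "__main__":
    for line in review_table(SAMPLE):
        print(line)
```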
By default, when you hover over a cell within the table, a tooltip shows its basic information. You can toggle it off in the Preferences window of CICS Explorer. From the panel, select Explorer > Security Discovery Editor to find the settings for this editor.
You can use shortcut keys to navigate and work with security definitions in the table. See Shortcut keys.
If you have multiple applications in a set of CICS regions, you might want to define applications
based on their associated transactions and then resources. This allows you to analyze and manage
security definitions application by application, making the process manageable.
In the Application filter pane, you can define an application filter
to limit the application transactions to origin transactions and other transactions that were
initiated (directly or indirectly) by the origins, and to limit the resources to those used by any
of those transactions. For an example, see Defining applications to segment work in CICS documentation.
Export ESM data
Select Export > Export Security Discovery. This opens the export dialog, which, once all options are selected, saves the security definitions into a security metadata file (.esm). The file can be reviewed in a text editor or in a code editor that supports YAML syntax highlighting.
In the initial export dialog shown in Figure 3, you have the following options:
The Filename field offers you a Browse option to determine where, and under what name, your exported file is saved.
The Resource types checklist filters your processed definitions to a
selected subset.
The Filter strategy that you select determines the next screen and the
subsequent filters you can apply to your SDD. If no application filters exist, the option is
deselected.
Filter by member lists
Select the member lists you require for export, which automatically selects the related roles.
Figure 4. Security discovery filter by member list
Filter by roles
Select the roles you require for export, which automatically selects the related member lists.
Figure 5. Security discovery filter by role
Filter using an existing application filter
Select one of the previously defined Application filter items to use for the export.
Figure 6. Security discovery application filter selection
Export summary screen
Once you have processed your selected filter, a summary of the items selected for export is
displayed as shown in Figure 7.
You can choose to Include unresolved users and ungrouped
resources if you need to include that data. This does not apply if you use an
application filter.
To complete the export, select Finish to export your selected data.
Figure 7. Security discovery data export summary