Security Discovery editor

Use the Security Discovery editor to analyze and manage security definitions exported from your external security manager (ESM), optionally with usage data.

You use the Security Discovery editor along with other security discovery support that is provided by CICS, as part of the security discovery process. For examples of analyzing security definitions by using this editor, see Analyzing security definitions using security discovery in CICS documentation.

The Security Discovery editor comes with the CICS Security Discovery perspective.

A breakdown of the editor is as follows:
Figure 1. Breakdown of the Security Discovery editor (screen capture)
  • 1 is the editor toolbar, which provides operations against the loaded security definitions, for example: analyzing the definitions, loading a security discovery data (SDD) file, filtering on the resource types to show, expanding or collapsing member lists or roles, and creating a role or member list.
  • 2 is a summary of the shown security definitions.
  • 3 is the security definitions table, which is the main area where you work with your security definitions.
  • 4 is the application filter section, where you can define an application by identifying the transactions and resources that are associated with it.

To reverse one or more of your changes before you save them, click Edit > Undo, or press Ctrl+Z (Cmd+Z on macOS). You can adjust the maximum number of steps that can be reversed in the Preferences window of CICS Explorer®. In that window, select Explorer > Security Discovery Editor to find the settings for this editor.

You can also change the maximum length of a member list name. The value can be set in the range 1-246 and defaults to 8. Before you change it, check the maximum member list name length that is defined for RACF by the ICHERCDE macro. For more information, see ICHERCDE macro.

Figure 2. Security Discovery editor settings in the Preferences window of CICS Explorer

To save your changes, click File > Save, or press the shortcut keys Ctrl+S (Cmd+S on macOS). The security definitions are saved into a .sdm binary file, which you can import later to continue your analysis.

To export your security definitions for review, use the process to Export ESM data.

Editor toolbar

You can perform the following operations against the loaded security definitions:
Analyze (Analyze icon)
You can create roles by analyzing user access to transactions based on similarity or exact match.

For resources, only the best fit analysis is applicable, which creates roles for resource access based on existing roles created from the transaction analysis.

Filter resources (Filter resources icon)
You can filter the resources to be shown in the security definitions table. You need to analyze transactions first, and then the other resources, one resource type at a time.
Expand or collapse roles (Roles icon) or member lists (Member lists icon)
In the security definitions table, the row headers show roles and the users within them. The column headers show member lists and the resources within them. You can collapse or expand the roles or member lists for a better view.
Load SDD file (Load SDD File icon)
You can load an SDD file into the grouped security definitions to refine them based on usage.
Create new roles (Create role icon) or member lists (Create member list icon)
If needed, you can create roles or member lists to adjust the proposed grouping.

Security definitions table

This table shows the loaded security definitions, including the SDD if any. The security definitions are based on the security metadata generated from your ESM.

In this table, the row headers show roles (user groups) containing users. The column headers show member lists containing resources.

Uppercase letters in the cells indicate access, for example, R indicates that READ permission is defined in the security definitions. Lowercase letters indicate actual usage. For example, the r symbol indicates that a READ access request was performed at least once while the SDD was being captured in the running CICS region.

Additional permissions that are proposed by the Analyze function are marked by a plus (+) suffix in the cell, for example R+.
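As an added illustration (not code from the CICS Explorer documentation), the following Python reads the cell notation described above from a constructed grid and lists permissions that are defined but were never used during capture, alongside those the Analyze function proposes; the sample grid and the multi-letter cell form (for example "Rr") are assumptions.

```python
"""Added example, not part of the CICS Explorer documentation: interpret the
cell notation of the security definitions table and list least-privilege
candidates.  The grid is constructed sample data; reading a cell that holds
several letters (for example "Rr") as one cell is an assumption."""
import re
from dataclasses import dataclass

# Cell syntax from the page: an uppercase letter is access defined in the ESM
# (R = READ), a lowercase letter is access actually used while the SDD was
# captured, and a '+' suffix marks access proposed by the Analyze function.
CELL_RE = re.compile(r"^([A-Za-z]*)(\+?)$")

@dataclass(frozen=True)
class Cell:
    defined: frozenset   # codes defined in the security definitions
    used: frozenset      # codes observed in the SDD (normalised to uppercase)
    proposed: frozenset  # codes proposed by Analyze (cell carried a '+')

def parse_cell(text: str) -> Cell:
    """Split a cell such as 'R', 'r', 'Rr' or 'R+' into its three parts."""
    m = CELL_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised cell: {text!r}")
    letters, plus = m.groups()
    upper = frozenset(c for c in letters if c.isupper())
    used = frozenset(c.upper() for c in letters if c.islower())
    # With a '+' the uppercase letters are proposals, not existing permits.
    return Cell(frozenset() if plus else upper, used, upper if plus else frozenset())

def review_grid(grid):
    """Return (unused, proposed): defined-but-never-used permissions, which are
    candidates for removal, and permissions the Analyze function proposes."""
    unused, proposed = [], []
    for role, row in grid.items():
        for member_list, text in row.items():
            cell = parse_cell(text)
            unused += [(role, member_list, c) for c in sorted(cell.defined - cell.used)]
            proposed += [(role, member_list, c) for c in sorted(cell.proposed)]
    return unused, proposed

# Constructed sample: roles (row headers) x member lists (column headers).
SAMPLE_GRID = {
    "ROLE1": {"PAYROLL_TXNS": "Rr", "PAYROLL_FILES": "R", "AUDIT_FILES": "R+"},
    "ROLE2": {"PAYROLL_TXNS": "Rr", "PAYROLL_FILES": "", "AUDIT_FILES": "Rr"},
}

if __name__ == "__main__":
    unused, proposed = review_grid(SAMPLE_GRID)
    print("defined but never used:", unused)
    print("proposed by Analyze:", proposed)
```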

By default, when you hover over a cell within the table, a tooltip shows its basic information. You can toggle it off in the Preferences window of CICS Explorer. From the panel, select Explorer > Security Discovery Editor to find settings for this editor.

You can use shortcut keys to navigate and work with security definitions in the table. See Shortcut keys.

For more information about security metadata and how to interpret the data in this table, see What is security metadata in CICS documentation.

Application filter

If you have multiple applications in a set of CICS regions, you might want to define applications based on their associated transactions and then resources. This allows you to analyze and manage security definitions application by application, making the process manageable.

In the Application filter pane, you can define an application filter to limit the application transactions to origin transactions and other transactions that were initiated (directly or indirectly) by the origins, and to limit the resources to those used by any of those transactions. For an example, see Defining applications to segment work in CICS documentation.
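An added example, not from the CICS documentation, of the scoping rule the application filter applies: starting from the origin transactions, collect every transaction they initiate directly or indirectly, then the resources any of those transactions used. The initiation graph and the usage map are constructed sample data.

```python
"""Added example, not from the CICS Explorer documentation: compute the scope of
an application filter as the page describes it.  The initiation graph and the
resource-usage map below are constructed sample data."""
from collections import deque

def application_scope(origins, initiated_by, resources_used):
    """Return (transactions, resources) covered by an application filter.

    origins        - origin transaction IDs chosen for the application
    initiated_by   - map: transaction -> set of transactions it initiates
    resources_used - map: transaction -> set of resources it used (from the SDD)
    The transactions are the origins plus everything they initiate, directly
    or indirectly; the resources are those used by any of those transactions."""
    scope = set(origins)
    queue = deque(origins)
    while queue:
        txn = queue.popleft()
        for child in initiated_by.get(txn, ()):
            if child not in scope:  # the visited check also stops cycles
                scope.add(child)
                queue.append(child)
    resources = set()
    for txn in scope:
        resources |= resources_used.get(txn, set())
    return scope, resources

# Constructed sample: PAY1 starts PAY2, PAY2 starts PAY3 and PAY3 loops back to
# PAY1; ORD1/ORD2 belong to another application that shares the file CUSTFILE.
INITIATED_BY = {
    "PAY1": {"PAY2"}, "PAY2": {"PAY3"}, "PAY3": {"PAY1"},
    "ORD1": {"ORD2"},
}
RESOURCES_USED = {
    "PAY1": {"FILE:PAYMAST"}, "PAY2": {"FILE:CUSTFILE"}, "PAY3": {"PROGRAM:PAYRPT"},
    "ORD1": {"FILE:CUSTFILE"}, "ORD2": {"FILE:ORDERS"},
}

if __name__ == "__main__":
    txns, res = application_scope({"PAY1"}, INITIATED_BY, RESOURCES_USED)
    print(sorted(txns), sorted(res))
```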

Export ESM data

Select Export > Export Security Discovery. This opens the export dialog, which, once all options are selected, saves the security definitions into a security metadata file (.esm). The file can be reviewed in a text editor, or in a code editor that supports YAML for syntax highlighting.

In the initial export dialog shown in Figure 3, you have the following options:
  • The Filename field offers a Browse button to determine where, and under what name, your exported file is saved.
  • The Resource types checklist filters your processed definitions to a selected subset.
  • The Filter strategy that you select determines the next screen and the subsequent filters you can apply to your SDD. If no application filters exist, the option is deselected.
Figure 3. Initial security discovery export screen

When all items are complete, click Next to proceed to one of the following screens:

Export all resolved member lists and roles
If you selected this option, you are taken to the Export summary screen.
Filter by member lists
Select the member lists you require for export, which automatically selects the related roles.
Figure 4. Security discovery filter by member list
Filter by roles
Select the roles you require for export, which automatically selects the related member lists.
Figure 5. Security discovery filter by role
Filter using an existing application filter
Select one of the previously defined Application filter items to use for the export.
Figure 6. Security discovery application filter selection
Export summary screen
Once you have processed your selected filter, a summary of the items selected for export is displayed as shown in Figure 7.

You can choose to Include unresolved users and ungrouped resources if you need to include that data. This does not apply if you use an application filter.

To complete the export, select Finish; the selected data is then exported.
Figure 7. Security discovery data export summary