The CICS® Configuration Manager server uses the CICS resources and CICS commands described below. If your site uses system authorization facility (SAF) classes to protect access to CICS resources or CICS commands, then you need to modify your external security manager (ESM) definitions to grant the required level of access to the appropriate user IDs:
- For clients that connect to the server via an unauthenticated port, you need to grant access to the CICS default user ID of the CICS region that is running the server.
- For clients that connect to the server via an authenticated port, you need to grant access to the client user ID. For the CICS Configuration Manager ISPF client, this is the TSO user ID.

- CICS-supplied transactions CWBA and CWXN
  - The appropriate user ID (as described above) must have the authority to invoke CWBA. The CICS region user ID of the region that is running the CICS Configuration Manager server must have the authority to invoke CWXN.
- Statically defined resources
  - The group CCV210, in the CSD file for the CICS region running the CICS Configuration Manager server, contains resource definitions required by the CICS Configuration Manager server. These include (but are not restricted to) files, programs, and transactions. For a comprehensive list, either view the resource definitions in the group CCV210 (if you already have CICS Configuration Manager installed), or browse the member CCVXCSDD of the sample library SCCVSAMP.

    These are the security rules for CCVx transactions:
    - CCVA, CCVC, CCVR, CCVT
      - CICS Configuration Manager "user" transactions. The CICS Configuration Manager server invokes these transactions under the authority of the client user that sent the request:
        - For clients that connect to the server via an unauthenticated port, the CICS default user ID of the CICS region must have the authority to invoke these transactions.
        - For clients that connect to the server via an authenticated port, all users of the CICS Configuration Manager client must have the authority to invoke these transactions.
    - CCVI
      - CICS Configuration Manager server initialization transaction. The user, or users, that require the authority to invoke this transaction depend on how you choose to start the CICS Configuration Manager server:
        - If you have added the server initialization program CCVIINIT to the PLTPI, then the user ID that runs PLTPI programs must have the authority to invoke the transaction CCVI. This user ID is either the user ID specified by the PLTPIUSR system initialization parameter or, if you do not specify PLTPIUSR, the CICS region user ID. This user ID needs the authority to invoke transaction CCVI because, although CICS runs all PLTPI programs under the CICS internal transaction CPLT, the program CCVIINIT invokes transaction CCVI to complete potentially long-running tasks after the CICS region has started. For more information on starting the CICS Configuration Manager server via the PLTPI, see Optional: Update the PLTPI.
        - If you have chosen not to start the CICS Configuration Manager server via the PLTPI, then the user ID that starts the CICS Configuration Manager server, either by running the program CCVIINIT or invoking the transaction CCVI, must have the authority to invoke the transaction CCVI.

        You can also invoke transaction CCVI from a CICS terminal to re-initialize the CICS Configuration Manager server while the server CICS region is active: for example, to change which ports the server listens to for clients, without restarting the server CICS region. In this case, the user of the CICS terminal (for example, the CICS Configuration Manager administrator) must have the authority to invoke CCVI. For details, see Define CICS Configuration Manager system options.
    - CCVW
      - CICS Configuration Manager server background clean-up process. This has the same security requirements as CCVI, except that there is no requirement for CICS Configuration Manager administrators to be able to invoke this transaction.
    - CCVS
      - CICS Configuration Manager server trace facility. Required only by administrators, if requested by IBM® to capture a CICS Configuration Manager trace for problem determination.
    - CCVB
      - Currently unused.

    The supplied group CCV210 includes replacements for the CICS-supplied transactions CEDA, CEDB, and CEDC that call DFHEDAP. The replacement versions allow you to use these transactions without conflicting with the CICS Configuration Manager server for access to the server region's CSD file. However, it is recommended that you no longer use CEDA, CEDB, and CEDC at all, neither the CICS-supplied originals nor these replacements. Instead, use CICS Configuration Manager to maintain your resource definitions.

    For details on the level of access required for file resources, see the values of the associated attributes (such as Add, Browse, Delete, Read, and Update) in the file resource definitions.
- Dynamically defined resources
  - The CICS Configuration Manager server dynamically defines the following resource definitions as required:
    - CCVRnnnn files
      - For each CSD-based CICS configuration defined in the CICS Configuration Manager repository, the CICS Configuration Manager server dynamically defines a file resource that refers to the appropriate CSD file. The CICS Configuration Manager server uses these file resources only to read CSD files. To update CSD files, the CICS Configuration Manager server uses either the CICS-supplied DFHEDAP program or CICS system programming interface (SPI) commands.
    - EXnn and IMnn transient data queues
      - To write to an export file, the CICS Configuration Manager server dynamically defines a TDQueue named EXnn (nn: 00–99). To read from an export file, it dynamically defines a TDQueue named IMnn. EX indicates "export" (write), IM indicates "import" (read).
    - CCV* temporary storage queues
      - The CICS Configuration Manager server dynamically defines TSQueues for various processing tasks.
    - TCP/IP services
      - During initialization, the CICS Configuration Manager server dynamically defines a TCPIPService for each of the IP ports that you have specified you want the server to listen to. For details, see Define CICS Configuration Manager system options.
- Application and system programming commands
  - The CICS Configuration Manager server uses various CICS application and system programming commands.

The CICS Configuration Manager server does not define resource definitions for user exit programs. You must define these resources yourself, or have CICS autoinstall them for you.
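
The transaction rules above can be turned into a least-privilege check. The following is an added example, not IBM-supplied code: it derives the (user ID, transaction) grants the rules call for and compares them with a list of current permits. All user IDs are constructed sample values, and the `Site` fields are hypothetical names for the choices the rules depend on; it assumes administrators are the users who re-initialize the server with CCVI.

```python
from dataclasses import dataclass, field
from typing import Optional

USER_TRANS = ("CCVA", "CCVC", "CCVR", "CCVT")  # run under the client's authority

@dataclass
class Site:
    region_userid: str                    # CICS region user ID of the server region
    default_userid: str                   # CICS default user ID of that region
    authenticated_port: bool              # do clients connect via an authenticated port?
    client_userids: set = field(default_factory=set)
    admin_userids: set = field(default_factory=set)
    start_via_pltpi: bool = True          # CCVIINIT added to the PLTPI?
    pltpiusr: Optional[str] = None        # PLTPIUSR value, if specified
    manual_starter: Optional[str] = None  # who runs CCVIINIT/CCVI when not via PLTPI
    trace_requested: bool = False         # IBM asked for a CCVS trace

def required_grants(site):
    """Return the set of (user ID, transaction) pairs the rules call for."""
    callers = site.client_userids if site.authenticated_port else {site.default_userid}
    grants = {(uid, tran) for uid in callers for tran in ("CWBA",) + USER_TRANS}
    grants.add((site.region_userid, "CWXN"))
    # CCVI and CCVW: the user ID that starts the server.
    if site.start_via_pltpi:
        starter = site.pltpiusr or site.region_userid
    else:
        starter = site.manual_starter
    if not starter:
        raise ValueError("no user ID identified for starting the server")
    grants |= {(starter, "CCVI"), (starter, "CCVW")}
    # Administrators re-initialize with CCVI; CCVW is not needed, CCVS only for a trace.
    for uid in site.admin_userids:
        grants.add((uid, "CCVI"))
        if site.trace_requested:
            grants.add((uid, "CCVS"))
    return grants

def audit(site, permitted):
    """Compare current permits with the rules: (missing, not required)."""
    need = required_grants(site)
    return sorted(need - permitted), sorted(permitted - need)

# Constructed sample: authenticated port, PLTPI start, PLTPIUSR not specified.
SAMPLE = Site("CICSCCV", "CICSUSER", True, {"TSOU1", "TSOU2"}, {"CCVADM"})

if __name__ == "__main__":
    current = required_grants(SAMPLE) - {("CICSCCV", "CCVW")} | {("TSOU1", "CCVI")}
    print(audit(SAMPLE, current))
```

The second list returned by `audit` holds permits that the rules do not require, such as a client user who can invoke CCVI.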

Data set security
The CICS Configuration Manager server region user ID must have update access to the data sets named by the following CICS file resources:
- Statically defined file resources (in the supplied group CCV210):
  - CCVDDD
    - CICS Configuration Manager repository.
  - CCVJNL, CCVPT1, CCVPT2
    - CICS Configuration Manager journal and indexes.
- Dynamically defined file resources:
  - CCVRnnnn
    - For each CSD file that you want to use with CICS Configuration Manager.

Also, if you use CICS file resource security checking (CICS system initialization parameter XFCT=YES or name, rather than XFCT=NO), then each user of a CICS Configuration Manager client must have update access to these data sets.
