Granting access to the plans and tables

The CICS® system programmer and the DB2® administrator must decide how to control access to the CICS IA plan and the CIU tables.

About this task

CICS IA uses both static and dynamic SQL, you need more than just a GRANT EXECUTE ON PLAN CICSIA TO PUBLIC command. You must also allow dynamic SQL requests to access the tables. You have two options:
Option 1
Specify the DYNAMICRULES(BIND) option on the BIND PLAN command in CIUDBNB and CIUDBNT. This option is recommended for these reasons:
  • The way in which security works is the same for both dynamic and static SQL.
  • If you grant permissions by issuing one or more GRANT EXECUTE ON PLAN CICSIA TO _xxxx_ commands, all security checks are done at the plan level; this option is simple to administer and offers good performance.
  • If, as is typically the case, the _xxxx_ in the GRANT EXECUTE command specifies a RACF group rather than a single RACF user ID, to add new users you just connect the users to the RACF group.

The sample installation jobs CIUDBNB and CIUDBNT use the DYNAMICRULES(BIND) option and then issue GRANT EXECUTE commands for the appropriate plans. These commands are issued against a RACF group.

To use this option:
  1. Select your RACF group.
  2. Change _racfgrp_ to your chosen RACF group.
  3. Ensure that all CIU users are connected to your chosen RACF group, with RACF “list of groups” active in the system.
  4. Enable secondary authorization in DB2. See the DB2 install job DSNTIJEX.
Note:
  1. Review DSNTIJEX job with your DB2 administrator.
  2. For a full understanding of the implications of DYNAMICRULES(BIND), see the description of the BIND COMMAND in the DB2 Commands manual.
  3. See also the section on DB2 security in the CICS RACF Security Guide.
  4. Review this job with your DB2 administrator.
Option 2
Grant all CIU users access to the tables explicitly. This option is not recommended because you have to do this every time you give access to a new user.
To use this option:
  1. In the sample jobs CIUDBNB and CIUDBNT, on the BIND PLAN command change the DYNAMICRULES option from DYNAMICRULES(BIND) to DYNAMICRULES(RUN).
  2. In Start of changehlq.SCIUSQL.OUT(CIUGRNTC)End of change, change the sample GRANT commands to GRANT EXECUTE on the CICSIA plan and GRANT SELECT, GRANT UPDATE, GRANT INSERT, GRANT DELETE, and any other GRANT commands, on the CIU tables.
  3. If the GRANT permissions are made to a RACF group, note these requirements:
    1. Ensure that all CIU users are connected to that RACF group.
    2. Enable secondary authorization in DB2. See the DB2 install job DSNTIJEX for more information if required.
The Query interface uses dynamic SQL to access the CIU_CICS_DATA, CIU_DB2_DATA, CIU_MQ_DATA, and CIU_IMS_DATA tables. For guidance on using dynamic SQL with CICS, refer to the CICS DB2 Guide for your CICS release.

The delivered SQL is constructed and sized for a default application. You must tailor the sizings for PRIQTY and SECQTY in the index creation batch job to suit your requirements. If you create a new query you must carry out an evaluation to ensure that the existing indexing supports the query. If the existing indexing does not support the query, you must construct additional indexes. Contact your Database administrator if you require assistance.