The following steps assume that you have not yet defined any security rules for CICS® Configuration Manager, and that the CICS Configuration Manager system option for API command security checking is inactive. (Security checking is inactive by default. To check whether it is active or inactive, go to CICS Configuration Manager primary menu option 1.1 System Options.) If you are already using CICS Configuration Manager with security checking, then ignore any of these steps that you have already performed.

These steps specify CICS Configuration Manager general resource profiles with a prefix of CCVAPI. Feel free to specify a different prefix.

In RACF®:
- Define a general resource profile to allow all users access to all CICS Configuration Manager API commands:
  CCVAPI.**
  Give this profile a universal access authority (UACC) of READ.
  This profile is for temporary use, until you define a more specific set of security rules for restricting access to API commands. For now, this profile allows you to activate security checking in CICS Configuration Manager, and then continue to perform API commands as if security checking were still inactive, except those API commands for which there are more specific profiles. We are about to define some specific profiles for Approve and Disapprove API commands.
- Define the following six general resource profiles:
  CCVAPI.APP.TOURDT.PROJMAN
  CCVAPI.DIS.TOURDT.PROJMAN
  CCVAPI.APP.TOURDT.QATEAM
  CCVAPI.DIS.TOURDT.QATEAM
  CCVAPI.APP.TOURDT.APPDEV
  CCVAPI.DIS.TOURDT.APPDEV
  Give these profiles a UACC of NONE.
- Define three group profiles: TOURPJ, TOURQA, and TOURAD.
- Add the group profiles to the access lists of the appropriate general resource profiles, as shown in Figure 1.
- Add one or more users to each group profile.
  In the steps that follow, you will test these new security rules. There are several ways to do this. To perform the testing yourself, consider temporarily adding your own user ID to each of the three group profiles, so that you can represent all three approver roles without logging on under different user IDs.
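
The RACF steps above, written out as TSO commands. This is an added example, not taken from the product documentation. Assumptions: YOURCLAS is a placeholder for the general resource class your CICS Configuration Manager installation checks, USERID1 is a placeholder user ID, the group-to-profile pairing is inferred from the profile names (Figure 1 is authoritative), and ACCESS(READ) is chosen to match the READ level that the catch-all profile grants.

```tso
/* Placeholder class YOURCLAS and user USERID1: substitute your own.  */
/* Generic profile checking must be on for CCVAPI.** to be honoured;  */
/* skip this command if it is already active for the class.           */
SETROPTS GENERIC(YOURCLAS)

/* Step 1: temporary catch-all so existing API use keeps working.     */
RDEFINE YOURCLAS CCVAPI.** UACC(READ)

/* Step 2: Approve/Disapprove profiles, closed by default.            */
RDEFINE YOURCLAS CCVAPI.APP.TOURDT.PROJMAN UACC(NONE)
RDEFINE YOURCLAS CCVAPI.DIS.TOURDT.PROJMAN UACC(NONE)
RDEFINE YOURCLAS CCVAPI.APP.TOURDT.QATEAM  UACC(NONE)
RDEFINE YOURCLAS CCVAPI.DIS.TOURDT.QATEAM  UACC(NONE)
RDEFINE YOURCLAS CCVAPI.APP.TOURDT.APPDEV  UACC(NONE)
RDEFINE YOURCLAS CCVAPI.DIS.TOURDT.APPDEV  UACC(NONE)

/* Step 3: one group per approver role.                               */
ADDGROUP TOURPJ
ADDGROUP TOURQA
ADDGROUP TOURAD

/* Step 4: access lists (pairing assumed from the names; see Fig. 1). */
PERMIT CCVAPI.APP.TOURDT.PROJMAN CLASS(YOURCLAS) ID(TOURPJ) ACCESS(READ)
PERMIT CCVAPI.DIS.TOURDT.PROJMAN CLASS(YOURCLAS) ID(TOURPJ) ACCESS(READ)
PERMIT CCVAPI.APP.TOURDT.QATEAM  CLASS(YOURCLAS) ID(TOURQA) ACCESS(READ)
PERMIT CCVAPI.DIS.TOURDT.QATEAM  CLASS(YOURCLAS) ID(TOURQA) ACCESS(READ)
PERMIT CCVAPI.APP.TOURDT.APPDEV  CLASS(YOURCLAS) ID(TOURAD) ACCESS(READ)
PERMIT CCVAPI.DIS.TOURDT.APPDEV  CLASS(YOURCLAS) ID(TOURAD) ACCESS(READ)

/* Step 5: connect users; repeat per user and per group as needed.    */
CONNECT USERID1 GROUP(TOURPJ)
CONNECT USERID1 GROUP(TOURQA)
CONNECT USERID1 GROUP(TOURAD)

/* Only if the class is RACLISTed: refresh the in-storage profiles.   */
SETROPTS RACLIST(YOURCLAS) REFRESH

/* Check: UACC should be NONE and only the intended group listed.     */
RLIST YOURCLAS CCVAPI.APP.TOURDT.PROJMAN AUTHUSER
```

Once testing is finished, remove any temporary CONNECTs of your own user ID so that one person no longer holds all three approver roles.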