Security keys for resource definitions
Here is the format of the security keys that the CICS® Configuration Manager server creates to check a user's authority to manipulate resource definitions:
- 1
- If the target resource definition key specifies a ResGroup that does not exist, then the API command the attempts to create the ResGroup. This involves an additional security key, as if a Create API command had been requested for the ResGroup. Note that this additional security checking does not involve API command security checking for a Create API command; just resource definition security checking for the ResGroup that needs to be created (as per the entry for Create in this table).
- 2
- If the resource type is a group/ResGroup, then specify a "-" (hyphen) character as the group parameter.
- 3
- If the source CICS configuration refers to an export file, then no security check is performed for the source resource definition.
- 4
- You can think of a Rename API command as consisting of two operations:
delete the source resource definition, and then create the target
resource definition. Both operations require ALTER access authority. A Rename API command for a group/ResGroup involves resource definition security checks (requiring ALTER access authority) for all of the following:
- Each source resource definition (in the original group/ResGroup)
- Each target resource definition (in the renamed group/ResGroup)
- When renaming a ResGroup (not a group): the target ResGroup
- 5
- The CICS configuration parameter for Import refers to the target CICS configuration where the resource definition is to be imported (copied) to, not the source CICS configuration (that refers to the export file) where the resource definition is to be imported from.
- 6
- If the resource type is not associated with
a group/ResGroup, then specify a "-" (hyphen) character as the group parameter.
If the resource type does not have a unique name, then specify a "-" (hyphen) character as the name parameter.
For example, specify group as a hyphen and name as a hyphen for the CICSPlex® SM full-function BAS APPLDEF, RASINDSC, and SYSLINK resource types.
For descriptions of the fields in these keys, see API parameters.
For each resource definition, the Copy and Rename API commands create two security keys, and make two calls to the external security manager: one for the source resource definition, and another for the target resource definition.
For the Rename API command, the parameter for the CICS configuration is labelled "target" in both security keys because you can only rename a resource definition within the same CICS configuration.
To simplify group resource profile definitions, the resource definition name is the last qualifier in the security key: some resource types may contain a period (.) as part of the resource name.
As a starting point, consider temporarily defining the following general resource profile with a universal access authority (UACC) of ALTER:
CCVRES.**
where CCVRES is the prefix that you have chosen for the security keys.
Starting with such a general resource profile enables you to activate security checking in CICS Configuration Manager and then continue to work as before while you define more specific general resource profiles.
For examples of general resource profiles, and the JCL to define those profiles in a RACF environment, see member CCVXSAF3 of the sample library SCCVSAMP.
For more examples of general resource profiles, see Example security scenario.