Security keys for API commands
Here is the format of the security key that the CICS® Configuration Manager server creates to check a user's authority to perform an API command:
                          (1)
>>-prefix--.--+-LIS.-+-object_type-----+-.location_type.-+-location_name-+-+-><
              |      '-ALL-------------'                 +-ALL-----------+ |
              |                                          '-NONE----------' |
              +-+-ADD-----+-.object_type.location_type.location_name-------+
              | +-ALT-----+                                                |
              | |     (2) |                                                |
              | +-CPY-----+                                                |
              | +-DIO-----+                                                |
              | +-INO-----+                                                |
              | +-NEO-----+                                                |
              | |     (3) |                                                |
              | +-REC-----+                                                |
              | +-REM-----+                                                |
              | '-REN-----'                                                |
              +-+-CRE-+-.object_type.location_type.-+-location_name-+------+
              | +-DEL-+                             '-NONE----------'      |
              | +-INQ-+                                                    |
              | '-UPD-'                                                    |
              +-+-APP-+-.migration_scheme.approval_profile.approver_role---+
              | '-DIS-'                                                    |
              +-+-REA-+-.migration_scheme----------------------------------+
              | +-UNR-+                                                    |
              | +-MIG-+                                                    |
              | +-BAC-+                                                    |
              | +-INS-+                                                    |
              | +-NEW-+                                                    |
              | '-DSC-'                                                    |
              +-IMP.target_CICS_configuration------------------------------+
              '-DEP.-+-COLLECT.CCONFIG.CICS_configuration-+----------------'
                     '-REPORT.NONE.NONE-------------------'
Notes:
1. In security keys, the KEYASSOCIATION object type is abbreviated to KEYASSOC.
2. For the Copy command, location_type and location_name refer to the target location (where the object is being copied to).
3. For the Recover command, location_type is CCONFIG and location_name is the name of the CICS configuration where the change occurred (stored in the BAImage journal record).
For descriptions of the fields in this key, see API parameters.
The server calls the external security manager (such as RACF®) to check whether this key matches a general resource profile for which the user has READ access authority. If it does, the server performs the command.
As a starting point, consider temporarily defining the following general resource profile with a universal access authority (UACC) of READ:
CCVAPI.**
where CCVAPI is the prefix that you have chosen for the security keys.
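Starting with such a general resource profile lets you activate security checking in CICS Configuration Manager and continue to work as before while you define more specific general resource profiles. Because the profile matches every key that begins with the prefix and its UACC is READ, every user is authorized for every API command for as long as it is defined, which is why it is only a temporary starting point.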
For examples of general resource profiles, and the JCL to define those profiles in a RACF environment, see member CCVXSAF2 of the sample library SCCVSAMP.
API command name abbreviations in the security key
To limit the security key length, API command names are abbreviated to three letters:
- ADD: Add
- ALT: Alter
- APP: Approve
- BAC: Backout
- CPY: Copy
- CRE: Create
- DEL: Delete
- DEP: Deploy
- DIO: Discard (an ad hoc selection of resource definitions)
- DIS: Disapprove
- DSC: Discard (the resource definitions in a change package)
- IMP: Import
- INO: Install (an ad hoc selection of resource definitions)
- INQ: Inquire
- INS: Install (the resource definitions in a change package)
- LIS: List
- MIG: Migrate
- NEO: Newcopy (an ad hoc selection of resource definitions)
- NEW: Newcopy (the resource definitions in a change package)
- REA: Ready
- REC: Recover
- REM: Remove
- REN: Rename
- UNR: Unready
- UPD: Update
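When planning specific general resource profiles, it helps to write out the exact key the server will check for each command. The following sketch is an added example, not IBM code: it composes a key from the syntax diagram and abbreviations above. The function name security_key, the sample names PRODCFG and SCHEME1, and the rule that ALL and NONE are accepted only in the branches where the diagram shows them are assumptions of this example.

```python
# Added example, not IBM code: compose the security key for an API command
# from the syntax diagram and three-letter abbreviations on this page.
OBJECT = {"ADD", "ALT", "CPY", "DIO", "INO", "NEO", "REC", "REM", "REN"}
OBJECT_OR_NONE = {"CRE", "DEL", "INQ", "UPD"}
APPROVAL = {"APP", "DIS"}
SCHEME = {"REA", "UNR", "MIG", "BAC", "INS", "NEW", "DSC"}


def security_key(prefix, command, *fields):
    """Return the key checked for `command` (three-letter abbreviation)."""
    fields = list(fields)
    if command == "LIS" or command in OBJECT | OBJECT_OR_NONE:
        names = "object_type.location_type.location_name"
    elif command in APPROVAL:
        names = "migration_scheme.approval_profile.approver_role"
    elif command in SCHEME:
        names = "migration_scheme"
    elif command == "IMP":
        names = "target_CICS_configuration"
    elif command == "DEP":
        names = "COLLECT.CCONFIG.CICS_configuration"
    else:
        raise ValueError(f"unknown command abbreviation {command!r}")
    if len(fields) != names.count(".") + 1 or not all(fields):
        raise ValueError(f"{command} takes {names}")
    if names.startswith("object_type"):
        if fields[0] == "KEYASSOCIATION":  # note 1: abbreviated in keys
            fields[0] = "KEYASSOC"
        # Assumption: ALL and NONE are accepted only where the diagram shows them.
        if command != "LIS" and "ALL" in (fields[0], fields[2]):
            raise ValueError("ALL is valid only in LIS keys")
        if command in OBJECT and fields[2] == "NONE":
            raise ValueError(f"{command} needs a real location_name")
        if command == "REC" and fields[1] != "CCONFIG":  # note 3
            raise ValueError("REC keys use location_type CCONFIG")
    if command == "DEP" and fields[:2] != ["COLLECT", "CCONFIG"] \
            and fields != ["REPORT", "NONE", "NONE"]:
        raise ValueError("DEP takes COLLECT.CCONFIG.name or REPORT.NONE.NONE")
    return ".".join([prefix, command, *fields])


if __name__ == "__main__":
    # PRODCFG and SCHEME1 are constructed sample names.
    print(security_key("CCVAPI", "CPY", "KEYASSOCIATION", "CCONFIG", "PRODCFG"))
    print(security_key("CCVAPI", "MIG", "SCHEME1"))
    print(security_key("CCVAPI", "DEP", "REPORT", "NONE", "NONE"))
```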
Restricting access to the ISPF dialog
To start the CICS Configuration Manager ISPF dialog, users must be able to perform a List command for the SvrInfo repository object; for details, see SvrInfo (server information). You can use this requirement to restrict access to the ISPF dialog.