Security keys for API commands

Here is the format of the security key that the CICS® Configuration Manager server creates to check a user's authority to perform an API command:

Figure 1. Security key that CICS Configuration Manager creates to check whether a user is authorized to perform an API command
                                   (1)                                         
>>-prefix--.--+-LIS.-+-object_type-----+-.location_type.-+-location_name-+-+-><
              |      '-ALL-------------'                 +-ALL-----------+ |   
              |                                          '-NONE----------' |   
              +-+-ADD-----+-.object_type.location_type.location_name-------+   
              | +-ALT-----+                                                |   
              | |     (2) |                                                |   
              | +-CPY-----+                                                |   
              | +-DIO-----+                                                |   
              | +-INO-----+                                                |   
              | +-NEO-----+                                                |   
              | |     (3) |                                                |   
              | +-REC-----+                                                |   
              | +-REM-----+                                                |   
              | '-REN-----'                                                |   
              +-+-CRE-+-.object_type.location_type.-+-location_name-+------+   
              | +-DEL-+                             '-NONE----------'      |   
              | +-INQ-+                                                    |   
              | '-UPD-'                                                    |   
              +-+-APP-+-.migration_scheme.approval_profile.approver_role---+   
              | '-DIS-'                                                    |   
              +-+-REA-+-.migration_scheme----------------------------------+   
              | +-UNR-+                                                    |   
              | +-MIG-+                                                    |   
              | +-BAC-+                                                    |   
              | +-INS-+                                                    |   
              | +-NEW-+                                                    |   
              | '-DSC-'                                                    |   
              +-IMP.target_CICS_configuration------------------------------+   
              '-DEP.-+-COLLECT.CCONFIG.CICS_configuration-+----------------'   
                     '-REPORT.NONE.NONE-------------------'                    

Notes:
  1. In security keys, the KEYASSOCIATION object type is abbreviated to KEYASSOC.
  2. For the Copy command, location_type and location_name refer to the target location (where the object is being copied to).
  3. For the Recover command, location_type is CCONFIG and location_name is the name of the CICS configuration where the change occurred (stored in the BAImage journal record).

For descriptions of the fields in this key, see API parameters.
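
The key layout in Figure 1 and its notes, worked through as an added Python example (not IBM code and not part of the product), useful for listing the exact keys a set of commands will generate before writing profiles for them. The function name security_key, the DEP field names action and dep_type, and the sample values PROGRAM and PROD1 are assumptions made for this example.

```python
# Added example (not IBM code): build security keys as laid out in Figure 1.
# Fields that follow the command abbreviation, per the syntax diagram.
_LAYOUTS = {
    "LIS ADD ALT CPY DIO INO NEO REC REM REN CRE DEL INQ UPD":
        ("object_type", "location_type", "location_name"),
    "APP DIS": ("migration_scheme", "approval_profile", "approver_role"),
    "REA UNR MIG BAC INS NEW DSC": ("migration_scheme",),
    "IMP": ("target_CICS_configuration",),
    # 'action' and 'dep_type' are this example's names for the two DEP shapes.
    "DEP": ("action", "dep_type", "CICS_configuration"),
}
FIELDS = {cmd: f for cmds, f in _LAYOUTS.items() for cmd in cmds.split()}


def security_key(prefix, command, **given):
    """Return the key for one API command; raise ValueError if it is malformed."""
    if command not in FIELDS:
        raise ValueError(f"unknown command abbreviation: {command!r}")
    fixed = {}  # values the diagram or its notes dictate
    if command == "REC":  # note 3
        fixed = {"location_type": "CCONFIG"}
    elif command == "DEP":
        if given.get("action") == "REPORT":
            fixed = {"dep_type": "NONE", "CICS_configuration": "NONE"}
        elif given.get("action") == "COLLECT":
            fixed = {"dep_type": "CCONFIG"}
        else:
            raise ValueError("DEP action must be COLLECT or REPORT")
    for name, value in fixed.items():
        if given.get(name, value) != value:
            raise ValueError(f"{command} requires {name}={value}")
    values = {**given, **fixed}
    layout = FIELDS[command]
    if set(values) != set(layout):
        raise ValueError(f"{command} takes exactly these fields: {layout}")
    parts = [prefix, command]
    for name in layout:
        value = str(values[name])
        if name == "object_type" and value.upper() == "KEYASSOCIATION":
            value = "KEYASSOC"  # note 1
        # Assumption: a field never contains a period, the key's separator.
        if not value or "." in value:
            raise ValueError(f"bad value for {name}: {value!r}")
        parts.append(value)
    return ".".join(parts)


if __name__ == "__main__":
    # Constructed sample values; CCVAPI is the prefix used on this page.
    print(security_key("CCVAPI", "REC", object_type="PROGRAM", location_name="PROD1"))
    print(security_key("CCVAPI", "DEP", action="REPORT"))
```
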

The server calls the external security manager (such as RACF®) to check whether this key matches a general resource profile for which the user has READ access authority. If it does, the server performs the command.

As a starting point, consider temporarily defining the following general resource profile with a universal access authority (UACC) of READ:

CCVAPI.**

where CCVAPI is the prefix that you have chosen for the security keys.

Starting with such a general resource profile enables you to activate security checking in CICS Configuration Manager and then continue to work as before while you define more specific general resource profiles.

For examples of general resource profiles, and the JCL to define those profiles in a RACF environment, see member CCVXSAF2 of the sample library SCCVSAMP.

API command name abbreviations in the security key

To limit the security key length, API command names are abbreviated to three letters:

ADD    Add
ALT    Alter
APP    Approve
BAC    Backout
CPY    Copy
CRE    Create
DEL    Delete
DEP    Deploy
DIO    Discard (an ad hoc selection of resource definitions)
DIS    Disapprove
DSC    Discard (the resource definitions in a change package)
IMP    Import
INO    Install (an ad hoc selection of resource definitions)
INQ    Inquire
INS    Install (the resource definitions in a change package)
LIS    List
MIG    Migrate
NEO    Newcopy (an ad hoc selection of resource definitions)
NEW    Newcopy (the resource definitions in a change package)
REA    Ready
REC    Recover
REM    Remove
REN    Rename
UNR    Unready
UPD    Update

Restricting access to the ISPF dialog

To start the CICS Configuration Manager ISPF dialog, users must be able to perform a List command for the SvrInfo repository object; for details, see SvrInfo (server information). You can use this requirement to restrict access to the ISPF dialog.