How do I Implement SP and Secondary Resource Checking in CA ACF2

Document ID : KB000027020
Last Modified Date : 14/02/2018
Show Technical Document Details

Introduction:

CICS System Programming (SP) commands such as those used with CEMT are a special subset of EXEC CICS commands that users can issue. These commands enable you to access system and resource information that defines a resource. These commands also let you change some of these resource definitions and run-time values. Typically, systems programmers use these commands, but application programs can also issue them. Because you do not want everyone to have access to these commands, you will want to protect them.

System Programming (SP) command rules provide security checking for the SP commands. The following table lists the SERVICE keywords and command verbs that command security applies to:

CICS EXEC Command VerbSERVICE Keyword in rule
CREATEADD
DISCARDADD
COLLECTREAD
INQUIREREAD
ACQUIREUPDATE
DISABLEUPDATE
ENABLEUPDATE
EXTRACTUPDATE
PERFORMUPDATE
RESYNCUPDATE
SETUPDATE

The resource name in the rule is the 1- to 12-character command defined by IBM in their external security manager implementation. These names are provided in the IBM CICS-RACF Security Guide. You can use an abbreviation when you execute the command, but CICS will translate it into the full command name for the validation.

A list of commands is included here...

XCMD RESOURCE KEYACCESS LEVEL REQUIREDSP CICS COMMAND
AUTINSTMODELREADINQUIRE AUTINSTMODEL
ADDDISCARD AUTINSTMODEL
AUTOINSTALLREADINQUIRE AUTOINSTALL
UPDATESET AUTOINSTALL
BEANREADINQUIRE BEAN
BRFACILITYREADINQUIRE BRFACILITY
UPDATESET BRFACILITY
CFDTPOOLREADINQUIRE CFDTPOOL
CLASSCACHEREADINQUIRE CLASSCACHE
UPDATEPERFORM CLASSCACHE
UPDATESET CLASSCACHE
CONNECTIONREADINQUIRE CONNECTION
UPDATESET CONNECTION
ADDCREATE CONNECTION
ADDDISCARD CONNECTION
CORBASERVERREADINQUIRE CORBASERVER
UPDATESET CORBASERVER
ADDCREATE CORBASERVER
ADDDISCARD CORBASERVER
UPDATEPERFORM CORBASERVER
DB2CONNREADINQUIRE DB2CONN
UPDATESET DB2CONN
ADDCREATE DB2CONN
ADDDISCARD DB2CONN
DB2ENTRYREADINQUIRE DB2ENTRY
UPDATESET DB2ENTRY
ADDCREATE DB2ENTRY
ADDDISCARD DB2ENTRY
DB2TRANREADINQUIRE DB2TRAN
UPDATESET DB2TRAN
ADDCREATE DB2TRAN
ADDDISCARD DB2TRAN
DELETSHIPPEDREADINQUIRE DELETSHIPPED
UPDATESET DELETSHIPPED
UPDATEPERFORM DELETSHIPPED
DISPATCHERREADINQUIRE DISPATCHER
UPDATESET DISPATCHER
DJARREADINQUIRE DJAR
ADDCREATE DJAR
ADDDISCARD DJAR
UPDATEPERFORM DJAR
DOCTEMPLATEREADINQUIRE DOCTEMPLATE
DSNAMEREADINQUIRE DSNAME
UPDATESET DSNAME
DUMPUPDATEPERFORM DUMP
DUMPDSREADINQUIRE DUMPDS
UPDATESET DUMPDS
ENQMODELREADINQUIRE ENQMODEL
UPDATESET ENQMODEL
ADDCREATE ENQMODEL
EXCIREADINQUIRE EXCI
EXITPROGRAMUPDATEEXEC CICS ENABLE PROGRAM
UPDATEEXEC CICS DISABLE PROGRAM
UPDATEEXEC CICS EXTRACT EXIT
UPDATEEXEC CICS RESYNC ENTRYNAME
READINQUIRE EXITPROGRAM
FILEREADINQUIRE FILE
UPDATESET FILE
ADDCREATE FILE
ADDDISCARD FILE
HOSTREADINQUIRE HOST
UPDATESET HOST
IRCREADINQUIRE IRC
UPDATESET IRC JOURNALMODEL READ EXEC CICS INQUIRE JOURNALMODEL
ADDEXEC CICS DISCARD JOURNALMODEL
READCEMT INQUIRE JMODEL
JOURNALNAMEREADINQUIRE JOURNALNAME
UPDATESET JOURNALNAME
JVMREADINQUIRE JVM
JVMPOOLREADINQUIRE JVMPOOL
UPDATESET JVMPOOL
JVMPROFILEREADINQUIRE JVMPROFILE
LINEREADCEMT INQUIRE LINE
UPDATECEMT SET LINE
LSRPOOLADDCREATE LSRPOOL
MAPSETADDCREATE MAPSET
ADDDISCARD MAPSET
MODENAMEREADINQUIRE MODENAME
UPDATESET MODENAME
MONITORREADINQUIRE MONITOR
UPDATESET MONITOR
MVSTCBREADCOLLECT STATISTICS
READINQUIRE MVSTCB
PARTITIONSETADDCREATE PARTITIONSET
ADDDISCARD PARTITIONSET
PARTNERREADINQUIRE PARTNER
ADDCREATE PARTNER
ADDDISCARD PARTNER
PIPELINEADDCREATE PIPELINE
ADDDISCARD PIPELINE
READINQUIRE PIPELINE
UPDATEPERFORM PIPELINE
UPDATESET PIPELINE
PROCESSTYPEADDCEMT DEFINE PROCESSTYPE
ADDEXEC CICS CREATE PROCESSTYPE
ADDEXEC CICS DISCARD PROCESSTYPE
READCEMT INQUIRE PROCESSTYPE
UPDATECEMT SET PROCESSTYPE
PROFILEREADINQUIRE PROFILE
ADDCREATE PROFILE
ADDDISCARD PROFILE
PROGRAMREADINQUIRE PROGRAM
UPDATESET PROGRAM
ADDCREATE PROGRAM
ADDDISCARD PROGRAM
REQIDREADEXEC CICS INQUIRE REQID
RESETTIMEUPDATEPERFORM RESETTIME
REQUESTMODELREADINQUIRE REQUESTMODEL
RRMSREADINQUIRE RRMS
SECURITYUPDATEPERFORM SECURITY REBUILD
SESSIONSADDCREATE SESSIONS
ADDDISCARD SESSIONS
SHUTDOWNUPDATEPERFORM SHUTDOWN
STATISTICSREADINQUIRE STATISTICS
UPDATESET STATISTICS
READEXEC CICS COLLECT STATISTICS
UPDATEEXEC CICS EXTRACT STATISTICS
UPDATEEXEC CICS PERFORM STATISTICS RECORD
STORAGEREADINQUIRE STORAGE
STREAMNAMEREADINQUIRE STREAMNAME
SUBPOOLREADINQUIRE SUBPOOL
SYSDUMPCODEREADINQUIRE SYSDUMPCODE
UPDATESET SYSDUMPCODE
SYSTEMREADINQUIRE SYSTEM
UPDATESET SYSTEM
TASKREADINQUIRE TASK
READINQUIRE TASK LIST
UPDATESET TASK LIST
TCLASSREADINQUIRE TCLASS
UPDATESET TCLASS
ADDDISCARD TCLASS
READINQUIRE TRANCLASS
UPDATESET TRANCLASS
ADDCREATE TRANCLASS
ADDDISCARD TRANCLASS
TCPIPREADINQUIRE TCPIP
UPDATESET TCPIP
TCPIPSERVICEREADINQUIRE TCPIPSERVICE
UPDATESET TCPIPSERVICE
ADDCREATE TCPIPSERVICE
ADDDISCARD TCPIPSERVICE
TDQUEUEREADINQUIRE TDQUEUE
UPDATESET TDQUEUE
ADDCREATE TDQUEUE
ADDDISCARD TDQUEUE
TERMINALREADINQUIRE TERMINAL
UPDATESET TERMINAL
ADDCREATE TERMINAL
ADDDISCARD TERMINAL
READINQUIRE NETNAME
UPDATESET NETNAME
TRACEDESTREADEXEC CICS INQUIRE TRACEDEST
UPDATEEXEC CICS SET TRACEDEST
TRACEFLAGREADEXEC CICS INQUIRE TRACEFLAG
UPDATEEXEC CICS SET TRACEFLAG
TRACETYPEREADEXEC CICS INQUIRE TRACETYPE
UPDATEEXEC CICS SET TRACETYPE
TRANDUMPCODEREADINQUIRE TRANDUMPCODE
UPDATESET TRANDUMPCODE
TRANSACTIONREADINQUIRE TRANSACTION
UPDATESET TRANSACTION
ADDCREATE TRANSACTION
ADDDISCARD TRANSACTION
TSMODELREADINQUIRE TSMODEL
ADDCREATE TSMODEL
ADDDISCARD TSMODEL
TSPOOLREADINQUIRE TSPOOL
TSQUEUEREADEXEC CICS INQUIRE TSQUEUE
TSQNAMEREADINQUIRE TSQNAME
UPDATESET TSQNAME
TYPETERMADDCREATE TYPETERM
ADDDISCARD TYPETERM
UOWREADINQUIRE UOW
UPDATESET UOW
UOWDSNFAILREADINQUIRE UOWDSNFAIL
UOWENQREADINQUIRE UOWENQ
UOWLINKREADINQUIRE UOWLINK
UPDATEEXEC CICS SET UOWLINK
URIMAPREADINQUIRE URIMAP
UPDATESET URIMAP
ADDCREATE URIMAP
ADDDISCARD URIMAP
VTAMREADINQUIRE VTAM
UPDATESET VTAM
WEBREADINQUIRE WEB
UPDATESET WEB
WEBSERVICEADDCREATE WEBSERVICE
ADDDISCARD WEBSERVICE
READINQUIRE WEBSERVICE
UPDATESET WEBSERVICE
WORKREQUESTREADINQUIRE WORKREQUEST
UPDATESET WORKREQUEST

The resource type code for SP command rules is XCD, which can be altered by your site, if desired. This is controlled by the ACF2/CICS XCMD CICSKEY control record.

To activate command security using the ACF2/CICS interface, ensure that these steps are performed:

  1. The CICS interface lets you globally request command security for all transactions by specifying the initialization parameter, OPTION CMDSEC=ALWAYS. Include the CMDSEC keyword in the appropriate transaction definitions according to the instructions in the CICS Interface Parameters chapter. The CMDSEC keyword activates command security for these resources.

  2. Ensure that the CICS interface CICSKEY resource definition for the XCMD resource specifies OPTION=VALIDATE.

  3. Write SP command resource rules for the commands that you want to allow access to.

In addition, if RESSEC(YES) is also active in the environment, access to the specific transaction, program, file, transient data queue, or temporary storage queue name can also be validated. The access type or SERVICE to use is as follows:

  • For INQUIRE, use SERVICE(READ).

  • For SET, use SERVICE(UPDATE).

  • For CREATE and DISCARD, use SERVICE(ADD).

CICS performs the resource security check as long as you have set up your ACF2/CICS parameters correctly:

  • Specify OPTION=VALIDATE in the CICSKEY definition for that resource to ensure that the CICS interface performs resource level security in addition to command security.

  • You might globally activate resource level security checking for all transactions by specifying OPTION RESSEC=YES in the CICS interface system initialization parameter.

Instructions:

Sample SP Command Rules

Scenario: The security administrator wants to limit who can issue system programming or SP commands. In particular, he wants to give application development managers access to the EXEC CICS INQUIRE PROGRAM command.

An example of this command is: CEMT INQ PROGRAM(PAYMAST)

First, define the SP commands as a resource to the CICS interface through the CICSKEY definition. Because this command is performing an inquiry on the program PAYMAST, you can also ensure that the CICS interface performs a security check for the program resource.

The following CICSKEY definitions define the SP command resource (XCMD) and the program resource (PROGRAM).

CICSKEY RESOURCE=XCMD,OPTION=VALIDATE,TYPE=XCD
CICSKEY RESOURCE=PROGRAM,OPTION=VALIDATE,TYPE=CPC

The CICS interface first validates the request for the CICSKEY resource called XCMD against the SP command resource rule. The following resource rule lets the application development managers (ADM) issue the INQUIRE, SET, CREATE and DISCARD commands for the EXEC CICS PROGRAM command. In addition, application development programmers (ADP) and application development clients (ADC) can issue the EXEC CICS INQUIRE PROGRAM command to view program definitions.

$KEY(PROGRAM) TYPE(XCD)
UID(ADM) SERVICE(UPDATE,READ,ADD) ALLOW
UID(ADP) SERVICE(READ) ALLOW
UID(ADC) SERVICE(READ) ALLOW

In this rule set, the resource name is PROGRAM, the type code is XCD, and the access (INQUIRE) is matched against the SERVICE(UPDATE,READ) specification. Then, if RESSEC=ALWAYS (or YES) is active for the task issuing the SP command, an additional resource security check is made. This is against the specific resource that the command is directed towards. In this case, the second validation is performed against the CICSKEY resource called PROGRAM.

The SERVICE is treated as follows:

  • For INQUIRE, SERVICE(READ).

  • For SET, use SERVICE(UPDATE).

  • For CREATE and DISCARD, SERVICE(ADD).

  • SERVICE is not used for PROGRAM EXECUTION.

Note: Since both SP command validation and standard program execution utilize the same CPC rules, you need to ensure that users who are allowed to execute the programs are not inadvertently given SP command authority.

In this case, for program execution, access is given by

UID(ADC) ALLOW

This would automatically give all SP command access as well; therefore, further rules are required to prevent the SP commands.

UID(ADC) SERVICE(READ,UPDATE,ADD) PREVENT

The following resource rule lets the application development managers (ADM) issue the INQUIRE, SET, CREATE and DISCARD SP commands for program PAYMAST, but does not allow them to execute the program.

In addition, application development programmers (ADP) can issue the INQUIRE SP command for program PAYMAST, but cannot execute the program. Also, application development clients (ADC) cannot issue any of the SP commands for program PAYMAST, but can execute program PAYMAST.

$KEY(PAYMAST) TYPE(CPC)
UID(ADM) SERVICE(READ,UPDATE,ADD) ALLOW
UID(ADP) SERVICE(READ) ALLOW
UID(ADC) SERVICE(READ,UPDATE,ADD) PREVENT
UID(ADC) ALLOW

The following allows the Application Development Programmer (ADP) to issue a CEMT perform shutdown command. Perform equates to the update service level.

$KEY(SHUTDOWN) TYPE(XCD)
UID(ADP) SERVICE(UPDATE) ALLOW