How To Limit Users To Shutdown Specific CICS Regions?
search cancel

How To Limit Users To Shutdown Specific CICS Regions?

book

Article ID: 11267

calendar_today

Updated On:

Products

Cleanup Datacom DATACOM - AD CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services CA ECOMETER SERVER COMPONENT FOC Easytrieve Report Generator for Common Services INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA ON DEMAND PORTAL CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware Top Secret Top Secret - LDAP Top Secret - VSE

Issue/Introduction



Is there a way to allow users to shut down their own CICS regions, but not allow them to shut down other CICS regions?

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component:

Resolution

The CICS transaction to shutdown a CICS region cleanly is:

CEMT P SHUT

(This is issued from native CICS.)

To limit the users to issuing this only on their CICS region(s):

  1. Setup different facilities in CA Top Secret for the different CICS regions. 
    TSS MODIFY(FAC(USERnn=NAME=cicsfac)) 
    TSS MODIFY(FAC(cicsfac=xxxx))
    for any control options to be set other than the defaults. 

    The TSS MODIFY command is only valid until the next recycle of CA Top Secret. To make these changes permanent, the corresponding statements must be added to the CA Top Secret parameter file. 
    FAC(USERnn=NAME=cicsfac) 
    FAC(cicsfac=xxxx)
  2. Add the facility to the region acid for the CICS region: 
    TSS ADD(acid) MASTFAC(cicsfac) 
    If the CICS region is started as a started task, the region acid is the acid in the started task table for the CICS procname. Issue TSS LIST(STC) to see the procnames in the started task table. For example, TSS LIST(STC) has the following entry in the list: 
    STC        = CTS32A   ACID       = CICS32A 
    For the CICS region with procname CTS32A, the region acid is CICS32A. 

    If the CICS region is started as a batch job, the region acid is the acid the job runs under. 

  3. Add the facility to the users that need it:
     
    TSS ADD(acid) FACILITY(fac)
    where 'acid' is the user acid, an attached profile, or the ALL record is the facility defined in step 1. 

  4. Define the CEMT transaction to CA Top Secret if not already done: 
    TSS ADD(dept) OTRAN(CEMT) 
  5. Permit the CEMT transaction to the users that need it with a facility restriction(s) of the facilities the users are limited to. 
    TSS PERMIT(acid) OTRAN(CEMT) ACCESS(EXECUTE) FACILITY(cicsfac)