How to set up rules for IBM File Manager for CICS (FM/CICS)?
The following FACILITY class profile determines whether File Manager checks access for any given CICS resource (XXXX stands for the security prefix configured for your File Manager installation):
XXXX.CICS.RESOURCE
Here is an example of activating FM/CICS resource checking in RACF.
RDEF FACILITY XXXX.CICS.RESOURCE AUDIT(NONE) +
UACC(READ) OWNER(TYRONED)
SETROPTS RACLIST(FACILITY) REFRESH
If this profile is defined and the user has READ access or higher to it, FM/CICS performs resource security checking using the XFACILIT class profiles described below. Note which way round this gate works: a user who is not permitted READ to this profile is not subjected to XFACILIT checking at all, so the gate permit should normally be broad (hence UACC(READ) in the example) and the actual restrictions belong in the XFACILIT profiles.
There is no equivalent ACF2 command for the RDEF, because in ACF2 all resources are protected by default. To give a user READ access, which makes FM/CICS perform resource security checking using the XFACILIT class, use the following rule:
ACF
SET RESOURCE(FAC)
RECKEY XXXX ADD( CICS.RESOURCE UID(user UID string) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
The XFACILIT resource class should be made resident. The following ACF2 commands add a GSO INFODIR entry for resource class XFACILIT (ACF2 type code XFC):
ACF
SET CONTROL(GSO)
INSERT INFODIR TYPES(R-RXFC)
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(XFC)
Examples of ACF2 rules for the FM/CICS XFACILIT class (resource type XFC). The key after RECKEY XXXX has four qualifiers: the first two identify the CICS region (as the names suggest, SYSPLEXA is the sysplex and CICSDEV the CICS region in these examples), then the resource type (FILE), then the resource name; a trailing "-" masks the rest of the key.
Case 1. Ensure all files on CICSDEV can only be accessed read-only
ACF
SET RESOURCE(XFC)
RECKEY XXXX ADD( SYSPLEXA.CICSDEV.FILE.- UID(userid) SERVICE(READ) ALLOW)
F ACF2,REBUILD(XFC)
Case 2. Ensure all CICS resources on CICSDEV can only be accessed read-only
ACF
SET RESOURCE(XFC)
RECKEY XXXX ADD( SYSPLEXA.CICSDEV.- UID(userid) SERVICE(READ) ALLOW)
F ACF2,REBUILD(XFC)
Case 3. Allow update against all CICS resources on CICSDEV, plus SET processing, for the systems programmer userid (SERVICE(DELETE) is the ACF2 equivalent of RACF CONTROL; see the translation table below)
ACF
SET RESOURCE(XFC)
RECKEY XXXX ADD( SYSPLEXA.CICSDEV.- UID(sysprog) SERVICE(DELETE) ALLOW)
F ACF2,REBUILD(XFC)
Case 4. Allow a specific user full access to FILE resources whose names begin with FM
ACF
SET RESOURCE(XFC)
RECKEY XXXX ADD( SYSPLEXA.CICSDEV.FILE.FM- UID(fmuser1) SERVICE(DELETE) ALLOW)
F ACF2,REBUILD(XFC)
Notes on the RACF access levels FM/CICS checks for
READ: Allows read-only functions (browse, print, view) to run. The user is not allowed to modify a CICS resource.
UPDATE: Allows update functions such as edit, data create and copy to, and allows deleting TS queues and emptying TD queues from the resource list displays.
CONTROL: Allows CICS SET processing to change the status of a resource, and allows purging tasks with outstanding enqueues (checked against the XFACILIT profile with resource type ENQ). Without CONTROL access, the status fields on the resource list panels are protected (not modifiable) for the resources the user is not allowed to modify.
Translation of RACF access to ACF2 SERVICE:

RACF access    ACF2 SERVICE
READ           READ
UPDATE         UPDATE
CONTROL        DELETE
ALTER          ADD
EXECUTE        EXECUTE

Note that the ACF2 service names do not follow the RACF ordering (CONTROL maps to DELETE and ALTER to ADD), so take the SERVICE value from this table rather than from its name.
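To make the two-stage check and the four ACF2 cases above concrete, here is a small model of how FM/CICS decides access, written as an added illustration for this page; it is not IBM or Broadcom code and does not run on z/OS. It assumes, beyond what the page states, that a trailing "-" masks the rest of the key and "*" one character, that the most specific matching rule line decides, that a UID string matches the start of the user's UID, and that a granted SERVICE also satisfies weaker requests in the RACF order READ < UPDATE < CONTROL < ALTER (which is what Case 3 relies on). The UIDs, resource names and the function-to-access mapping are constructed from the notes above.

```python
from dataclasses import dataclass

# RACF access levels FM/CICS requests, in increasing strength, and the ACF2
# SERVICE each is translated to (the table on this page; EXECUTE is not
# needed by the FM/CICS functions modelled here).
RACF_RANK = {"READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}
RACF_TO_ACF2 = {"READ": "READ", "UPDATE": "UPDATE", "CONTROL": "DELETE", "ALTER": "ADD"}
ACF2_TO_RACF = {acf2: racf for racf, acf2 in RACF_TO_ACF2.items()}

# Access level each FM/CICS function needs, taken from the level-of-access notes.
FUNCTION_ACCESS = {
    "BROWSE": "READ", "VIEW": "READ", "PRINT": "READ",
    "EDIT": "UPDATE", "CREATE": "UPDATE", "COPY": "UPDATE",
    "SET": "CONTROL",
}


@dataclass(frozen=True)
class RuleLine:
    """One ACF2 rule line under $KEY(XXXX) (simplified, assumed form)."""
    rtype: str    # ACF2 resource type: "FAC" (FACILITY) or "XFC" (XFACILIT)
    key: str      # key relative to the prefix, e.g. "SYSPLEXA.CICSDEV.FILE.-"
    uid: str      # UID string; matched against the start of the user's UID
    service: str  # ACF2 SERVICE: READ, UPDATE, DELETE or ADD
    allow: bool = True


def mask_matches(mask: str, name: str) -> bool:
    """Simplified ACF2 key masking (assumption): a trailing '-' matches the
    rest of the name, '*' matches exactly one character, else must be equal."""
    if mask.endswith("-"):
        literal = mask[:-1]
        if len(name) < len(literal):
            return False
        return all(m in ("*", n) for m, n in zip(literal, name))
    if len(mask) != len(name):
        return False
    return all(m in ("*", n) for m, n in zip(mask, name))


def specificity(mask: str) -> int:
    """Number of literal characters; the most specific matching line wins."""
    return sum(1 for c in mask.rstrip("-") if c != "*")


def best_rule(rules, rtype, name, uid):
    """Most specific rule line of this type matching the key and the UID."""
    hits = [r for r in rules
            if r.rtype == rtype and mask_matches(r.key, name) and uid.startswith(r.uid)]
    return max(hits, key=lambda r: specificity(r.key)) if hits else None


def check_fmcics(rules, uid, function, sysplex, applid, rtype, rname):
    """Return "NOT CHECKED", "ALLOW" or "DENY" for one FM/CICS function.

    Stage 1 is the FACILITY-class gate XXXX.CICS.RESOURCE: a user without
    READ on it is not resource-checked by FM/CICS at all.  Stage 2 is the
    XFACILIT check on XXXX.sysplex.applid.type.name; a granted service is
    assumed to satisfy any weaker request (RACF ordering).
    """
    gate = best_rule(rules, "FAC", "CICS.RESOURCE", uid)
    if gate is None or not gate.allow:
        return "NOT CHECKED"
    needed = FUNCTION_ACCESS[function]
    rule = best_rule(rules, "XFC", f"{sysplex}.{applid}.{rtype}.{rname}", uid)
    if rule is None or not rule.allow:
        return "DENY"  # ACF2 protects by default: no rule line, no access
    granted = ACF2_TO_RACF[rule.service]
    return "ALLOW" if RACF_RANK[granted] >= RACF_RANK[needed] else "DENY"


# The four cases from the page plus the gate rule, with constructed UID strings.
PAGE_RULES = [
    RuleLine("FAC", "CICS.RESOURCE", "", "READ"),                       # "" = every UID
    RuleLine("XFC", "SYSPLEXA.CICSDEV.FILE.-", "DEVUSR", "READ"),       # Case 1
    RuleLine("XFC", "SYSPLEXA.CICSDEV.-", "DEVUSR", "READ"),            # Case 2
    RuleLine("XFC", "SYSPLEXA.CICSDEV.-", "SYSPROG", "DELETE"),         # Case 3
    RuleLine("XFC", "SYSPLEXA.CICSDEV.FILE.FM-", "FMUSER1", "DELETE"),  # Case 4
]

if __name__ == "__main__":
    for uid, func, rtype, rname in [
        ("DEVUSR01", "BROWSE", "FILE", "CUSTOMER"),   # Case 1: ALLOW
        ("DEVUSR01", "EDIT", "FILE", "CUSTOMER"),     # Case 1: DENY (READ only)
        ("SYSPROG01", "SET", "TRAN", "ABCD"),         # Case 3: ALLOW (DELETE = CONTROL)
        ("FMUSER1", "EDIT", "FILE", "FMTEST"),        # Case 4: ALLOW
        ("FMUSER1", "EDIT", "FILE", "CUSTOMER"),      # no matching line: DENY
    ]:
        print(uid, func, rtype, rname, "->",
              check_fmcics(PAGE_RULES, uid, func, "SYSPLEXA", "CICSDEV", rtype, rname))
    # Without the FAC gate line FM/CICS performs no resource checking at all:
    print("no gate ->", check_fmcics(PAGE_RULES[1:], "DEVUSR01", "EDIT",
                                     "SYSPLEXA", "CICSDEV", "FILE", "CUSTOMER"))
```

The last line is the point worth remembering when auditing an FM/CICS setup: a missing READ permit on XXXX.CICS.RESOURCE does not lock a user out, it switches the XFACILIT checks off for that user, so verify the gate permit before trusting any of the XFC rules.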