Introduction:
CICS System Programming (SP) commands such as those used with CEMT are a special subset of EXEC CICS commands that users can issue. These commands enable you to access system and resource information that defines a resource. These commands also let you change some of these resource definitions and run-time values. Typically, systems programmers use these commands, but application programs can also issue them. Because you do not want everyone to have access to these commands, you will want to protect them.
System Programming (SP) command rules provide security checking for the SP commands. The following table lists the SERVICE keywords and command verbs that command security applies to:
| CICS EXEC Command Verb | SERVICE Keyword in rule |
|---|---|
| CREATE | ADD |
| DISCARD | ADD |
| COLLECT | READ |
| INQUIRE | READ |
| ACQUIRE | UPDATE |
| DISABLE | UPDATE |
| ENABLE | UPDATE |
| EXTRACT | UPDATE |
| PERFORM | UPDATE |
| RESYNC | UPDATE |
| SET | UPDATE |
The resource name in the rule is the 1- to 12-character command resource name defined by IBM in its external security manager implementation. These names are listed in the IBM CICS-RACF Security Guide. You can use an abbreviation when you execute the command, but CICS translates it into the full command name before the validation, so the rule must always use the full name.
The following table lists each XCMD resource key, the access level (SERVICE) it requires, and the SP commands it covers:
| XCMD RESOURCE KEY | ACCESS LEVEL REQUIRED | SP CICS COMMAND |
|---|---|---|
| AUTINSTMODEL | READ | INQUIRE AUTINSTMODEL |
| AUTINSTMODEL | ADD | DISCARD AUTINSTMODEL |
| AUTOINSTALL | READ | INQUIRE AUTOINSTALL |
| AUTOINSTALL | UPDATE | SET AUTOINSTALL |
| BEAN | READ | INQUIRE BEAN |
| BRFACILITY | READ | INQUIRE BRFACILITY |
| BRFACILITY | UPDATE | SET BRFACILITY |
| CFDTPOOL | READ | INQUIRE CFDTPOOL |
| CLASSCACHE | READ | INQUIRE CLASSCACHE |
| CLASSCACHE | UPDATE | PERFORM CLASSCACHE |
| CLASSCACHE | UPDATE | SET CLASSCACHE |
| CONNECTION | READ | INQUIRE CONNECTION |
| CONNECTION | UPDATE | SET CONNECTION |
| CONNECTION | ADD | CREATE CONNECTION |
| CONNECTION | ADD | DISCARD CONNECTION |
| CORBASERVER | READ | INQUIRE CORBASERVER |
| CORBASERVER | UPDATE | SET CORBASERVER |
| CORBASERVER | ADD | CREATE CORBASERVER |
| CORBASERVER | ADD | DISCARD CORBASERVER |
| CORBASERVER | UPDATE | PERFORM CORBASERVER |
| DB2CONN | READ | INQUIRE DB2CONN |
| DB2CONN | UPDATE | SET DB2CONN |
| DB2CONN | ADD | CREATE DB2CONN |
| DB2CONN | ADD | DISCARD DB2CONN |
| DB2ENTRY | READ | INQUIRE DB2ENTRY |
| DB2ENTRY | UPDATE | SET DB2ENTRY |
| DB2ENTRY | ADD | CREATE DB2ENTRY |
| DB2ENTRY | ADD | DISCARD DB2ENTRY |
| DB2TRAN | READ | INQUIRE DB2TRAN |
| DB2TRAN | UPDATE | SET DB2TRAN |
| DB2TRAN | ADD | CREATE DB2TRAN |
| DB2TRAN | ADD | DISCARD DB2TRAN |
| DELETSHIPPED | READ | INQUIRE DELETSHIPPED |
| DELETSHIPPED | UPDATE | SET DELETSHIPPED |
| DELETSHIPPED | UPDATE | PERFORM DELETSHIPPED |
| DISPATCHER | READ | INQUIRE DISPATCHER |
| DISPATCHER | UPDATE | SET DISPATCHER |
| DJAR | READ | INQUIRE DJAR |
| DJAR | ADD | CREATE DJAR |
| DJAR | ADD | DISCARD DJAR |
| DJAR | UPDATE | PERFORM DJAR |
| DOCTEMPLATE | READ | INQUIRE DOCTEMPLATE |
| DSNAME | READ | INQUIRE DSNAME |
| DSNAME | UPDATE | SET DSNAME |
| DUMP | UPDATE | PERFORM DUMP |
| DUMPDS | READ | INQUIRE DUMPDS |
| DUMPDS | UPDATE | SET DUMPDS |
| ENQMODEL | READ | INQUIRE ENQMODEL |
| ENQMODEL | UPDATE | SET ENQMODEL |
| ENQMODEL | ADD | CREATE ENQMODEL |
| EXCI | READ | INQUIRE EXCI |
| EXITPROGRAM | UPDATE | EXEC CICS ENABLE PROGRAM |
| EXITPROGRAM | UPDATE | EXEC CICS DISABLE PROGRAM |
| EXITPROGRAM | UPDATE | EXEC CICS EXTRACT EXIT |
| EXITPROGRAM | UPDATE | EXEC CICS RESYNC ENTRYNAME |
| EXITPROGRAM | READ | INQUIRE EXITPROGRAM |
| FILE | READ | INQUIRE FILE |
| FILE | UPDATE | SET FILE |
| FILE | ADD | CREATE FILE |
| FILE | ADD | DISCARD FILE |
| HOST | READ | INQUIRE HOST |
| HOST | UPDATE | SET HOST |
| IRC | READ | INQUIRE IRC |
| IRC | UPDATE | SET IRC |
| JOURNALMODEL | READ | EXEC CICS INQUIRE JOURNALMODEL |
| JOURNALMODEL | ADD | EXEC CICS DISCARD JOURNALMODEL |
| JOURNALMODEL | READ | CEMT INQUIRE JMODEL |
| JOURNALNAME | READ | INQUIRE JOURNALNAME |
| JOURNALNAME | UPDATE | SET JOURNALNAME |
| JVM | READ | INQUIRE JVM |
| JVMPOOL | READ | INQUIRE JVMPOOL |
| JVMPOOL | UPDATE | SET JVMPOOL |
| JVMPROFILE | READ | INQUIRE JVMPROFILE |
| LINE | READ | CEMT INQUIRE LINE |
| LINE | UPDATE | CEMT SET LINE |
| LSRPOOL | ADD | CREATE LSRPOOL |
| MAPSET | ADD | CREATE MAPSET |
| MAPSET | ADD | DISCARD MAPSET |
| MODENAME | READ | INQUIRE MODENAME |
| MODENAME | UPDATE | SET MODENAME |
| MONITOR | READ | INQUIRE MONITOR |
| MONITOR | UPDATE | SET MONITOR |
| MVSTCB | READ | COLLECT STATISTICS |
| MVSTCB | READ | INQUIRE MVSTCB |
| PARTITIONSET | ADD | CREATE PARTITIONSET |
| PARTITIONSET | ADD | DISCARD PARTITIONSET |
| PARTNER | READ | INQUIRE PARTNER |
| PARTNER | ADD | CREATE PARTNER |
| PARTNER | ADD | DISCARD PARTNER |
| PIPELINE | ADD | CREATE PIPELINE |
| PIPELINE | ADD | DISCARD PIPELINE |
| PIPELINE | READ | INQUIRE PIPELINE |
| PIPELINE | UPDATE | PERFORM PIPELINE |
| PIPELINE | UPDATE | SET PIPELINE |
| PROCESSTYPE | ADD | CEMT DEFINE PROCESSTYPE |
| PROCESSTYPE | ADD | EXEC CICS CREATE PROCESSTYPE |
| PROCESSTYPE | ADD | EXEC CICS DISCARD PROCESSTYPE |
| PROCESSTYPE | READ | CEMT INQUIRE PROCESSTYPE |
| PROCESSTYPE | UPDATE | CEMT SET PROCESSTYPE |
| PROFILE | READ | INQUIRE PROFILE |
| PROFILE | ADD | CREATE PROFILE |
| PROFILE | ADD | DISCARD PROFILE |
| PROGRAM | READ | INQUIRE PROGRAM |
| PROGRAM | UPDATE | SET PROGRAM |
| PROGRAM | ADD | CREATE PROGRAM |
| PROGRAM | ADD | DISCARD PROGRAM |
| REQID | READ | EXEC CICS INQUIRE REQID |
| RESETTIME | UPDATE | PERFORM RESETTIME |
| REQUESTMODEL | READ | INQUIRE REQUESTMODEL |
| RRMS | READ | INQUIRE RRMS |
| SECURITY | UPDATE | PERFORM SECURITY REBUILD |
| SESSIONS | ADD | CREATE SESSIONS |
| SESSIONS | ADD | DISCARD SESSIONS |
| SHUTDOWN | UPDATE | PERFORM SHUTDOWN |
| STATISTICS | READ | INQUIRE STATISTICS |
| STATISTICS | UPDATE | SET STATISTICS |
| STATISTICS | READ | EXEC CICS COLLECT STATISTICS |
| STATISTICS | UPDATE | EXEC CICS EXTRACT STATISTICS |
| STATISTICS | UPDATE | EXEC CICS PERFORM STATISTICS RECORD |
| STORAGE | READ | INQUIRE STORAGE |
| STREAMNAME | READ | INQUIRE STREAMNAME |
| SUBPOOL | READ | INQUIRE SUBPOOL |
| SYSDUMPCODE | READ | INQUIRE SYSDUMPCODE |
| SYSDUMPCODE | UPDATE | SET SYSDUMPCODE |
| SYSTEM | READ | INQUIRE SYSTEM |
| SYSTEM | UPDATE | SET SYSTEM |
| TASK | READ | INQUIRE TASK |
| TASK | READ | INQUIRE TASK LIST |
| TASK | UPDATE | SET TASK LIST |
| TCLASS | READ | INQUIRE TCLASS |
| TCLASS | UPDATE | SET TCLASS |
| TCLASS | ADD | DISCARD TCLASS |
| TCLASS | READ | INQUIRE TRANCLASS |
| TCLASS | UPDATE | SET TRANCLASS |
| TCLASS | ADD | CREATE TRANCLASS |
| TCLASS | ADD | DISCARD TRANCLASS |
| TCPIP | READ | INQUIRE TCPIP |
| TCPIP | UPDATE | SET TCPIP |
| TCPIPSERVICE | READ | INQUIRE TCPIPSERVICE |
| TCPIPSERVICE | UPDATE | SET TCPIPSERVICE |
| TCPIPSERVICE | ADD | CREATE TCPIPSERVICE |
| TCPIPSERVICE | ADD | DISCARD TCPIPSERVICE |
| TDQUEUE | READ | INQUIRE TDQUEUE |
| TDQUEUE | UPDATE | SET TDQUEUE |
| TDQUEUE | ADD | CREATE TDQUEUE |
| TDQUEUE | ADD | DISCARD TDQUEUE |
| TERMINAL | READ | INQUIRE TERMINAL |
| TERMINAL | UPDATE | SET TERMINAL |
| TERMINAL | ADD | CREATE TERMINAL |
| TERMINAL | ADD | DISCARD TERMINAL |
| TERMINAL | READ | INQUIRE NETNAME |
| TERMINAL | UPDATE | SET NETNAME |
| TRACEDEST | READ | EXEC CICS INQUIRE TRACEDEST |
| TRACEDEST | UPDATE | EXEC CICS SET TRACEDEST |
| TRACEFLAG | READ | EXEC CICS INQUIRE TRACEFLAG |
| TRACEFLAG | UPDATE | EXEC CICS SET TRACEFLAG |
| TRACETYPE | READ | EXEC CICS INQUIRE TRACETYPE |
| TRACETYPE | UPDATE | EXEC CICS SET TRACETYPE |
| TRANDUMPCODE | READ | INQUIRE TRANDUMPCODE |
| TRANDUMPCODE | UPDATE | SET TRANDUMPCODE |
| TRANSACTION | READ | INQUIRE TRANSACTION |
| TRANSACTION | UPDATE | SET TRANSACTION |
| TRANSACTION | ADD | CREATE TRANSACTION |
| TRANSACTION | ADD | DISCARD TRANSACTION |
| TSMODEL | READ | INQUIRE TSMODEL |
| TSMODEL | ADD | CREATE TSMODEL |
| TSMODEL | ADD | DISCARD TSMODEL |
| TSPOOL | READ | INQUIRE TSPOOL |
| TSQUEUE | READ | EXEC CICS INQUIRE TSQUEUE |
| TSQNAME | READ | INQUIRE TSQNAME |
| TSQNAME | UPDATE | SET TSQNAME |
| TYPETERM | ADD | CREATE TYPETERM |
| TYPETERM | ADD | DISCARD TYPETERM |
| UOW | READ | INQUIRE UOW |
| UOW | UPDATE | SET UOW |
| UOWDSNFAIL | READ | INQUIRE UOWDSNFAIL |
| UOWENQ | READ | INQUIRE UOWENQ |
| UOWLINK | READ | INQUIRE UOWLINK |
| UOWLINK | UPDATE | EXEC CICS SET UOWLINK |
| URIMAP | READ | INQUIRE URIMAP |
| URIMAP | UPDATE | SET URIMAP |
| URIMAP | ADD | CREATE URIMAP |
| URIMAP | ADD | DISCARD URIMAP |
| VTAM | READ | INQUIRE VTAM |
| VTAM | UPDATE | SET VTAM |
| WEB | READ | INQUIRE WEB |
| WEB | UPDATE | SET WEB |
| WEBSERVICE | ADD | CREATE WEBSERVICE |
| WEBSERVICE | ADD | DISCARD WEBSERVICE |
| WEBSERVICE | READ | INQUIRE WEBSERVICE |
| WEBSERVICE | UPDATE | SET WEBSERVICE |
| WORKREQUEST | READ | INQUIRE WORKREQUEST |
| WORKREQUEST | UPDATE | SET WORKREQUEST |
The resource type code for SP command rules is XCD by default; your site can change it if desired. The type code is controlled by the ACF2/CICS XCMD CICSKEY control record.
To activate command security using the ACF2/CICS interface, ensure that these steps are performed:
In addition, if RESSEC(YES) is also active in the environment, access to the specific transaction, program, file, transient data queue, or temporary storage queue name can also be validated. The access type or SERVICE to use is as follows:
CICS performs the resource security check as long as you have set up your ACF2/CICS parameters correctly:
Instructions:
Sample SP Command Rules
Scenario: The security administrator wants to limit who can issue system programming or SP commands. In particular, he wants to give application development managers access to the EXEC CICS INQUIRE PROGRAM command.
An example of this command is:

```
CEMT INQ PROGRAM(PAYMAST)
```
First, define the SP commands as a resource to the CICS interface through the CICSKEY definition. Because this command is performing an inquiry on the program PAYMAST, you can also ensure that the CICS interface performs a security check for the program resource.
The following CICSKEY definitions define the SP command resource (XCMD) and the program resource (PROGRAM).
```
CICSKEY RESOURCE=XCMD,OPTION=VALIDATE,TYPE=XCD
CICSKEY RESOURCE=PROGRAM,OPTION=VALIDATE,TYPE=CPC
```
The CICS interface first validates the request for the CICSKEY resource called XCMD against the SP command resource rule. The following resource rule lets the application development managers (ADM) issue the INQUIRE, SET, CREATE and DISCARD commands for the EXEC CICS PROGRAM command. In addition, application development programmers (ADP) and application development clients (ADC) can issue the EXEC CICS INQUIRE PROGRAM command to view program definitions.

```
$KEY(PROGRAM) TYPE(XCD)
UID(ADM) SERVICE(UPDATE,READ,ADD) ALLOW
UID(ADP) SERVICE(READ) ALLOW
UID(ADC) SERVICE(READ) ALLOW
```

In this rule set, the resource name is PROGRAM, the type code is XCD, and the access the command requires (INQUIRE, which maps to READ) is matched against the SERVICE specification of the entry that applies to the user. Then, if RESSEC=ALWAYS (or YES) is active for the task issuing the SP command, an additional resource security check is made against the specific resource that the command is directed towards. In this case, the second validation is performed against the CICSKEY resource called PROGRAM.
The SERVICE is treated as follows:
Note: Since both SP command validation and standard program execution use the same CPC rules, you need to ensure that users who are allowed to execute the programs are not inadvertently given SP command authority.
In this case, for program execution, access is given by

```
UID(ADC) ALLOW
```

Because this entry carries no SERVICE keyword, it grants every service, so it would automatically give all SP command access as well. A further entry is therefore required to prevent the SP command services:

```
UID(ADC) SERVICE(READ,UPDATE,ADD) PREVENT
```
The following resource rule lets the application development managers (ADM) issue the INQUIRE, SET, CREATE and DISCARD SP commands for program PAYMAST, but does not allow them to execute the program.
In addition, application development programmers (ADP) can issue the INQUIRE SP command for program PAYMAST, but cannot execute the program. Also, application development clients (ADC) cannot issue any of the SP commands for program PAYMAST, but can execute program PAYMAST.
```
$KEY(PAYMAST) TYPE(CPC)
UID(ADM) SERVICE(READ,UPDATE,ADD) ALLOW
UID(ADP) SERVICE(READ) ALLOW
UID(ADC) SERVICE(READ,UPDATE,ADD) PREVENT
UID(ADC) ALLOW
```
The following rule allows the application development programmers (ADP) to issue a CEMT PERFORM SHUTDOWN command. PERFORM maps to the UPDATE service level.
$KEY(SHUTDOWN) TYPE(XCD) UID(ADP) SERVICE(UPDATE) ALLOW
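The following Python model walks through the two-stage check the scenario describes (the verb-to-SERVICE mapping from the first table, the XCMD rule check, and the RESSEC check against the CPC rule for PAYMAST), and reproduces the pitfall in the note above, where a CPC entry without a SERVICE keyword silently grants SP command access. It is an added illustration written for this page, not ACF2/CICS code, and it simplifies ACF2 semantics: rule entries are evaluated in the order written and the first matching entry decides, a UID mask is treated as a plain prefix, an entry with no SERVICE keyword matches every service, no matching entry means denial, and ordinary program execution is represented by a hypothetical service named EXECUTE. The abbreviation table is a constructed subset.

```python
"""Simplified model of ACF2/CICS SP command security (illustration, not product code)."""
import re
from dataclasses import dataclass

# SP command verb -> SERVICE keyword, as given in the table on this page.
VERB_TO_SERVICE = {
    "CREATE": "ADD", "DISCARD": "ADD",
    "COLLECT": "READ", "INQUIRE": "READ",
    "ACQUIRE": "UPDATE", "DISABLE": "UPDATE", "ENABLE": "UPDATE", "EXTRACT": "UPDATE",
    "PERFORM": "UPDATE", "RESYNC": "UPDATE", "SET": "UPDATE",
}
# Constructed subset of CEMT abbreviations; CICS expands them before validation.
ABBREV = {"INQ": "INQUIRE", "PERF": "PERFORM", "DISC": "DISCARD"}
# Assumption: plain program execution is modelled as this hypothetical service name.
EXECUTE_SERVICE = "EXECUTE"

CMD_RE = re.compile(r"^(?:CEMT\s+|EXEC\s+CICS\s+)?([A-Z]+)\s+([A-Z0-9]+)(?:\(([A-Z0-9]+)\))?", re.I)


def parse_sp_command(text):
    """Return (verb, resource key, resource name or None, required SERVICE)."""
    m = CMD_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SP command: {text!r}")
    verb = ABBREV.get(m.group(1).upper(), m.group(1).upper())
    if verb not in VERB_TO_SERVICE:
        raise ValueError(f"{verb} is not subject to command security")
    name = m.group(3).upper() if m.group(3) else None
    return verb, m.group(2).upper(), name, VERB_TO_SERVICE[verb]


@dataclass(frozen=True)
class Entry:
    uid: str                     # UID mask, treated here as a simple prefix (assumption)
    allow: bool                  # True = ALLOW, False = PREVENT
    services: frozenset = frozenset()   # empty = no SERVICE keyword = every service

    def matches(self, uid, service):
        return uid.startswith(self.uid) and (not self.services or service in self.services)


@dataclass
class RuleSet:
    key: str          # $KEY value
    type_code: str    # XCD for SP command rules, CPC for program rules
    entries: tuple

    def check(self, uid, service):
        for entry in self.entries:          # first matching entry decides (simplification)
            if entry.matches(uid, service):
                return entry.allow
        return False                        # no applicable entry: deny (assumption)


def svc(*names):
    return frozenset(names)


# Rule sets from the scenario on this page.
XCMD_RULES = {
    "PROGRAM": RuleSet("PROGRAM", "XCD", (
        Entry("ADM", True, svc("UPDATE", "READ", "ADD")),
        Entry("ADP", True, svc("READ")),
        Entry("ADC", True, svc("READ")),
    )),
    "SHUTDOWN": RuleSet("SHUTDOWN", "XCD", (Entry("ADP", True, svc("UPDATE")),)),
}
PAYMAST_HARDENED = RuleSet("PAYMAST", "CPC", (
    Entry("ADM", True, svc("READ", "UPDATE", "ADD")),
    Entry("ADP", True, svc("READ")),
    Entry("ADC", False, svc("READ", "UPDATE", "ADD")),   # PREVENT the SP services
    Entry("ADC", True),                                  # execution only
))
# The pitfall from the note: execution access with no SERVICE keyword and no PREVENT.
PAYMAST_NAIVE = RuleSet("PAYMAST", "CPC", (Entry("ADC", True),))
CPC_RULES = {"PROGRAM": {"PAYMAST": PAYMAST_HARDENED}}


def authorise(uid, command, xcmd_rules, resource_rules, ressec=True):
    """Stage 1: XCMD rule for the command. Stage 2 (RESSEC): rule for the named resource."""
    _verb, resource, name, service = parse_sp_command(command)
    xcmd = xcmd_rules.get(resource)
    if xcmd is None or not xcmd.check(uid, service):
        return "DENIED:XCMD"
    if ressec and name is not None and resource in resource_rules:
        target = resource_rules[resource].get(name)
        if target is None or not target.check(uid, service):
            return "DENIED:RESSEC"
    return "ALLOWED"


def may_execute_program(uid, name, resource_rules):
    """Ordinary program execution, checked against the same CPC rule set."""
    rule = resource_rules["PROGRAM"].get(name)
    return rule is not None and rule.check(uid, EXECUTE_SERVICE)


if __name__ == "__main__":
    for uid, cmd in (("ADM01", "CEMT INQ PROGRAM(PAYMAST)"), ("ADC01", "CEMT INQ PROGRAM(PAYMAST)"),
                     ("ADP01", "CEMT SET PROGRAM(PAYMAST)"), ("ADP01", "CEMT PERF SHUTDOWN")):
        print(f"{uid:6} {cmd:28} -> {authorise(uid, cmd, XCMD_RULES, CPC_RULES)}")
    print("ADC01 execute PAYMAST ->", may_execute_program("ADC01", "PAYMAST", CPC_RULES))
    naive = {"PROGRAM": {"PAYMAST": PAYMAST_NAIVE}}
    print("ADC01 INQ with naive rule ->", authorise("ADC01", "CEMT INQ PROGRAM(PAYMAST)", XCMD_RULES, naive))
```

With the hardened PAYMAST rule, ADC passes the XCMD stage for INQUIRE (it has SERVICE(READ) there) but is stopped at the RESSEC stage by the PREVENT entry, while its execution request falls through to the bare UID(ADC) ALLOW entry; swap in the naive rule and the same INQUIRE is allowed, which is exactly the exposure the note warns about.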