Authorizations for CICS regions
If the LOGSTRM resource class is active, the level of authorization required depends on whether log streams are always explicitly defined to the MVS™ system logger.
Ensure that the CICS® region user ID is authorized to write to, and create if necessary, the log streams and log stream data sets that are used for its system log and general logs. See Defining the logger environment for CICS. You do this by granting the appropriate access authorization to log stream profiles in the RACF® LOGSTRM general resource class:
- If CICS is expected to create log streams dynamically, CICS must have ALTER authority to the relevant log stream (LOGSTRM) profiles, UPDATE authority to the relevant coupling facility structure (IXLSTR) profiles in the FACILITY class, and UPDATE authority to the log stream data set (IXGLOGR) profiles in the DATASET class. Here is an example:
  PERMIT region_userid.applid.* CLASS(LOGSTRM) ACCESS(ALTER) ID(region_userid)
  PERMIT IXLSTR.structurename CLASS(FACILITY) ACCESS(UPDATE) ID(region_userid)
  PERMIT IXGLOGR.region_userid.* CLASS(DATASET) ACCESS(UPDATE) ID(region_userid)
- If all the log streams to which CICS writes are already defined to MVS, CICS requires only UPDATE authority to the log stream profiles (together with UPDATE authority to the log stream data set profiles), which is the least privilege to grant wherever dynamic creation is not needed:
  PERMIT region_userid.applid.* CLASS(LOGSTRM) ACCESS(UPDATE) ID(region_userid)
  PERMIT IXGLOGR.region_userid.* CLASS(DATASET) ACCESS(UPDATE) ID(region_userid)
In these examples, region_userid.applid.* is the generic profile name of the log stream resource: a resource name prefixed by the region user ID and the applid, where region_userid is the CICS region user ID under which CICS runs, either as a started task or as a batch job.
Permit READ access to those users who only read the CICS log streams. Permit UPDATE access to those users who update journals, by granting each such user the appropriate authority to the log stream in the LOGSTRM resource class and to the JOURNALNAME in the JCICSJCT class. You must also grant access to the data set profile that protects the data set containing the log stream.
  PERMIT journal_name CLASS(JCICSJCT) ACCESS(UPDATE) ID(logon_userid)
  RDEFINE LOGSTRM region_userid.** UACC(NONE)
If, however, you have multiple CICS systems sharing the same region user ID, but with differing security requirements, include the applid in the generic profile:
  RDEFINE LOGSTRM region_userid.applid.* UACC(NONE)
  PERMIT IXLSTR.structurename CLASS(FACILITY) ACCESS(UPDATE) ID(region_userid)
  PERMIT region_userid.applid.* CLASS(LOGSTRM) ACCESS(READ) ID(authorized_browsers)
  PERMIT region_userid.applid.* CLASS(LOGSTRM) ACCESS(UPDATE) ID(archive_userid)
In these examples, archive_userid is the user ID under which an application program runs to purge old data from CICS logs when the data is no longer required, and authorized_browsers refers to the user IDs of users who are allowed to read log streams but not to purge data.
If several CICS regions share the same CICS region user ID, you can make profiles more generic by specifying * for the applid qualifier.
The number of profiles you define depends on the naming conventions of the logs and on the extent to which you can use generic profiling.
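The fragments above can be combined into one consistent, least-privilege definition for a single region. The following batch job is an added example, not from the CICS documentation or from IBM: it runs the RACF commands through TSO in batch (IKJEFT01) and covers both the region's own authorizations and the user authorizations (browsers, the archive program, and a journal writer). Every name in it is hypothetical: CICSRGN is the region user ID, CICSPRD1 the applid, LOG_DFHLOG_001 the coupling facility structure, LOGBROWS a RACF group of log readers, LOGARCH the archive/purge user ID, ADMUSR1 a logon user ID that writes journal DFHJ05. It assumes the log streams are already defined to the MVS system logger (so the region gets UPDATE rather than ALTER), that enhanced generic naming is active (so ** in a DATASET profile matches any number of qualifiers), and that the default journal model applies, so that DFHJ05 maps to log stream CICSRGN.CICSPRD1.DFHJ05 and is covered by the same generic LOGSTRM profile.

```jcl
//RACFLOG  JOB (ACCT),'CICS LOGSTRM AUTH',CLASS=A,MSGCLASS=X
//*-----------------------------------------------------------------
//* Added example, not from the CICS documentation. All names are
//* hypothetical:
//*   CICSRGN         region user ID (started task or job user ID)
//*   CICSPRD1        CICS applid
//*   LOG_DFHLOG_001  coupling facility structure for the log streams
//*   LOGBROWS        RACF group allowed to read the log streams
//*   LOGARCH         user ID of the archive/purge program
//*   ADMUSR1         logon user ID allowed to write journal DFHJ05
//* Assumes enhanced generic naming (EGN) is active, so that ** in
//* a DATASET profile matches any number of qualifiers.
//*-----------------------------------------------------------------
//* STEP 1: profiles (UACC(NONE)) and the region's own access.
//* The region gets UPDATE, not ALTER, because its log streams are
//* pre-defined to the MVS system logger. Change the LOGSTRM PERMIT
//* to ACCESS(ALTER) only for a region that must create log streams
//* dynamically.
//*-----------------------------------------------------------------
//REGION   EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
 SETROPTS CLASSACT(LOGSTRM) GENERIC(LOGSTRM)
 RDEFINE  LOGSTRM  CICSRGN.CICSPRD1.* UACC(NONE)
 RDEFINE  FACILITY IXLSTR.LOG_DFHLOG_001 UACC(NONE)
 ADDSD    'IXGLOGR.CICSRGN.**' UACC(NONE)
 PERMIT   CICSRGN.CICSPRD1.* CLASS(LOGSTRM) ID(CICSRGN) ACCESS(UPDATE)
 PERMIT   IXLSTR.LOG_DFHLOG_001 CLASS(FACILITY) ID(CICSRGN) ACCESS(UPDATE)
 PERMIT   'IXGLOGR.CICSRGN.**' CLASS(DATASET) ID(CICSRGN) ACCESS(UPDATE)
/*
//*-----------------------------------------------------------------
//* STEP 2: users. Browsers get READ only. The archive program gets
//* UPDATE so it can purge old data. A user who writes journal
//* DFHJ05 needs UPDATE on the JCICSJCT journal resource, on the
//* underlying log stream, and on its offload data sets.
//*-----------------------------------------------------------------
//USERS    EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
 PERMIT   CICSRGN.CICSPRD1.* CLASS(LOGSTRM) ID(LOGBROWS) ACCESS(READ)
 PERMIT   CICSRGN.CICSPRD1.* CLASS(LOGSTRM) ID(LOGARCH) ACCESS(UPDATE)
 PERMIT   'IXGLOGR.CICSRGN.**' CLASS(DATASET) ID(LOGARCH) ACCESS(UPDATE)
 RDEFINE  JCICSJCT DFHJ05 UACC(NONE)
 PERMIT   DFHJ05 CLASS(JCICSJCT) ID(ADMUSR1) ACCESS(UPDATE)
 PERMIT   CICSRGN.CICSPRD1.* CLASS(LOGSTRM) ID(ADMUSR1) ACCESS(UPDATE)
 PERMIT   'IXGLOGR.CICSRGN.**' CLASS(DATASET) ID(ADMUSR1) ACCESS(UPDATE)
/*
//*-----------------------------------------------------------------
//* STEP 3: make the changes effective and verify the access lists.
//* RACLIST REFRESH is only meaningful for classes your site
//* RACLISTs (FACILITY and the CICS classes usually are).
//*-----------------------------------------------------------------
//VERIFY   EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
 SETROPTS GENERIC(LOGSTRM DATASET) REFRESH
 SETROPTS RACLIST(FACILITY JCICSJCT) REFRESH
 RLIST    LOGSTRM  CICSRGN.CICSPRD1.* AUTHUSER
 RLIST    FACILITY IXLSTR.LOG_DFHLOG_001 AUTHUSER
 LISTDSD  DATASET('IXGLOGR.CICSRGN.**') GENERIC AUTHUSER
 RLIST    JCICSJCT DFHJ05 AUTHUSER
/*
```

The VERIFY step is the check worth keeping: the AUTHUSER output shows the access list of each profile, so you can confirm that no ID other than the region holds more than UPDATE on the log streams, that browsers appear with READ only, and that UACC is NONE throughout. If several regions share CICSRGN with the same security requirements, the LOGSTRM profile can be widened to CICSRGN.** as in the text; keep the per-applid profile whenever the regions' requirements differ.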