Security planning for CICSPlex SM

CICSPlex® SM uses a SAF-compliant external security manager, such as RACF®, to prevent unauthorized access to CICSPlex SM functions and CICS® resources, and to control the simulation of CICS command checking and CICS resource checking.

In both cases, security checking is handled by the CMASs managing the CICS systems that are the target of any request to access a resource. For example, if a CICSplex is managed by two CMASs, and a request is made to access a resource in all CICS systems belonging to that CICSplex, the security check is performed in both CMASs.

To activate security checking, you must modify the JCL used to start the CMAS or its managed CICS systems. If security checking is switched off for the CICS system, no checking occurs, regardless of the CMAS setting. However, if security checking is switched off for the CMAS but switched on for the CICS system, the CICS system is not able to connect to the CMAS.
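As an added illustration of the settings described above (not part of the original documentation): the CMAS switches security checking on through the SEC parameter in its EYUPARM input, and a managed CICS system through the SEC system initialization parameter. The DD names, the placement of the parameters in the startup JCL and the SYSIN override layout are shown as this editor understands them; the job and member names are placeholders.

```jcl
//* Added example, placeholder names: CMAS startup JCL, EYUPARM input
//* Security checking in the CMAS is switched on with SEC(YES)
//EYUPARM  DD *
SEC(YES)
/*
//* Added example, placeholder names: managed CICS system startup JCL,
//* system initialization parameter overrides read from SYSIN.
//* SEC=YES here requires SEC(YES) in the owning CMAS, otherwise the
//* CICS system cannot connect to the CMAS.
//SYSIN    DD *
SEC=YES,
.END
/*
```

When planning, check each CMAS and managed CICS system pair against the rule above: SEC(YES) in the CMAS with SEC=YES in the CICS system gives full checking; SEC=NO in the CICS system disables checking for that system whatever the CMAS setting; SEC(NO) in the CMAS with SEC=YES in the CICS system stops the CICS system from connecting.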

Begin by deciding how much security checking you need. In particular, identify those users who need access to CICSPlex SM, and ensure that an individual user has the same user ID across all systems on which a CMAS is installed. The user ID against which the security check is performed is the RACF ID that has been used to sign on to CICSPlex SM. Consider also the type of security checking you want to implement.

See Implementing CICSPlex SM security for more information about how to set up CICSPlex SM security.

Protecting access to CICSPlex SM functions and CICS resources

To prevent unauthorized access, you create security profiles for combinations of CICSPlex SM functions and CICS resources that are to be protected. In most cases, the security provided by CICSPlex SM security profiles is adequate.

An external security manager is also used to protect CICSPlex SM libraries, procedures and Web User Interface resources. Full details of how to protect CICSPlex SM libraries and procedures are provided in Implementing CICSPlex SM security. To protect Web User Interface views, menus, help information and the View Editor, you need to create an appropriate profile in the FACILITY class. See Controlling access to Web User Interface resources for more information.

Special considerations for BAS

Take special care in the protection of the BAS views, so that unauthorized users cannot create and administer resources. The equivalent in RDO terms is leaving your CSD unprotected.

Also take care if you use the EXEC CICS CREATE command to build new resources. Any definition created with the CICSplex as the context is automatically distributed to all CMASs in the CICSplex. Therefore, giving a user authority to create BAS objects is equivalent to giving authority to install resources on any CICS system in the CICSplex. When the CICS system starts, there is no check on who installed the resource in the system.
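The profiles referred to in the two preceding sections, as an added example that is not part of the original documentation. The CICSPlex SM function profiles are shown in the CPSMOBJ class, using the context.scope.type.resource qualifier layout, and the Web User Interface profiles in the FACILITY class with the EYUWUI prefix, both as this editor understands them; confirm the exact qualifier layout against Implementing CICSPlex SM security and Controlling access to Web User Interface resources. PLXPROD1 (CICSplex name), WUISRV01 (WUI server APPLID), BASADMIN and CPSMOPS (RACF groups) are placeholders. The commands are written as a CLIST, so the /* */ lines are comments.

```tso
/* Added example, placeholder names. Activate the class and generic profiles */
SETROPTS CLASSACT(CPSMOBJ) GENERIC(CPSMOBJ)

/* Deny all BAS objects in CICSplex PLXPROD1 by default: creating a BAS   */
/* object here is equivalent to installing it on every CICS system in the  */
/* CICSplex, so the default must be no access                              */
RDEFINE CPSMOBJ PLXPROD1.*.BAS.** UACC(NONE)
/* Only the BAS administration group may create, change or remove objects  */
PERMIT PLXPROD1.*.BAS.** CLASS(CPSMOBJ) ID(BASADMIN) ACCESS(UPDATE)
/* Operations staff may browse BAS definitions but not change them         */
PERMIT PLXPROD1.*.BAS.** CLASS(CPSMOBJ) ID(CPSMOPS) ACCESS(READ)

/* Web User Interface on server WUISRV01: lock the View Editor and views   */
RDEFINE FACILITY EYUWUI.WUISRV01.EDITOR UACC(NONE)
RDEFINE FACILITY EYUWUI.WUISRV01.VIEW.** UACC(NONE)
PERMIT EYUWUI.WUISRV01.EDITOR CLASS(FACILITY) ID(BASADMIN) ACCESS(READ)
PERMIT EYUWUI.WUISRV01.VIEW.** CLASS(FACILITY) ID(CPSMOPS) ACCESS(READ)

/* Make the new and changed profiles effective in the in-storage tables    */
SETROPTS RACLIST(CPSMOBJ) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH
```

The default of UACC(NONE) with explicit PERMITs keeps the BAS definitions at least as protected as an RDO CSD would be. Because the check is performed in every CMAS that manages the CICSplex, the same RACF database, or identical profiles, and the same user IDs must be present on every system on which one of those CMASs runs.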

CICS command and resource checking

CICS command and resource checking is simulated by CICSPlex SM in the CMASs to which a request is directed. This allows you to protect CICS systems that do not support your external security manager. It also allows for a level of consolidation of your security checking.

Determine where CICS resource and command checking is in effect, and decide whether it needs to be retained along with other CICSPlex SM security checking.