How do you define and enforce CICS security policies for different user groups?

1 CICS security components

CICS security consists of three main components: the CICS security manager, the external security manager (ESM), and the security exit. The CICS security manager is the internal component that handles the communication between CICS and the ESM, and also performs some security checks and functions. The ESM is the external component that provides the security database and the authorization service for CICS. The most common ESMs are RACF, ACF2, and Top Secret. The security exit is an optional component that allows you to customize the security processing for specific CICS resources or transactions.

2 CICS security domains

CICS security domains are logical groupings of CICS resources or transactions that have similar security requirements. For example, you can define a security domain for files, programs, transactions, terminals, web services, and so on. Each security domain has a security attribute table (SAT) that specifies the security rules and settings for that domain. You can also define global security settings that apply to all security domains in a CICS region.

3 CICS resource definitions

CICS resource definitions are the entries that identify and describe the CICS resources or transactions that are available in a CICS region. You can use the CICS resource definition online (RDO) facility or the CICS configuration manager (CCM) tool to create and manage resource definitions. Each resource definition has a resource name, a resource type, and a resource class. The resource name is the unique identifier for the resource or transaction. The resource type is the category of the resource or transaction, such as FILE, PROGRAM, TRANSID, or WEBSERVICE. The resource class is the subcategory of the resource or transaction, such as VSAM, COBOL, or SOAP.

4 CICS user profiles

CICS user profiles are the entries that identify and describe the CICS users and their access rights to CICS resources or transactions. You can use the ESM tools or commands to create and manage user profiles. Each user profile has a user ID, a password, and a group affiliation. The user ID is the unique identifier for the user. The password is the secret code that authenticates the user. The group affiliation is the association of the user with one or more groups that share common access rights.

5 CICS security policies

CICS security policies are the rules that determine the access rights of CICS users to CICS resources or transactions. You can use the ESM tools or commands to create and manage security policies. Each security policy has a profile name, a profile type, a profile class, and an access level. The profile name is the name of the resource or transaction that the policy applies to. The profile type is the same as the resource type, such as FILE, PROGRAM, TRANSID, or WEBSERVICE. The profile class is the same as the resource class, such as VSAM, COBOL, or SOAP. The access level is the degree of access that the policy grants to the user or group, such as READ, UPDATE, EXECUTE, or CONTROL.

6 CICS security enforcement

CICS security enforcement is the process of verifying and granting access rights of CICS users to CICS resources or transactions. CICS security enforcement occurs at two levels: sign-on and resource access. At sign-on level, CICS verifies the user ID and password of the user and assigns a security context to the user session. At resource access level, CICS checks the security context of the user against the security policy of the resource or transaction and either allows or denies access. You can also use the security exit to modify or bypass the default security enforcement for specific resources or transactions.

7 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?