[prev in list] [next in list] [prev in thread] [next in thread] 

List:       racf-l
Subject:    Re: CICSCMD activation
From:       Homer Monts <hmonts () BELLSOUTH ! NET>
Date:       2015-07-30 4:40:28
Message-ID: 55B9AABC.5090104 () bellsouth ! net
[Download RAW message or body]

Thanks Bob,

Great information. This will be very helpful during our implementation.

Homer

On 7/29/2015 7:07 AM, Robert S. Hansel (RSH) wrote:
> Hi Homer,
> 
> Here are a few thoughts.
> 
> Be aware that if no profile is found for a command, access is denied. Define \
> profiles in advance and have a catch-all to temporarily grant access during testing \
> to anything you missed. 
> Give some consideration as to how the SIT parm CMDSEC is to be set. If set to \
> ALWAYS, all command use is checked. Even the CICS region itself will need to be \
> permitted access in some cases. If set of ASIS (the default), command use is only \
> checked when the transaction is configured with CMDSEC(YES). The CICS supplied \
> transactions with CMDSEC(YES) are CECI, CEDF, CEMT, CEST, and CIRP. 
> If the target object (e.g., FILE PAYMSTR) also happens to be a type of resource \
> protected by another RACF class (e.g., FCICSFCT) and RESSEC is active, another RACF \
> check is made for access to the target object in its own class and at the same \
> level of access needed for the command (e.g., ALTER to FCICSFCT PAYMSTR to perform \
> DISCARD). The same transactions mentioned above also have RESSEC(YES). 
> Your CICS systems programmers may have changed the definitions of these \
> transactions so that they no longer have CMDSEC or RESSEC set to YES. I recommend \
> you become familiar with the use of the DFHCSDUP utility to list all your \
> transactions and their respective CMDSEC and RESSEC settings. I advise you to check \
> these settings on all your transactions before your proceed to see which ones will \
> be affected. You may find it helpful to do what we have done which is to write a \
> REXX program to parse the report to pull out all the necessary information. 
> Activating CMDSEC requires specifying XCMD=YES or =suffix in your SIT parms. You'll \
> need to restart CICS to activate it. 
> Regards, Bob
> 
> Robert S. Hansel
> Lead RACF Specialist
> RSH Consulting, Inc.
> 617-969-8211
> www.linkedin.com/in/roberthansel
> http://twitter.com/RSH_RACF
> www.rshconsulting.com
> -----------------------------------------------------------------------
> 2015 RACF Training
> - Securing z/OS UNIX  - WebEx - SEPT 22-25, 2015
> - Audit & Compliance Roadmap - Boston - NOV 10-13, 2015
> - Intro & Basic Admin - WebEx - DEC 7-11, 2015
> -----------------------------------------------------------------------
> 
> -----Original Message-----
> Date:    Tue, 28 Jul 2015 20:37:45 -0400
> From:    Homer Monts <hmonts@BELLSOUTH.NET>
> Subject: CICSCMD activation
> 
> We are in the process of researching the activation of the CICSCMD class in our \
> shop. We are looking for any potential 'gotchas' that we may encounter during \
> implementation. If anyone who has implemented this class can offer any insight it \
> would be greatly appreciated. 
> Homer
> 


[prev in list] [next in list] [prev in thread] [next in thread]