Controlling ZDT/CICS processing

Z Data Tools can read and modify data in CICS® resources and change their status. If those resources are not otherwise protected in the CICS environment, you might need to control which functions Z Data Tools for CICS users are allowed to perform.

If Security Server (RACF®) 1.9 or later, or an equivalent security product, is active, the Z Data Tools enhanced security facility uses the System Authorization Facility (SAF) for access control and authorization checking. Authorization is controlled by Z Data Tools-specific profiles in the FACILITY and XFACILIT classes, as follows.

Activating ZDT/CICS resource checking

The following FACILITY class profile acts as a switch: it determines whether Z Data Tools checks access to CICS resources at all.

FILEM.CICS.RESOURCE

Here is an example of activating ZDT/CICS resource checking.

RDEF FACILITY FILEM.CICS.RESOURCE AUDIT(NONE)      +
        UACC(READ) OWNER(TYRONED)
SETROPTS RACLIST(FACILITY) REFRESH

If this profile is defined and the user has READ access or higher to it, ZDT/CICS performs resource security checking using the XFACILIT class profiles described below. With UACC(READ), as in the example, checking is switched on for every user. If the profile is not defined, or the user has less than READ access to it, ZDT/CICS does not perform this checking, so the profile's UACC and access list decide who is subject to it.

Defining access to CICS resources

Define XFACILIT class profiles in the form:

FILEM.sysplex_name.cics_applid.resource_type.resource_name

Where

sysplex_name
The z/OS® sysplex name.
cics_applid
The CICS VTAM® application ID of the CICS region.
resource_type
One of these values:
FILE
CICS files
TD
CICS transient data queues
TS
CICS temporary storage queues
ENQ
CICS enqueue resource name
resource_name
The CICS file name, transient data queue name or temporary storage queue name. This level doesn't apply to the resource type ENQ.

Z Data Tools checks the user's level of access to the most specific XFACILIT profile that covers the resource and allows functions as follows. The levels are hierarchical in the usual RACF way: UPDATE includes READ, and CONTROL includes UPDATE.

READ
Allows read-only functions such as browse, print and view. The user cannot modify the CICS resource.
UPDATE
Allows update functions such as edit, data create and copy to, and allows deleting TS queues and emptying TD queues from the resource list displays.
CONTROL
Allows CICS SET processing to change the status of a resource and, for the XFACILIT profile with resource_type ENQ, allows purging tasks that hold outstanding enqueues. If the user does not have CONTROL access, the status fields that are otherwise modifiable on the resource list panels are protected for the resources the user is not allowed to change.
Note: If an XFACILIT profile covers a CICS file and the user performs a Z Data Tools function that reads or updates the underlying data set, an additional check verifies that the user has the required level of access to the data set name associated with the CICS file. The XFACILIT profile therefore cannot grant more access to a file's data than the user already has to the data set itself.

Examples for RACF definitions

The XFACILIT class must be active, and generic profile checking must be enabled for it, before generic profiles such as those below can be defined. After adding or changing profiles, refresh the class in the same way as for FACILITY above (SETROPTS RACLIST(XFACILIT) REFRESH) if it is RACLISTed, otherwise the change is not picked up. The user IDs in the examples (userid, TYRONED, sysprog, fmuser1) are placeholders.

Case 1. Allow all files on CICSDEV to be accessed read-only

RDEF XFACILIT FILEM.SYSPLEXA.CICSDEV.FILE.**  AUDIT(NONE) +
               UACC(READ) OWNER(userid)

Case 2. Allow all CICS resources on CICSDEV (files, TD queues, TS queues and ENQ) to be accessed read-only

RDEF XFACILIT FILEM.SYSPLEXA.CICSDEV.**  AUDIT(NONE)   +
               UACC(READ) OWNER(userid)

Case 3. Allow update access to all CICS resources on CICSDEV, and allow SET processing for the systems programmer user ID. This defines the same profile name as Case 2, so the two are alternatives, not additions.

RDEF XFACILIT FILEM.SYSPLEXA.CICSDEV.**  AUDIT(NONE)  +
               UACC(UPDATE) OWNER(userid)

PE FILEM.SYSPLEXA.CICSDEV.**  +
         CLASS(XFACILIT) ID(sysprog) ACC(CONTROL)

Case 4. Allow a specific user full access to files whose names begin with FM. Because RACF uses the most specific matching profile, this profile takes precedence over a FILE.** or ** profile for those files, and with UACC(NONE) every user not permitted to it loses even READ access to them.

RDEF XFACILIT FILEM.SYSPLEXA.CICSDEV.FILE.FM* AUDIT(NONE) +
               UACC(NONE) OWNER(TYRONED)
PE FILEM.SYSPLEXA.CICSDEV.FILE.FM* +
         CLASS(XFACILIT) ID(fmuser1) ACC(CONTROL)
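How the FACILITY switch, the XFACILIT naming scheme and the four cases interact is easier to see when modelled. The following Python is an added illustration, not Z Data Tools or RACF code: it applies the rules described above to the page's Cases 1, 3 and 4 using a simplified version of RACF's generic profile matching (the most specific covering profile wins). The user IDs ANYUSER, SYSPROG and FMUSER1, the resource names CUSTFILE, MYQUEUE and FMDATA, the second region CICSPRD and the function names are constructed for the example; what ZDT/CICS does when no XFACILIT profile covers a resource is not stated on this page, so the model reports that case separately rather than guessing.

```python
"""Model of ZDT/CICS resource checking: the FACILITY switch, the XFACILIT
naming scheme and the READ/UPDATE/CONTROL levels from this page, with a
simplified RACF generic-profile match (most specific covering profile wins).
Added illustration, not Z Data Tools or RACF code; the profiles, user IDs
and resource names are constructed from Cases 1-4."""
import re

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3}
# ZDT/CICS function -> minimum access level on the covering XFACILIT profile.
FUNCTION_LEVEL = {"browse": "READ", "view": "READ", "print": "READ",
                  "edit": "UPDATE", "create": "UPDATE", "copy_to": "UPDATE",
                  "delete_tsq": "UPDATE", "empty_tdq": "UPDATE",
                  "set": "CONTROL", "purge_enq_task": "CONTROL"}


def resource_name(sysplex, applid, rtype, name=None):
    """FILEM.sysplex.applid.type[.name]; the ENQ type has no name level."""
    if rtype not in ("FILE", "TD", "TS", "ENQ"):
        raise ValueError(f"unknown resource_type {rtype}")
    if rtype == "ENQ":
        if name is not None:
            raise ValueError("ENQ profiles have no resource_name level")
        return f"FILEM.{sysplex}.{applid}.ENQ"
    if not name:
        raise ValueError(f"{rtype} needs a resource_name")
    return f"FILEM.{sysplex}.{applid}.{rtype}.{name}"


def _profile_regex(profile):
    """** = zero or more qualifiers, * = rest of a qualifier, % = one char."""
    pieces = []
    for i, q in enumerate(profile.split(".")):
        if q == "**":
            pieces.append(r"(?:\.[^.]+)*" if i else r"[^.]+(?:\.[^.]+)*")
        else:
            body = "".join("[^.]*" if c == "*" else "[^.]" if c == "%"
                           else re.escape(c) for c in q)
            pieces.append((r"\." if i else "") + body)
    return re.compile("^" + "".join(pieces) + "$")


def _specificity(profile):
    """Per position: discrete char (3) beats % (2) beats * (1) beats ** (0)."""
    ranks = []
    for q in profile.split("."):
        ranks.extend([0] if q == "**" else
                     [2 if c == "%" else 1 if c == "*" else 3 for c in q])
        ranks.append(3)  # qualifier boundary
    return tuple(ranks)


class Store:
    """Minimal RACF-like database: (class, profile) -> UACC and permits."""
    def __init__(self):
        self.profiles = {}

    def rdef(self, klass, profile, uacc="NONE"):
        self.profiles[(klass, profile)] = {"uacc": uacc, "permits": {}}

    def pe(self, klass, profile, userid, access):
        self.profiles[(klass, profile)]["permits"][userid] = access

    def access(self, klass, resource, userid):
        """Level from the most specific covering profile; None if none covers it."""
        matches = [p for (k, p) in self.profiles
                   if k == klass and _profile_regex(p).match(resource)]
        if not matches:
            return None
        entry = self.profiles[(klass, max(matches, key=_specificity))]
        return entry["permits"].get(userid, entry["uacc"])


def decide(store, userid, function, sysplex, applid, rtype, name=None):
    """'not checked' if FILEM.CICS.RESOURCE is absent or below READ for the
    user; else 'allowed'/'denied' by XFACILIT level, or 'unprotected' when no
    XFACILIT profile covers the resource (the page does not say what ZDT does
    then, so the model does not guess)."""
    gate = store.access("FACILITY", "FILEM.CICS.RESOURCE", userid)
    if gate is None or LEVELS[gate] < LEVELS["READ"]:
        return "not checked"
    level = store.access("XFACILIT", resource_name(sysplex, applid, rtype, name), userid)
    if level is None:
        return "unprotected"
    return "allowed" if LEVELS[level] >= LEVELS[FUNCTION_LEVEL[function]] else "denied"


def page_example_store():
    """FACILITY switch plus Cases 1, 3 and 4 (Case 2 names the same profile as
    Case 3, so only one of the two can exist at a time)."""
    s = Store()
    s.rdef("FACILITY", "FILEM.CICS.RESOURCE", uacc="READ")
    s.rdef("XFACILIT", "FILEM.SYSPLEXA.CICSDEV.FILE.**", uacc="READ")   # Case 1
    s.rdef("XFACILIT", "FILEM.SYSPLEXA.CICSDEV.**", uacc="UPDATE")      # Case 3
    s.pe("XFACILIT", "FILEM.SYSPLEXA.CICSDEV.**", "SYSPROG", "CONTROL")
    s.rdef("XFACILIT", "FILEM.SYSPLEXA.CICSDEV.FILE.FM*", uacc="NONE")  # Case 4
    s.pe("XFACILIT", "FILEM.SYSPLEXA.CICSDEV.FILE.FM*", "FMUSER1", "CONTROL")
    return s
```

Two results of running the model are worth noting. With Cases 1 and 3 both defined, a file such as CUSTFILE is covered by the more specific FILE.** profile and stays read-only for ordinary users, while a TS queue falls through to the ** profile and can be edited. And because Case 4 is more specific than both, SYSPROG, despite CONTROL on the ** profile, cannot even browse a file named FMDATA: the FM* profile's UACC(NONE) applies to everyone not on its access list.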