IBM Security zSecure, Version 2.2.0

Command interface

CICS® systems programmers can use the command interface to run certain RACF® commands directly from CICS instead of TSO. The command interface provides greater distribution of certain capabilities and responsibilities to CICS users. It eliminates the need to use the TSO application and reduces CPU overhead.

When you use the command interface for searches:

You can use more extensive search masks to retrieve information about profiles.
You have greater flexibility in the criteria that are used.

Note: zSecure™ CICS Toolkit uses a different concept for enabling the user authority to run commands or portions of them. For example, with GROUPSPECIAL, a user without any more authority can reset a user password or resume the user. This user does not require GROUPSPECIAL and does not have to be connected to the group of the user that is being reset.uses a different concept for enabling the user authority to run commands or portions of them. For example, a user can be permitted to reset the password of another user and/or resume a user without having the authority to do anything else that might be implied by having GROUPSPECIAL authority. The user does not require the GROUPSPECIAL attribute and does not need to be connected to the group of the user that is being reset.

Note: zSecure CICS Toolkit uses a different concept for enabling the user authority to run commands or portions of them. For example, a user can be permitted to reset the password of another user and/or resume a user without needing the broader authority to perform other tasks that are available through GROUPSPECIAL authority. The user does not require the GROUPSPECIAL attribute and does not need to be connected to the group of the user that is being reset.

Under this methodology, the responsibility of resetting user passwords can be decentralized to any other area where there is access to a CICS terminal. Data Security personnel can then use their time and efforts in other areas.

RACF protects both the transaction that is used to start zSecure CICS Toolkit for the command interface and the commands themselves. Even if there is no security on the zSecure CICS Toolkit transaction, the user must be permitted to the commands in RACF to start them. A user must also be permitted to have the authority to reset user IDs. The only exception is a user with the SPECIAL attribute or a user with access to the TOOLKIT.SPEC definition. For information about this definition, see zSecure CICS Toolkit installation.

All changes to RACF profiles produce SMF records.

Feedback