You can secure resources for applications that are deployed on platforms by creating RACF® security profiles for CICSPlex® SM to cover platforms and applications in a CICSplex.
Security for platforms and applications is set up in a similar way to security for other CICSPlex SM components. You control access to a specific set of views (and their associated action commands) by identifying the set in a security profile. With these security profiles, you can give users authority to install, enable or disable, make available or unavailable, inquire on, or discard platforms and applications, and ensure that unauthorized users cannot create and administer these resources.
When you give a user authority to perform an action on a platform or application, you also give them authority to perform the same action on the dynamically generated resources for the platform or application. For example, a user who has authority to enable an application also has authority to enable the CICS® bundles for the application that were installed in CICS regions in all the platforms in the CICSplex. CICS command and resource security checks, and simulated CICS security checking in CICSPlex SM, are not carried out when you operate on CICS bundles through an application or platform.
Users with UPDATE access for this security profile can create, update, and remove definitions for platforms and applications in the CICSPlex SM data repository. Users with READ access can view those definitions in the CICSPlex SM data repository.
Users with ALTER access for this security profile can install platforms in the CICSplex and discard them. (To install a platform, users also need READ access for the CLOUD.DEF profile that covers the PLATDEF resource.) Users with UPDATE access can enable and disable platforms. Users with UPDATE access can also add CICS regions to region types in the platform and remove CICS regions from region types in the platform. Users with READ access can view PLATFORM resources and MGMTPART resources. These permissions apply for all platforms that exist in the CICSplex.
Users with ALTER access for this security profile can install applications in the CICSplex and discard them. (To install an application, users also need READ access for the CLOUD.DEF profile that covers the APPLDEF resource.) Users with UPDATE access can enable and disable applications and make them available or unavailable. Users with READ access can view APPLCTN resources. These permissions apply for all applications in all platforms that exist in the CICSplex. If you require different security permissions for certain applications, use a different CICSplex to host the platform where you deploy the application.
Although the CLOUD security profiles cover actions on the dynamically generated resources for the platform or application, users may still carry out a limited set of actions directly on individual resources in the CICS regions where they are installed. CICS command and resource security checks, and simulated CICS security checking in CICSPlex SM, do apply when you perform an action directly on an individual CICS bundle, or a resource defined in a CICS bundle, that was created when you installed a platform or application.
If you apply security measures to individual PROGRAM resources, for applications that are deployed on platforms, secure the programs that are declared as application entry points, but do not secure other programs in the applications. The security settings that you specify for a program that is part of an application deployed on a platform apply to both public and private programs, and do not take into account the version of the application. Programs that are declared as an application entry point must have a unique PROGRAM resource name in your environment. However, if you secure programs that run at a lower level in the application, programs with the same names might be running in different applications, which can lead to unforeseen consequences. In this situation, a user might have permission to access a program that is declared as an application entry point, but not have permission to access a program that runs at a lower level in the application, because the security settings from another instance of the program name are in effect. Treat the security measures that you apply to a program that is declared as an application entry point as applying to the whole application.
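The following audit sketch is an added example, not IBM code: it checks a program inventory against the guidance above, flagging secured programs that are not entry points (especially names shared across applications), entry points without security, and entry point names that are not unique. The application names, program names, finding labels, and the inventory format are all constructed assumptions; in practice the inventory would come from your own bundle definitions and security profile listings.

```python
from collections import defaultdict

# Constructed inventory (assumption, not from the page):
# application -> [(PROGRAM name, declared as application entry point?)]
APPS = {
    "PAYROLL": [("PAYMAIN", True), ("DATEUTIL", False), ("PAYCALC", False)],
    "BILLING": [("BILLMAIN", True), ("DATEUTIL", False)],
    "ORDERS": [("ORDMAIN", True), ("ORDMAIN2", True), ("ORDVAL", False)],
    "REPORTS": [("RPTMAIN", True), ("PAYMAIN", False)],
}
# Constructed: PROGRAM names that currently have resource security applied.
SECURED = {"PAYMAIN", "DATEUTIL", "ORDMAIN", "ORDVAL", "RPTMAIN"}


def audit_program_security(apps, secured):
    """Return (finding, program, applications) tuples, ordered by program name."""
    owners = defaultdict(set)   # program name -> applications that contain it
    entry_names = set()         # names declared as an entry point anywhere
    for app, programs in apps.items():
        for name, is_entry in programs:
            owners[name].add(app)
            if is_entry:
                entry_names.add(name)

    findings = []
    for name in sorted(owners):
        used_by = sorted(owners[name])
        shared = len(used_by) > 1
        if name in entry_names:
            # Entry point names must be unique across the environment.
            if shared:
                findings.append(("ENTRY_NAME_NOT_UNIQUE", name, used_by))
            # Entry points are the programs that should carry the security.
            if name not in secured:
                findings.append(("UNSECURED_ENTRY", name, used_by))
        elif name in secured:
            # Securing a lower-level program affects every application that
            # contains a program of the same name.
            kind = "SECURED_NON_ENTRY_SHARED" if shared else "SECURED_NON_ENTRY"
            findings.append((kind, name, used_by))
    return findings


if __name__ == "__main__":
    for finding, program, used_by in audit_program_security(APPS, SECURED):
        print(f"{finding:26} {program:9} {', '.join(used_by)}")
```
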
If you used CICS bundles in earlier CICS releases, check the security permissions that you gave to users for those bundles. Depending on the way in which you set up security for CICS bundles, users with authority to take actions on individual CICS bundles might now be able to act on resources that are dynamically created as part of the installation of a bundle. Ensure that the levels of authority for BUNDLE resources are still appropriate.