
Security for platforms and applications

You can secure resources for applications that are deployed on platforms by creating RACF® security profiles for CICSPlex® SM to cover platforms and applications in a CICSplex.

Security for platforms and applications is set up in a similar way to security for other CICSPlex SM components. You control access to a specific set of views (and their associated action commands) by identifying the set in a security profile. With these security profiles, you can give users authority to install, enable or disable, make available or unavailable, inquire on, or discard platforms and applications, and ensure that unauthorized users cannot create and administer these resources.

When you give a user authority to perform an action on a platform or application, you also give them authority to perform the same action on the dynamically generated resources for the platform or application. For example, a user who has authority to enable an application also has authority to enable the CICS® bundles for the application that were installed in CICS regions in all the platforms in the CICSplex. CICS command and resource security checks, and simulated CICS security checking in CICSPlex SM, are not carried out when you operate on CICS bundles through an application or platform.

You can secure a platform and its deployed applications by setting up security profiles with the following function and type combinations:
CLOUD.DEF.context
This security profile covers the PLATDEF and APPLDEF resource tables, which contain the definitions for platforms and applications. context is the specific or generic name of the CICSplex that is covered by the security profile.

Users with UPDATE access for this security profile can create, update, and remove definitions for platforms and applications in the CICSPlex SM data repository. Users with READ access can view those definitions in the CICSPlex SM data repository.

CLOUD.PLATFORM.context
This security profile covers the installation of PLATDEF resources and operations on PLATFORM resources. It also allows users to view management parts (MGMTPART resources). context is the specific or generic name of the CICSplex that is covered by the security profile.

Users with ALTER access for this security profile can install platforms in the CICSplex and discard them. (To install a platform, users also need READ access for the CLOUD.DEF profile that covers the PLATDEF resource.) Users with UPDATE access can enable and disable platforms. Users with UPDATE access can also add CICS regions to region types in the platform and remove CICS regions from region types in the platform. Users with READ access can view PLATFORM resources and MGMTPART resources. These permissions apply for all platforms that exist in the CICSplex.

CLOUD.APPLICATION.context
This security profile covers the installation of APPLDEF resources and operations on APPLCTN resources. context is the specific or generic name of the CICSplex that is covered by the security profile.

Users with ALTER access for this security profile can install applications in the CICSplex and discard them. (To install an application, users also need READ access for the CLOUD.DEF profile that covers the APPLDEF resource.) Users with UPDATE access can enable and disable applications and make them available or unavailable. Users with READ access can view APPLCTN resources. These permissions apply for all applications in all platforms that exist in the CICSplex. If you require different security permissions for certain applications, use a different CICSplex to host the platform where you deploy the application.
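As an added example that is not part of the original page, the following RACF commands define the three CLOUD profiles for one CICSplex and grant the access levels described above to three roles. The CICSplex name PLEX1, the profile owner CPSMADM and the groups CLDDEFN (definers), CLDADMIN (installers) and CLDOPER (operators) are assumptions; CPSMOBJ is the general resource class that CICSPlex SM uses for its security profiles. The commands are shown as a TSO CLIST fragment, so the /* */ lines are comments.

```tso
/* Added example: CLOUD profiles for CICSplex PLEX1 (all names assumed). */
/* CICSPlex SM profiles live in the CPSMOBJ class. Activate the class    */
/* and allow generic names (context can be generic, e.g. PLEX*) if       */
/* that has not already been done for the other CICSPlex SM profiles.    */
SETROPTS CLASSACT(CPSMOBJ) GENERIC(CPSMOBJ)

/* UACC(NONE): nobody gets authority unless named on the access list.    */
RDEFINE CPSMOBJ CLOUD.DEF.PLEX1         UACC(NONE) OWNER(CPSMADM)
RDEFINE CPSMOBJ CLOUD.PLATFORM.PLEX1    UACC(NONE) OWNER(CPSMADM)
RDEFINE CPSMOBJ CLOUD.APPLICATION.PLEX1 UACC(NONE) OWNER(CPSMADM)

/* Definers: create, update and remove PLATDEF and APPLDEF records in   */
/* the data repository, but cannot install anything.                    */
PERMIT CLOUD.DEF.PLEX1 CLASS(CPSMOBJ) ID(CLDDEFN) ACCESS(UPDATE)

/* Installers: install and discard platforms and applications.          */
/* ALTER on CLOUD.PLATFORM / CLOUD.APPLICATION is not enough by itself: */
/* install reads the PLATDEF/APPLDEF, so READ on CLOUD.DEF is needed too. */
PERMIT CLOUD.DEF.PLEX1         CLASS(CPSMOBJ) ID(CLDADMIN) ACCESS(READ)
PERMIT CLOUD.PLATFORM.PLEX1    CLASS(CPSMOBJ) ID(CLDADMIN) ACCESS(ALTER)
PERMIT CLOUD.APPLICATION.PLEX1 CLASS(CPSMOBJ) ID(CLDADMIN) ACCESS(ALTER)

/* Operators: enable/disable platforms, add/remove regions in region    */
/* types, enable/disable and make available/unavailable applications.   */
/* UPDATE does not allow install or discard. READ on CLOUD.DEF only     */
/* lets them look at the definitions.                                   */
PERMIT CLOUD.DEF.PLEX1         CLASS(CPSMOBJ) ID(CLDOPER) ACCESS(READ)
PERMIT CLOUD.PLATFORM.PLEX1    CLASS(CPSMOBJ) ID(CLDOPER) ACCESS(UPDATE)
PERMIT CLOUD.APPLICATION.PLEX1 CLASS(CPSMOBJ) ID(CLDOPER) ACCESS(UPDATE)

/* Make the change effective if CPSMOBJ is RACLISTed, then check the    */
/* resulting access lists before relying on them.                       */
SETROPTS RACLIST(CPSMOBJ) REFRESH
RLIST CPSMOBJ CLOUD.DEF.PLEX1         AUTHUSER
RLIST CPSMOBJ CLOUD.PLATFORM.PLEX1    AUTHUSER
RLIST CPSMOBJ CLOUD.APPLICATION.PLEX1 AUTHUSER
```

Because every CLOUD profile is scoped to the whole CICSplex, this split (definers, installers, operators) is the finest separation of duties these profiles give you; an application that needs a different access list has to be deployed in a platform hosted by a different CICSplex, as the text above notes. Remember that the checks run in the maintenance point CMAS, so that is the CMAS whose EYULOG you inspect for EYUCR0009I.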

Note: These security profiles are only checked in the maintenance point CMAS. Security checks are reported by message EYUCR0009I in the EYULOG of the maintenance point CMAS. To receive message EYUCR0009I for violations you must set the CICSPlex SM system parameter (EYUPARM) SECLOGMSG to YES. For more information about SECLOGMSG, see CICSPlex SM system parameters.

Although the CLOUD security profiles cover actions on the dynamically generated resources for the platform or application, users may still carry out a limited set of actions directly on individual resources in the CICS regions where they are installed. CICS command and resource security checks, and simulated CICS security checking in CICSPlex SM, do apply when you perform an action directly on an individual CICS bundle, or a resource defined in a CICS bundle, that was created when you installed a platform or application.

If you apply resource security to individual PROGRAM resources in applications that are deployed on platforms, secure only the programs that are declared as application entry points, not the other programs in the applications. The security settings that you specify for a program in an application deployed on a platform apply to both public and private programs and take no account of the application version. A program that is declared as an application entry point must have a PROGRAM resource name that is unique in your environment, so a profile for it cannot collide with a program in another application. Programs that run at a lower level in an application have no such guarantee: programs with the same name might be running in different applications, and a profile that you intend for one of them is in effect for all of them, which can have unforeseen consequences. A user might then be permitted to access the entry point program but be denied access to a lower-level program in the same application, because the security settings for another instance of that program name apply. Treat the security measures that you apply to an application entry point program as applying to the whole application.
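As an added example that is not part of the original page, the following RACF commands apply program resource security to an application deployed on a platform in the way the paragraph above recommends: the entry point gets a profile, a lower-level program does not. The program names ORDRENTY (the entry point) and UTIL01 (a private program whose name is also used by a program in another application), the group ORDUSERS and the owner CICSADM are assumptions. MCICSPPT is the default member class that CICS uses for program resource security when a region runs with XPPT=YES in its system initialization table; the commands are shown as a TSO CLIST fragment, so the /* */ lines are comments.

```tso
/* Added example: secure only the application entry point (names assumed). */
/* Program security in the CICS regions is switched on by the SIT           */
/* parameter XPPT=YES, which selects the default classes MCICSPPT (member)  */
/* and NCICSPPT (grouping). CICS checks for READ access to the program.     */

/* ORDRENTY is an application entry point, so its name is unique in the     */
/* environment and a profile for it can affect no other application.        */
RDEFINE MCICSPPT ORDRENTY UACC(NONE) OWNER(CICSADM)
PERMIT ORDRENTY CLASS(MCICSPPT) ID(ORDUSERS) ACCESS(READ)

/* Do NOT do the same for UTIL01. It is a private, lower-level program of   */
/* this application, but another application on the platform also runs a   */
/* program called UTIL01, and PROGRAM security ignores the application, its */
/* version and public/private scope. One profile would govern both copies:  */
/* a member of ORDUSERS could reach ORDRENTY and then be refused when        */
/* ORDRENTY links to UTIL01, because the other application's access list    */
/* is in effect for that name.                                              */
/*   RDEFINE MCICSPPT UTIL01 UACC(NONE) OWNER(CICSADM)      <- avoid       */

/* Pick up the new profile in the running regions and verify it.            */
SETROPTS RACLIST(MCICSPPT) REFRESH
RLIST MCICSPPT ORDRENTY AUTHUSER
```

The permission granted on ORDRENTY is, in effect, the permission to use the whole application: anyone who can link to the entry point can run every program the application reaches from it, which is exactly the "applying to the whole application" reading the text above asks you to adopt.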

If you used CICS bundles in earlier CICS releases, check the security permissions that you gave to users for those bundles. Depending on the way in which you set up security for CICS bundles, users with authority to take actions on individual CICS bundles might now be able to act on resources that are dynamically created as part of the installation of a bundle. Ensure that the levels of authority for BUNDLE resources are still appropriate.



dfhe5_security_cloud.html | Last updated: Saturday, 15 June 2019