The CICS® system
programmer and the DB2® administrator
must decide how to control access to the CICS IA plan and the CIU tables. There are two
options.
About this task
Read this information with the CICS DB2 Guide.
- Option 1
CICS IA uses the DYNAMICRULES(BIND)
option on the BIND PLAN command in CIUDBNB. This option is recommended
for the following reasons:
- How security works is the same for both dynamic and static SQL.
- If you grant permissions by issuing one or more GRANT
EXECUTE ON PLAN CICSIA TO _xxxx_ commands, all of the security
checks are done at the plan level. This option is simple to administer
and offers good performance.
- If, typically, the _xxxx_ in the GRANT
EXECUTE command specifies a RACF® group
rather than a single RACF user
ID, to add new users you connect the users to the RACF group.
The sample installation jobs CIUDBNB are configured to
issue
GRANT EXECUTE commands for the appropriate
plans. These commands are issued against a RACF group.
- Select your RACF group.
The RACF group can be selected
at configuration time.
- Change _racfgrp_ to your chosen RACF group.
- Ensure that all CIU users are connected to your chosen RACF group, with RACF "list of groups" active in the system.
- Enable secondary authorization in DB2.
See the DB2 installation job
DSNTIJEX.
Note: - Review DSNTIJEX job with your DB2 administrator.
- For a full understanding of the implications of DYNAMICRULES(BIND),
see the description of the BIND COMMAND in the DB2 Commands manual.
- See also the section on DB2 security
in the CICS RACF Security Guide.
- Review this job with your DB2 administrator.
- Option 2
- Grant all CIU users access to the tables explicitly. This option
is not recommended because you must do this every time you give access
to a new user.
To use this option:
- In the sample jobs CIUDBNB and CIUDBNT, on the BIND
PLAN command change the DYNAMICRULES option from DYNAMICRULES(BIND)
to DYNAMICRULES(RUN).
- In hlq.SCIUSQL.OUT(CIUGRNTC), change the sample GRANT commands
to GRANT EXECUTE on the CICSIA plan and GRANT
SELECT, GRANT UPDATE, GRANT INSERT, GRANT DELETE, and any
other GRANT commands, on the CIU tables.
- If the GRANT permissions are made to a RACF group, note these requirements:
- Ensure that all CIU users are connected to that RACF group.
- Enable secondary authorization in DB2.
See the DB2 install job DSNTIJEX
for more information if required.
The Query interface uses
dynamic SQL to access the CIU_CICS_DATA, CIU_DB2_DATA, CIU_MQ_DATA,
and CIU_IMS_DATA tables. For guidance on using dynamic SQL with CICS, refer to the CICS DB2 Guide for
your CICS release.
The
delivered SQL is constructed and sized for a default application.
You must tailor the sizings for PRIQTY and SECQTY in the index creation
batch job to suit your requirements. If you create a new query, you
must evaluate the query to ensure that the existing indexing supports
the query. If the existing indexing does not support the query, you
must construct more indexes. Contact your database administrator if
you require assistance.