Granting access to the plans and tables

The CICS® system programmer and the DB2® administrator must decide how to control access to the CICS IA plan and the CIU tables. There are two options.

About this task

Read this information with the CICS DB2 Guide.

Option 1
CICS IA uses the DYNAMICRULES(BIND) option on the BIND PLAN command in CIUDBNB. This option is recommended for the following reasons:
  • How security works is the same for both dynamic and static SQL.
  • If you grant permissions by issuing one or more GRANT EXECUTE ON PLAN CICSIA TO _xxxx_ commands, all of the security checks are done at the plan level. This option is simple to administer and offers good performance.
  • If, typically, the _xxxx_ in the GRANT EXECUTE command specifies a RACF® group rather than a single RACF user ID, to add new users you connect the users to the RACF group.
The sample installation jobs CIUDBNB are configured to issue GRANT EXECUTE commands for the appropriate plans. These commands are issued against a RACF group.
  1. Select your RACF group. The RACF group can be selected at configuration time.
  2. Change _racfgrp_ to your chosen RACF group.
  3. Ensure that all CIU users are connected to your chosen RACF group, with RACF "list of groups" active in the system.
  4. Enable secondary authorization in DB2. See the DB2 installation job DSNTIJEX.
    Note:
    1. Review DSNTIJEX job with your DB2 administrator.
    2. For a full understanding of the implications of DYNAMICRULES(BIND), see the description of the BIND COMMAND in the DB2 Commands manual.
    3. See also the section on DB2 security in the CICS RACF Security Guide.
    4. Review this job with your DB2 administrator.
Option 2
Grant all CIU users access to the tables explicitly. This option is not recommended because you must do this every time you give access to a new user.
To use this option:
  1. In the sample jobs CIUDBNB and CIUDBNT, on the BIND PLAN command change the DYNAMICRULES option from DYNAMICRULES(BIND) to DYNAMICRULES(RUN).
  2. In hlq.SCIUSQL.OUT(CIUGRNTC), change the sample GRANT commands to GRANT EXECUTE on the CICSIA plan and GRANT SELECT, GRANT UPDATE, GRANT INSERT, GRANT DELETE, and any other GRANT commands, on the CIU tables.
  3. If the GRANT permissions are made to a RACF group, note these requirements:
    1. Ensure that all CIU users are connected to that RACF group.
    2. Enable secondary authorization in DB2. See the DB2 install job DSNTIJEX for more information if required.

The Query interface uses dynamic SQL to access the CIU_CICS_DATA, CIU_DB2_DATA, CIU_MQ_DATA, and CIU_IMS_DATA tables. For guidance on using dynamic SQL with CICS, refer to the CICS DB2 Guide for your CICS release.

The delivered SQL is constructed and sized for a default application. You must tailor the sizings for PRIQTY and SECQTY in the index creation batch job to suit your requirements. If you create a new query, you must evaluate the query to ensure that the existing indexing supports the query. If the existing indexing does not support the query, you must construct more indexes. Contact your database administrator if you require assistance.

Parent topic: DB2 considerations