
Securing the Enhanced 3270 User Interface with RACF

RACF can secure the Enhanced 3270 User Interface (E3270UI) at three levels: you can control who can log on to the E3270UI, which managed systems and data a user can see, and which Take Action commands a user can issue.

You enable RACF security by coding RTE_SECURITY_CLASS=RACF_classname in the PARMGEN Run Time Environment (RTE) member, where RACF_classname is the RACF resource class that will hold the E3270UI profiles. If you instead code RTE_SECURITY_CLASS=OMEGDEMO, only userid validation (of the userid and password) takes place at E3270UI logon time and no other security checking is done. This can be useful for proof-of-concept installs, to minimize the work needed to bring the system up initially, but because no resource checking happens at all it should be replaced with a real class before the RTE carries production data or is allowed to issue Take Action commands.

Within the specified RACF resource class, the following profiles control the different aspects of a user's session:

  • KOB.LOGON – READ access to this profile allows the user to log on to the E3270UI.
  • Kproduct_code.managed_system_name.table – READ access to these profiles controls a user's ability to view data, where:
      • product_code is CP for CICS and M5 for z/OS.
      • managed_system_name (or originnode) is the fully qualified name of the managed system.
      • For CICS, the managed system name of a CICS region has the form padded_smfid.cicsname, where padded_smfid is the SMF id of the host system, padded with trailing underscores if it is shorter than 4 characters, and cicsname is the job, started task or modify name of the CICS region. The managed system name of a CICSplex has the form cicsplex_name::CICSPLEX.
      • For z/OS, the managed system name of an LPAR has the form plexname:smfid:MVSSYS and the managed system name of the sysplex has the form plexname:MVS:SYSPLEX.
      • table is the name of the attribute table, e.g. CICSROV for the CICS Region Overview. You can look at the queries within each workspace in the TKANWENU library to see which tables it uses.
  • Kproduct_code.managed_system_name.TAKEACTION – UPDATE access to these profiles controls a user's ability to issue Take Action commands.

A basic set of RACF profiles for the CICS and z/OS products might look like this (shown as RACF lists them, where (G) marks a generic profile):

KCP.**.TAKEACTION* (G) UACC(NONE)
KM5.**.TAKEACTION* (G) UACC(NONE)
KOB.LOGON.** (G)  UACC(NONE)
KM5.** (G) UACC(READ)
KCP.** (G) UACC(READ)

Giving a user READ access to the KOB.LOGON.** profile allows them to log on to the E3270UI, and the KM5.** and KCP.** profiles with UACC(READ) allow every user who can log on to see the data for the z/OS (M5) and CICS (CP) products. Only users with UPDATE authority to the KM5.**.TAKEACTION* and KCP.**.TAKEACTION* profiles can issue Take Action commands: RACF applies the most specific matching profile, so for the TAKEACTION resources these two profiles with UACC(NONE) take precedence over the UACC(READ) on KM5.** and KCP.**. To restrict which managed systems a user can see, define more specific Kproduct_code.managed_system_name.** profiles with UACC(NONE) and permit only the users who need them.
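The profile set above as a batch RACF job, added here as an example and not taken from the page or from the OMEGAMON documentation. It assumes the class coded on RTE_SECURITY_CLASS is FACILITY, that two RACF groups exist, OMEGVIEW (view only) and OMEGOPER (may issue Take Action commands), and it adds one region-specific profile for a CICS region CICSPRD1 running on an LPAR whose SMF id is SY1, which shows the underscore padding of a 3-character SMF id in the managed system name; the group CICSADM that is permitted to it is also assumed.

```jcl
//RACFE327 JOB (ACCT),'E3270UI RACF',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example, not from the page.  Assumed values: class FACILITY
//* (use the class you coded on RTE_SECURITY_CLASS), groups OMEGVIEW
//* (view only), OMEGOPER (Take Action) and CICSADM (Take Action on
//* one region), and a CICS region CICSPRD1 on SMF id SY1, which is
//* padded to SY1_ in the managed system name.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 SETROPTS CLASSACT(FACILITY) GENERIC(FACILITY)
 RDEFINE FACILITY KOB.LOGON.**         UACC(NONE)
 RDEFINE FACILITY KM5.**               UACC(READ)
 RDEFINE FACILITY KCP.**               UACC(READ)
 RDEFINE FACILITY KM5.**.TAKEACTION*   UACC(NONE)
 RDEFINE FACILITY KCP.**.TAKEACTION*   UACC(NONE)
 PERMIT KOB.LOGON.** CLASS(FACILITY) ID(OMEGVIEW OMEGOPER) -
        ACCESS(READ)
 PERMIT KM5.**.TAKEACTION* CLASS(FACILITY) ID(OMEGOPER) -
        ACCESS(UPDATE)
 PERMIT KCP.**.TAKEACTION* CLASS(FACILITY) ID(OMEGOPER) -
        ACCESS(UPDATE)
 RDEFINE FACILITY KCP.SY1_.CICSPRD1.TAKEACTION* UACC(NONE)
 PERMIT KCP.SY1_.CICSPRD1.TAKEACTION* CLASS(FACILITY) -
        ID(CICSADM) ACCESS(UPDATE)
 SETROPTS RACLIST(FACILITY) REFRESH
 RLIST FACILITY KCP.** ALL
/*
```

The RLIST at the end lists the KCP profiles with their access lists so you can confirm what was defined. Because KCP.SY1_.CICSPRD1.TAKEACTION* names the managed system explicitly, it is more specific than KCP.**.TAKEACTION* and is the profile RACF checks for Take Action requests against that region, so CICSADM can act on CICSPRD1 without receiving Take Action authority on every CICS region.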

Categories: E3270UI, ITM
  1. Rich Russ
    November 5, 2013 at 9:09 pm

    Specific to OMEGAMON XE for CICS with E3270UI, I’m looking to map the OMEGAVIEW security table (creates KOCCMX00 for the various commands w levels) to write E3270UI-related RACF resource class definition. I have found only a subset of TAKEACTION definitions in the CICS 5.1 Planning and Config Guide, Appendix A. Ex: The value is the queuename in character form, for the TDDL (TDQ DELETE) Take Action command:
    – KCP.smfid.cicsname.TAKEACTION.DELETE.TDQ.queuename
    – KCP.smfid.cicsname.TAKEACTION.DELETE.TDQ.*

    Is there a list documented that gives granularity of the various commands beyond the TAKEACTION qualifier?

