Securing the Enhanced 3270 User Interface with RACF
There are a variety of ways that you can secure the Enhanced 3270 User Interface (E3270UI) with RACF. You can control who can log on to the E3270UI, which managed systems and data they can see, and which TAKE ACTION commands they can issue.
You enable RACF security by coding the RTE_SECURITY_CLASS=RACF_classname in the PARMGEN Run Time Environment (RTE) member. If you code RTE_SECURITY_CLASS=OMEGDEMO then only userid validation (of the userid and password) takes place at E3270UI logon time and no other security checking is done. This can be useful for proof of concept installs to minimize the work needed to bring the system up initially.
Within the specified RACF resource class, the following profiles control various aspects of the user's experience:
- KOB.LOGON – READ access to this profile allows the user to log on to the E3270UI.
- Kproduct_code.managed_system_name.table – READ access to these profiles controls a user's ability to view data.
  - product_code is CP for CICS, M5 for z/OS.
  - managed_system_name (or originnode) is the fully qualified name of the managed system.
  - For CICS, the managed system name of a CICS region is of the form padded_smfid.cicsname, where padded_smfid is the smfid of the host system, padded with trailing underscores if less than 4 characters long, and cicsname is the job, started task or modify name of the CICS region. The managed system name of a CICSPLEX is of the form cicsplex_name::CICSPLEX.
  - For z/OS, the managed system name of an LPAR is of the form plexname:smfid:MVSSYS and the managed system name of the sysplex is of the form plexname:MVS:SYSPLEX.
  - table is the name of the attribute table, e.g. CICSROV for the CICS Region Overview. You can view the queries within each workspace in the TKANWENU library to see which tables it queries.
- Kproduct_code.managed_system_name.TAKEACTION – UPDATE access to these profiles controls the user's ability to issue take action commands.
A basic set of RACF profiles for the CICS and z/OS products might look like this:
KCP.**.TAKEACTION* (G) UACC(NONE)
KM5.**.TAKEACTION* (G) UACC(NONE)
KOB.LOGON.** (G) UACC(NONE)
KM5.** (G) UACC(READ)
KCP.** (G) UACC(READ)
Giving a user READ access to the KOB.LOGON profile would allow them to log on to the E3270UI, and the KM5.** and KCP.** profiles with UACC(READ) would allow them to see data for the CICS and z/OS (M5) products. Only users with UPDATE authority to the KM5.**.TAKEACTION* and KCP.**.TAKEACTION* profiles would be able to issue take action commands.
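The following Python script is an added example (not IBM code or part of this page) that ties the two parts above together: it builds the resource names the E3270UI checks from the managed system name rules (including the trailing-underscore padding of a short smfid), and then shows which of the five sample profiles would govern a given resource, so you can sanity-check a profile set before defining it. The generic matching is a simplified model and an assumption: `**` matches zero or more qualifiers, `*` matches the rest of one qualifier, `%` matches one character, and the candidate with the most literal characters is treated as the most specific. It is not RACF's exact character-by-character selection algorithm, so confirm real decisions with RACF itself.

```python
"""Build E3270UI resource names and check them against generic profiles.

Added example, not IBM/OMEGAMON code. Name formats follow the article;
the generic-profile matching is a simplified model (assumption), not
RACF's exact most-specific-profile algorithm.
"""
import re


def pad_smfid(smfid: str) -> str:
    """Pad an smfid shorter than 4 characters with trailing underscores."""
    if not 1 <= len(smfid) <= 4:
        raise ValueError("smfid must be 1 to 4 characters")
    return smfid.upper().ljust(4, "_")


def cics_region(smfid: str, cicsname: str) -> str:
    """Managed system name of a CICS region: padded_smfid.cicsname"""
    return f"{pad_smfid(smfid)}.{cicsname.upper()}"


def cicsplex(cicsplex_name: str) -> str:
    """Managed system name of a CICSPLEX: cicsplex_name::CICSPLEX"""
    return f"{cicsplex_name.upper()}::CICSPLEX"


def zos_lpar(plexname: str, smfid: str) -> str:
    """Managed system name of an LPAR: plexname:smfid:MVSSYS"""
    return f"{plexname.upper()}:{smfid.upper()}:MVSSYS"


def zos_sysplex(plexname: str) -> str:
    """Managed system name of a sysplex: plexname:MVS:SYSPLEX"""
    return f"{plexname.upper()}:MVS:SYSPLEX"


def resource_name(product_code: str, managed_system: str, table: str) -> str:
    """Resource checked in the RTE_SECURITY_CLASS: Kproduct.managed_system.table"""
    return f"K{product_code.upper()}.{managed_system}.{table.upper()}"


# The article's basic profile set with its UACC values (constructed from the text).
SAMPLE_PROFILES = {
    "KCP.**.TAKEACTION*": "NONE",
    "KM5.**.TAKEACTION*": "NONE",
    "KOB.LOGON.**": "NONE",
    "KM5.**": "READ",
    "KCP.**": "READ",
}


def _match_qualifier(pattern: str, qualifier: str) -> bool:
    """'*' matches the rest of one qualifier, '%' matches a single character."""
    regex = re.escape(pattern).replace(r"\*", "[^.]*").replace("%", "[^.]")
    return re.fullmatch(regex, qualifier) is not None


def _match(pq: list, rq: list) -> bool:
    """Recursive qualifier-by-qualifier match; '**' spans zero or more qualifiers."""
    if not pq:
        return not rq
    if pq[0] == "**":
        return any(_match(pq[1:], rq[i:]) for i in range(len(rq) + 1))
    return bool(rq) and _match_qualifier(pq[0], rq[0]) and _match(pq[1:], rq[1:])


def profile_matches(profile: str, resource: str) -> bool:
    return _match(profile.split("."), resource.split("."))


def _specificity(profile: str):
    # Simplified rule (assumption): more literal characters wins, then fewer wildcards.
    literal = sum(1 for ch in profile if ch not in "*%")
    return (literal, -profile.count("*"))


def governing_profile(resource: str, profiles=SAMPLE_PROFILES):
    """Return the matching profile treated as most specific, or None if unprotected."""
    candidates = [p for p in profiles if profile_matches(p, resource)]
    return max(candidates, key=_specificity) if candidates else None


def uacc_for(resource: str, profiles=SAMPLE_PROFILES):
    """UACC that would apply to a user with no explicit PERMIT, per the model above."""
    profile = governing_profile(resource, profiles)
    return profiles[profile] if profile else None


if __name__ == "__main__":
    # Constructed sample systems: smfid "SYS" pads to "SYS_".
    for res in (
        resource_name("CP", cics_region("SYS", "CICSA"), "CICSROV"),
        resource_name("CP", cics_region("SYS", "CICSA"), "TAKEACTION"),
        resource_name("M5", zos_lpar("PLEXA", "SYSA"), "TAKEACTION"),
        "KOB.LOGON",
    ):
        print(f"{res:45} -> {governing_profile(res)} UACC({uacc_for(res)})")
```

Running the script lists each constructed resource with the profile that covers it: the CICSROV view falls under KCP.** with UACC(READ), while the TAKEACTION resources fall under the more specific KCP.**.TAKEACTION* and KM5.**.TAKEACTION* profiles with UACC(NONE), which is the behaviour the sample profile set is meant to give. A resource with no matching profile returns None, which is worth catching before go-live because an unprotected resource in a class with no default behaves differently from one with an explicit UACC(NONE).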