Different authorities in different regions
Either by defining separate RACF classes for each differing environment (for example, clones of GCICSTRN and TCICSTRN)
Or by specifying SECPRFX=YES in the SIT, so that the CICS region userid is prefixed to the resource name on each check
Adding new resource classes to the class descriptor table
The RACF class descriptor table has a system-defined part, and an installation-defined part named ICHRRCDE. You add new resource classes to ICHRRCDE by coding the ICHERCDE macro. For example, to add to the CDT a new class $FILEREC, and a corresponding (optional) group class $GILEREC, add the following macros to ICHRRCDE:
$FILEREC ICHERCDE CLASS=$FILEREC,                                      *
               GROUP=$GILEREC,                                         *
               ID=192,                                                 *
               MAXLNTH=17,                                             *
               RACLIST=ALLOWED,                                        *
               FIRST=ALPHANUM,                                         *
               OTHER=ANY,                                              *
               POSIT=42,                                               *
               OPER=NO,                                                *
               DFTUACC=NONE
$GILEREC ICHERCDE CLASS=$GILEREC,                                      *
               MEMBER=$FILEREC,                                        *
               ID=191,                                                 *
               MAXLNTH=17,                                             *
               FIRST=ALPHANUM,                                         *
               OTHER=ANY,                                              *
               POSIT=42,                                               *
               OPER=NO,                                                *
               DFTUACC=NONE
Add the same classes to the RACF router table, ICHRFR01, by coding the ICHRFRTB macro:
         ICHRFRTB CLASS=$FILEREC,ACTION=RACF
         ICHRFRTB CLASS=$GILEREC,ACTION=RACF
When you have recreated the two modules ICHRRCDE and ICHRFR01, re-IPL your MVS system to bring them into use.
Activating the user-defined resource classes
Once you have installed the new classes in your system, it is necessary to activate them in RACF before they can be used. This has to be done by a user with system-SPECIAL authority, who enters the following commands under TSO:
SETROPTS CLASSACT($FILEREC)
SETROPTS GENERIC($FILEREC)
To improve the performance of QUERY SECURITY, you should load the new resource profiles into virtual storage by using the RACLIST option. The RACLIST option is required if you are using the group class, because the connection between the group class and the entity class is resolved by RACLIST:
SETROPTS RACLIST($FILEREC)
You need to issue the SETROPTS commands only for the entity class $FILEREC, because the group class $GILEREC has the same POSIT number and therefore shares the same SETROPTS settings.
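As an added example (not part of the original page, and not RACF's own code), the Python script below parses ICHERCDE and ICHRFRTB macro statements like those above and checks the cross-references the procedure depends on: each group class names a defined MEMBER class with the same POSIT, no ID is reused, and every CDT class has a matching ICHRFRTB ACTION=RACF router entry. The embedded macro text is constructed to mirror the $FILEREC/$GILEREC definitions, and the parser assumes the usual trailing '*' continuation marker.

```python
import re

# Constructed sample mirroring the page's $FILEREC/$GILEREC definitions.
# A trailing '*' (column 72 in real source) continues the statement.
ICHRRCDE_SRC = """\
$FILEREC ICHERCDE CLASS=$FILEREC,GROUP=$GILEREC,ID=192,MAXLNTH=17,     *
               RACLIST=ALLOWED,FIRST=ALPHANUM,OTHER=ANY,POSIT=42,      *
               OPER=NO,DFTUACC=NONE
$GILEREC ICHERCDE CLASS=$GILEREC,MEMBER=$FILEREC,ID=191,MAXLNTH=17,    *
               FIRST=ALPHANUM,OTHER=ANY,POSIT=42,OPER=NO,DFTUACC=NONE
"""
ICHRFR01_SRC = (" ICHRFRTB CLASS=$FILEREC,ACTION=RACF\n"
                " ICHRFRTB CLASS=$GILEREC,ACTION=RACF\n")

def parse_macros(src, macro):
    """Return {CLASS: {keyword: value}} for every invocation of `macro`."""
    stmts, cont = [], False
    for line in src.splitlines():
        body = line.rstrip()
        more = body.endswith("*")                 # continuation marker
        body = (body[:-1] if more else body).strip()
        if cont:
            stmts[-1] += body                     # operands continue
        else:
            stmts.append(body)
        cont = more
    result = {}
    for stmt in stmts:
        if macro in stmt.split():
            ops = dict(re.findall(r"(\w+)=([^,\s]+)", stmt))
            result[ops["CLASS"]] = ops
    return result

def check_cdt(cdt, router):
    """List inconsistencies between the CDT entries and the router table."""
    problems, ids = [], {}
    for name, ops in cdt.items():
        cid = int(ops["ID"])
        if cid in ids:
            problems.append(f"{name}: ID {cid} already used by {ids[cid]}")
        ids[cid] = name
        member = ops.get("MEMBER")                # group -> entity class
        if member and member not in cdt:
            problems.append(f"{name}: MEMBER {member} is not defined")
        elif member and cdt[member].get("POSIT") != ops.get("POSIT"):
            problems.append(f"{name}: POSIT differs from {member}")
        if router.get(name, {}).get("ACTION") != "RACF":
            problems.append(f"{name}: no ICHRFRTB ACTION=RACF entry")
    return problems
```

Run check_cdt(parse_macros(ICHRRCDE_SRC, "ICHERCDE"), parse_macros(ICHRFR01_SRC, "ICHRFRTB")) against your own ICHRRCDE and ICHRFR01 source before the re-IPL; an empty list means the definitions agree.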