CA SYSVIEW Performance Management

Expand all | Collapse all

Sysview CICS security

  • 1.  Sysview CICS security

    Posted 10-23-2020 01:23 PM
    I'm working to restrict transaction KILL in prod CICS regions.  I've hit the books and started.

    I started simple and didn't get far.  I defined "CICS=" under 'Jobnames Section' with forbid on all fields.  If I read correctly, this means I should not see any CICS regions beginning with "CICS=",
    I see all CICS regions beginning with "CICS=".


  • 2.  RE: Sysview CICS security

    Broadcom Employee
    Posted 10-26-2020 04:36 AM

    Hi Kevin,

    Please could you be a bit more specific on the KILL transaction restriction question... What did you specify where in CA Sysview...

    Also, the equal sign is possible a masking character.. Keep this in mind.. Do you want to restrict the transaction in all the CICS regions starting with CICS, or starting with 'CICS=' ?
    You also mentioned, i see all the CICS regions beginning with 'CICS='.. Where do you see them.. Let us know..

    Best regards
    Hennie Hermans

    Principal Support Engineer
    CA Technologies, A Broadcom Company

  • 3.  RE: Sysview CICS security

    Posted 10-26-2020 08:39 AM
    You're right. I wasn't specific enough. My original attempt was to deny access to all CICS regions so I could verify whether they show up on CICSLIST. They do, leading me to believe I've got something wrong.

    This attempt is more to the point. Allow CTASK KILL to test regions; CICSxx02. Deny CTASK KILL access to prod regions; CICSxx20.

    • Security
    • User Groups
    • XYZZY Group
    • Resource Section
    • Add CICSAB02 AM (test)
    • Add CICSAB20 FM (prod)
    • Add my id to XYZZY grouip
    • Remove my id from Admin group
    • CICS CICSAB20 (prod)
    • CTASK
    • KILL/YES on a CEMT task I am a running
    • SECU005E KK$240 not authorized for CICSSET command This is expected.
    • CICS CICSAB02 (test)
    • CTASK
    • KILL/YES on a CEMT task I am a running
    • SECU005E KK$240 not authorized for CICSSET command This is NOT expected.
    Since CICSAB20 is specified as forbid, why can I still see it in CICSLIST?
    Why can transactions not be killed on CICSAB02?

  • 4.  RE: Sysview CICS security

    Broadcom Employee
    Posted 11 days ago
    The cancel, kill, etc. actions from CTASKS are performed using the CICSSET command.  The security error you are getting says you don't have access to the CICSSET command (in the Commands section of your user group).

    SECU005E KK$240 not authorized for CICSSET command

    Once you allow that then I'd expect you'll get the following error trying to do a Kill (or any other action) in your test region.  In the CICSJOBN resource you listed CICSAB02 as AM, which allows it to show up on the display, but in the Actions field you need to list the actions you want to allow (a blank list of Actions means none of them are authorized).  The user group GLOBAL has all actions listed for all resources, so you can view that to see a quick list of available Actions.

    SECU008E Command not authorized for CICSJOBN CICSAB02

    If you made the security updates on the same lpar as where you are doing your testing, then there is no need to do F SYSVIEW,RELOAD SECURITY.  This reload is only needed if you are sharing the security file across systems, it will cause the other systems to be reloaded.
    Regardless, after you make a security update you must exit the SECURITY command, at which point the changes are saved to the CNM4BSEC file, then any user affected by those changes must exit SYSVIEW and log in again to pick up the changes.  I suspect you may not have done that in your test above, which would explain why CICSAB20 still showed up.

    Check those items out, and if you still have a question/problem I suggest opening a support case to pursue further.

    Doug Miller
    Software Engineer