SYSVIEW Performance Management

  • 1.  Sysview CICS security

    Posted Oct 23, 2020 01:23 PM
    I'm working to restrict transaction KILL in prod CICS regions.  I've hit the books and started.

    I started simple and didn't get far.  I defined "CICS=" under 'Jobnames Section' with forbid on all fields.  If I read correctly, this means I should not see any CICS regions beginning with "CICS=".
    I see all CICS regions beginning with "CICS=".

    Why?


  • 2.  RE: Sysview CICS security

    Broadcom Employee
    Posted Oct 26, 2020 04:36 AM

    Hi Kevin,

    Please could you be a bit more specific on the KILL transaction restriction question... What did you specify where in CA Sysview...

    Also, the equal sign is possibly a masking character. Keep this in mind. Do you want to restrict the transaction in all the CICS regions starting with CICS, or starting with 'CICS='?
    You also mentioned, I see all the CICS regions beginning with 'CICS='. Where do you see them? Let us know.

    Best regards
    Hennie Hermans



    ------------------------------
    Principal Support Engineer
    CA Technologies, A Broadcom Company
    ------------------------------



  • 3.  RE: Sysview CICS security

    Posted Oct 26, 2020 08:39 AM
    You're right. I wasn't specific enough. My original attempt was to deny access to all CICS regions so I could verify whether they show up on CICSLIST. They do, leading me to believe I've got something wrong.

    This attempt is more to the point. Allow CTASK KILL to test regions; CICSxx02. Deny CTASK KILL access to prod regions; CICSxx20.

    • Security
      • User Groups
        • XYZZY Group
          • Resource Section
            • CICSJOBN
              • Add CICSAB02 AM (test)
              • Add CICSAB20 FM (prod)
    • Add my id to XYZZY group
    • Remove my id from Admin group
    • F SYSVIEW,RELOAD SECURITY
    • CICS CICSAB20 (prod)
      • CTASK
        • KILL/YES on a CEMT task I am running
          • SECU005E KK$240 not authorized for CICSSET command. This is expected.
    • CICS CICSAB02 (test)
      • CTASK
        • KILL/YES on a CEMT task I am running
          • SECU005E KK$240 not authorized for CICSSET command. This is NOT expected.
    Since CICSAB20 is specified as forbid, why can I still see it in CICSLIST?
    Why can transactions not be killed on CICSAB02?


  • 4.  RE: Sysview CICS security

    Broadcom Employee
    Posted Nov 20, 2020 02:36 PM
    Kevin,
    The cancel, kill, etc. actions from CTASKS are performed using the CICSSET command.  The security error you are getting says you don't have access to the CICSSET command (in the Commands section of your user group).

    SECU005E KK$240 not authorized for CICSSET command


    Once you allow that then I'd expect you'll get the following error trying to do a Kill (or any other action) in your test region.  In the CICSJOBN resource you listed CICSAB02 as AM, which allows it to show up on the display, but in the Actions field you need to list the actions you want to allow (a blank list of Actions means none of them are authorized).  The user group GLOBAL has all actions listed for all resources, so you can view that to see a quick list of available Actions.

    SECU008E Command not authorized for CICSJOBN CICSAB02

    If you made the security updates on the same lpar as where you are doing your testing, then there is no need to do F SYSVIEW,RELOAD SECURITY.  This reload is only needed if you are sharing the security file across systems; it will cause the other systems to be reloaded.
    Regardless, after you make a security update you must exit the SECURITY command, at which point the changes are saved to the CNM4BSEC file. Then any user affected by those changes must exit SYSVIEW and log in again to pick up the changes.  I suspect you may not have done that in your test above, which would explain why CICSAB20 still showed up.

    Check those items out, and if you still have a question/problem I suggest opening a support case to pursue further.

    ------------------------------
    Regards,
    Doug Miller
    Software Engineer
    Broadcom
    ------------------------------
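The layered check Doug describes (the CTASK action runs through the CICSSET command, so the Commands section is checked first; then the region must be AM in the CICSJOBN resource; then the action must appear in that entry's Actions field, a blank list meaning none) can be walked through with a small model. The code below is an added example written for this thread, not SYSVIEW code and not its security file format: the class layout, the check order and the message produced for a forbidden (FM) region are assumptions drawn from the replies, jobname masking is not modelled (exact match only), and the user id KK$240 and region names are the ones from the posts.

```python
"""Model of the user-group checks described in the thread (constructed example).

Assumptions: check order is CICSSET command -> CICSJOBN access -> Actions field,
as read from Doug's reply. Message wording for an FM region is assumed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ResourceEntry:
    """One CICSJOBN line: AM = allow, FM = forbid; blank Actions = none allowed."""
    access: str
    actions: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class UserGroup:
    name: str
    commands: frozenset   # Commands section allow-list
    cicsjobn: dict        # Resource section, CICSJOBN entries keyed by jobname


def visible_regions(group: UserGroup, all_regions):
    """Model CICSLIST: a region is displayed only if its CICSJOBN entry is AM."""
    return [r for r in all_regions
            if r in group.cicsjobn and group.cicsjobn[r].access == "AM"]


def authorize_ctask_action(group: UserGroup, user: str, jobname: str, action: str) -> str:
    """Return the first failing SECUnnnE message, or 'AUTHORIZED'."""
    # 1. CTASK actions are performed via CICSSET, so the command must be allowed.
    if "CICSSET" not in group.commands:
        return f"SECU005E {user} not authorized for CICSSET command"
    # 2. The region must be allowed (AM) in CICSJOBN. Message for FM is an assumption.
    entry = group.cicsjobn.get(jobname)
    if entry is None or entry.access != "AM":
        return f"SECU008E Command not authorized for CICSJOBN {jobname}"
    # 3. The action must be listed; a blank Actions field authorizes nothing.
    if action not in entry.actions:
        return f"SECU008E Command not authorized for CICSJOBN {jobname}"
    return "AUTHORIZED"


REGIONS = ["CICSAB02", "CICSAB20"]   # test and prod regions from the post


def as_posted() -> UserGroup:
    """XYZZY as Kevin set it up: no CICSSET, AM on test with no actions, FM on prod."""
    return UserGroup("XYZZY", frozenset(),
                     {"CICSAB02": ResourceEntry("AM"),
                      "CICSAB20": ResourceEntry("FM")})


def with_cicsset() -> UserGroup:
    """After adding CICSSET to the Commands section only."""
    g = as_posted()
    return UserGroup(g.name, frozenset({"CICSSET"}), g.cicsjobn)


def with_kill_action() -> UserGroup:
    """After also listing KILL in the Actions field of the CICSAB02 entry."""
    return UserGroup("XYZZY", frozenset({"CICSSET"}),
                     {"CICSAB02": ResourceEntry("AM", frozenset({"KILL"})),
                      "CICSAB20": ResourceEntry("FM")})


def walkthrough() -> dict:
    """Evaluate CICSLIST visibility and a KILL on each region for the three setups."""
    results = {}
    for label, g in [("as posted", as_posted()),
                     ("CICSSET allowed", with_cicsset()),
                     ("KILL action added", with_kill_action())]:
        results[label] = {
            "visible": visible_regions(g, REGIONS),
            "kill_test": authorize_ctask_action(g, "KK$240", "CICSAB02", "KILL"),
            "kill_prod": authorize_ctask_action(g, "KK$240", "CICSAB20", "KILL"),
        }
    return results


if __name__ == "__main__":
    for label, outcome in walkthrough().items():
        print(f"{label}: {outcome}")
```

Running it shows the sequence the reply predicts: with the group as posted, both regions fail on SECU005E because the CICSSET command is missing; once CICSSET is allowed, the test region fails on SECU008E because its Actions field is blank; only after KILL is listed does the test region authorize, while prod stays hidden from CICSLIST and denied. The model does not cover the point about exiting SECURITY and logging in again, which is about when the saved file takes effect rather than what it permits.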