Question

I have a CICS application and I don't want to develop a login screen. Instead, I want to restrict access by fetching the user ID and then verifying whether the user is allowed to run my application. Is this possible? Thank you.


Solution

There are probably better ways of restricting access to certain transactions within a CICS environment than by grabbing the USER ID and comparing to a list. Most shops have developed standard techniques for restricting access to transactions within CICS. However, if you must find the User Id, try something like this:

       EXEC CICS ASSIGN                                              
            USERID(WS-USERID)                                        
       END-EXEC.   

where WS-USERID is a working storage PIC X(8) field.

This is a link to the documentation for CICS ASSIGN.

EDIT

How to check against multiple user ids? You need a list of authorized users to compare the current user id against. If the user id is in the list, the user is authorized to use the transaction. Typically you have a couple options for managing such a list:

  • SELECT against a database table containing authorized user ids. Use the current user id as the predicate (e.g. WHERE USER_ID = :WS-USERID). If you get a row back, the user is authorized.
  • SEARCH/SEARCH ALL a WORKING-STORAGE table populated with authorized user ids for a match. If you get a match, the user is authorized.

The WORKING-STORAGE table solution is the least flexible since the program may need to be updated and re-compiled each time a new user is added or removed.

However, as pointed out by myself and cschneid, access security is best handled outside of application programs using something like RACF or ACF2. Your local systems administration should be able to help you get this set up.
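The WORKING-STORAGE variant described above, as an added example that is not part of the original answer: it fetches the user ID, checks the command response, and denies by default unless SEARCH ALL finds a match. The program name AUTHCHK, the field names and the three user IDs are constructed for illustration.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. AUTHCHK.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-USERID            PIC X(8).
       01  WS-RESP              PIC S9(8) COMP.
       01  WS-MSG               PIC X(30).
      * Constructed sample IDs. They must stay in ascending order
      * because SEARCH ALL performs a binary search.
       01  WS-AUTH-VALUES.
           05  FILLER           PIC X(8) VALUE 'APPUSR01'.
           05  FILLER           PIC X(8) VALUE 'APPUSR02'.
           05  FILLER           PIC X(8) VALUE 'APPUSR03'.
       01  WS-AUTH-TABLE REDEFINES WS-AUTH-VALUES.
           05  WS-AUTH-ENTRY    OCCURS 3 TIMES
                                ASCENDING KEY IS WS-AUTH-ID
                                INDEXED BY AUTH-IDX.
               10  WS-AUTH-ID   PIC X(8).
       PROCEDURE DIVISION.
       MAIN-PARA.
      * Deny by default: only a table match changes the message.
           MOVE 'NOT AUTHORIZED' TO WS-MSG
      * If nobody is signed on, ASSIGN returns the CICS default
      * user ID, so that ID must never appear in the table.
           EXEC CICS ASSIGN
                USERID(WS-USERID)
                RESP(WS-RESP)
           END-EXEC
      * A failed ASSIGN skips the lookup and stays denied.
           IF WS-RESP = DFHRESP(NORMAL)
               SEARCH ALL WS-AUTH-ENTRY
                   AT END
                       CONTINUE
                   WHEN WS-AUTH-ID (AUTH-IDX) = WS-USERID
                       MOVE 'AUTHORIZED' TO WS-MSG
               END-SEARCH
           END-IF
      * A real program would branch to its business logic on a
      * match; this sketch only reports the decision and ends.
           EXEC CICS SEND TEXT
                FROM(WS-MSG)
                LENGTH(LENGTH OF WS-MSG)
                ERASE
                FREEKB
           END-EXEC
           EXEC CICS RETURN END-EXEC.
           GOBACK.
```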

OTHER TIPS

CICS can talk to an external security manager, such as RACF, CA-ACF2, or CA-Top Secret. Applications are often secured at a transaction level by having the correct rules or profiles in place in the external security manager.

This way, security actions are performed external to the application logic. Access is granted by security personnel and not by an application developer.

To follow on to your comment to NealB's answer regarding multiple users: Your security administrators can add all of the userids in question to a group, and then define access permissions to that group for your transaction.

You really should let your security administration handle transaction access. Good system design puts security management outside of the application.

With CICS TS V4.2 and above with the Security Extensions Feature Pack (integrated in V5.2) you can use SAML assertions coming from distributed applications to provide even more granular access control.

Licensed under: CC-BY-SA with attribution