Security in z/VSE is provided by the Basic Security Manager (BSM) or by security products from Independent Software Vendors (ISVs). The BSM is part of z/VSE and provides basic functionality. Customers who need more functionality (e.g., field-level security, command security) may choose an ISV product instead of the BSM. With z/VSE V3.1.1, the BSM was enhanced to support additional resources and new functions. This article offers a short overview about the changes in the BSM.
Support of CICS RSL Resources
With VSE/ESA V2.4, CICS/VSE was replaced by CICS Transaction Server for VSE/ESA (CICS TS). Unlike CICS/VSE, CICS TS has no internal security function. Instead of CICS internal security, it issues RACROUTE calls. To support these RACROUTE calls, VSE/ESA V2.4 imported the System Authorization Facility (SAF) from MVS and introduced the BSM. Initially, the BSM protected only CICS sign-on and CICS transactions. With z/VSE V3.1.1, the BSM also supports the CICS Resource
Security Level (RSL) security for these CICS resources:
- Transient data
- Started and XPCT-checked transactions
- Application programs
- Temporary storage.
Control Terminal Users’ Access to CICS
To control the terminal users’ access to VTAM applications such as CICS, the BSM supports the resource class APPL. The users’ authority will be checked during sign-on. For example, if a user isn’t authorized to use the application DBDCCICS, the sign-on attempt will be rejected. This is an easy way to keep the user of a test CICS from using the production CICS.
General Resource Class FACILIT Y
The resource class FACILITY is for miscellaneous use by applications such as DITTO or the CICS Report Control Facility. The applications use their own resource names for access checks. For example, DITTO expects profile names of class FACLITY (e.g., DITTO.DISK.UPDATE or DITTO. DISK.INPUT) to control access to its disk accessing functions.
Flexible User Group Concept
In the past, the BSM supported the CICS security concept such as 64 transaction security keys. Instead of assigning such a security key to a user, you may connect a user to a group. For migration and maintenance reasons, we provide the groups GROUP01 through GROUP64. An installation is free to build its own groups and change the user connections as required.