Additional security controls, beyond those enabled by product installation and configuring security with the default settings,
can be enabled for greater
enterprise server region security.
ESF resource classes
There are some optional resource classes which are not defined by the default security configuration shipped with
Enterprise Server. Defining these classes and installing appropriate resource access control rules can significantly improve security.
This topic assumes that the External Security Facility (ESF) has been configured, and a Security Manager using the
MLDAP ESM Module or
VSAM ESM Module is being used for resource access control.
See your product Help for more information on how to specify additional resource classes in the External Security Manager.
- PHYSFILE
- The
PHYSFILE resource class restricts what OS files can be used as JCL data sets.
Important: You must specify this class for any
enterprise server region which uses JES. Otherwise, any user that can submit arbitrary JCL can operate on any file on the server system, with the
permissions of the account under which the
enterprise server region is running, simply by defining a data set appropriately using a catalog entry or
PCDSN.
Under the PHYSFILE class, rules should allow one or more paths, with the appropriate level of access (typically at least one
with full access for creating new data sets, possibly some with read-only access), and deny others using a rule with the name
**.
- Communications Server
- The Communications Server class is used to restrict access to some administration features of the Communications Server process(es)
associated with each
enterprise server region. Restricting these features improves security primarily by reducing the information available to an attacker. See
Resource Classes for Communications Server in your product Help for more information.
- AdminAPI
- This class can be used to restrict access to the External Security Facility's Admin API. If the Admin API is not being used
to update security data, an appropriate rule set might be:
LIST*: allow:*:read
*: deny:*:all
This would permit only LIST functions, which are used internally by some
Enterprise Server functions.
Security checks for CICS transactions
When a CICS transaction program is executing, the security checks made by the CICS subsystem are influenced by two settings
in the CICS PCT entry for that transaction:
- Resource Level Security (RLS)
- This option controls whether access checks are made for the CICS resources (such as files, queues, and so forth) specified
in EXEC CICS statements.
- Command Security (Cmd)
- This option controls whether access checks are made if the program attempts to use any of the CICS System APIs, such as EXEC
CICS INQUIRE.
Enabling these options in the CICS transaction definitions improves security.