My CICS administrator wants to qualify access to CEMT, allowing everyone to do INQUIRY but restricting SET, PERFORM and DISCARD to herself. I'm experimenting in the test region (let's name it CICSTEST), aiming to limit my own access in the desired way before trying to make the definition general. But I'm not seeing the results I want; I think I could use some expert input. Here's the current status:
1) Before I started, I saw that INQUIRE and SET were in each region's BYPLIST:
TSS9570I BYPASS TABLE DISPLAY FOR FACILITY <CICSTEST>
TSS9571I RESOURCE=CEMT BYPASS NAMES: INQUIRE SET
So I removed SET from the BYPLIST using the following comMand: "TSS MODIFY FAC(CICSTEST=BYPREM(CEMT=SET))". At least I think that was the command I used; it was a while ago. At any rate, now INQUIRE but not SET is shown in the BYPLIST. Then I refreshed my ID.
2) In the SPI class, two permissions:the CICS administrator's profile has SPI(**) ACCESS(ALL), and the ALL record has SPI(**) ACC(INQUIRE).
3) In my own ID, OTRAN(CEMT) ACC(EXECUTE) FAC(CICSTEST)
This works to the extent that I cannot execute CEMT in the prod region, and can in test. But I'm nevertheless able to use SET to enable and disable a transaction, so I'm not being limited to ACC(INQUIRE) as I desire. What am I missing? I've never done this before—perhaps it's obvious—so I'm floundering a little.