
Securing CEMT SET/PERFORM/DISCARD

Question asked by BobBridges.real on Nov 21, 2018
Latest reply on Nov 27, 2018 by BobBridges.real

My CICS administrator wants to qualify access to CEMT, allowing everyone to do INQUIRY but restricting SET, PERFORM and DISCARD to herself.  I'm experimenting in the test region (let's name it CICSTEST), aiming to limit my own access in the desired way before trying to make the definition general.  But I'm not seeing the results I want; I think I could use some expert input.  Here's the current status:

 

1) Before I started, I saw that INQUIRE and SET were in each region's BYPLIST:

 

TSS9570I BYPASS TABLE DISPLAY FOR FACILITY  <CICSTEST>
TSS9571I RESOURCE=CEMT     BYPASS  NAMES:   INQUIRE  SET

 

So I removed SET from the BYPLIST using the following command: "TSS MODIFY FAC(CICSTEST=BYPREM(CEMT=SET))".  At least I think that was the command I used; it was a while ago.  At any rate, now INQUIRE but not SET is shown in the BYPLIST.  Then I refreshed my ID.

 

2) In the SPI class, two permissions: the CICS administrator's profile has SPI(**) ACCESS(ALL), and the ALL record has SPI(**) ACC(INQUIRE).

 

3) In my own ID, OTRAN(CEMT) ACC(EXECUTE) FAC(CICSTEST)

 

This works to the extent that I cannot execute CEMT in the prod region, and can in test.  But I'm nevertheless able to use SET to enable and disable a transaction, so I'm not being limited to ACC(INQUIRE) as I desire.  What am I missing?  I've never done this before—perhaps it's obvious—so I'm floundering a little.
