Resource Classes for ESMAC and Operator Command Security

Note: The Enterprise Server Monitor and Control (ESMAC) interface has been deprecated. Micro Focus no longer supports ESMAC and will remove the feature in a future release. It has been provided for backward compatibility only. Micro Focus strongly recommends that you adopt the Enterprise Server Common Web Administration (ESCWA). See Enterprise Server Common Web Administration (ESCWA) for more information.
The list below defines the name of each default resource class used in Enterprise Server for ESMAC and operator command security, its meaning, the type of resource entities it contains, and the minimum permission that a user requires on the entities.
DCBINFO
A class that controls who can access the DCB information for cataloged datasets in ESMAC for an LDAP-secured region.
Entity
dataset name
Access levels
If a user has 'update' or 'alter' access to this resource, they can modify the dataset characteristics from the catalog page in ESMAC, using the DCB link.

If a user has 'Read' access to this resource, they can view the DCB info page from ESMAC, but cannot make any changes to the file properties.

If a user has 'None' access to this resource, they cannot view the DCB info page from ESMAC.

OPERCMDS
Relation
Class for operator commands used by the casstart, casstop, casfile, cassub, cassub.content, casout, and the following ESMAC pages:
  • JES Control (casrdo44) which disables job submission and initiator/printer starts; requires any access.
  • JES Alias (casrdo49) which disables update and delete of aliases; requires update access.
Note: The cassub.content resource class controls authorization for remote JCL submission by content.

Job submission through the IDE follows the same security rules as ESCWA and ESMAC. Therefore the user submitting a job through the IDE must have update access specified in the cassub entry.

Entities
Entity Description
JESALIAS If the user has 'Update' access to this resource, they are able to update or delete entries from the Alias table. If the user only has 'Read' access to this resource, the Update and Delete options are not available. If the user has 'None' access to this resource, they cannot access the Alias table at all.
DIAGS

Enables you to control who can access the console, the traces, and any dumps in ESMAC for an LDAP-secured region.

If the user has 'read', 'update', or 'alter' access to this resource, they are able to view the diagnostics, such as console.log, aux traces and dumps from ESMAC.

If the user has 'None' access to this resource, they cannot view the diagnostics from ESMAC.

Access Level
None, Read, or Update.
MFESMAC
Relation
MAC Class for controlling access to ESMAC Resources.

An attempt has been made to match the Entities listed below with the individual flags that are available for each user as defined in the old CICS Resource definition. For each "flag" there are three states: None, Read, Update.

Entities
Entity Description
TABLE This is the equivalent of the "Master" flag within the CICS RDT file. If your user has "Update" access to this resource then they will have the ability to interact with the majority of ESMAC functions. Primary items controlled by this setting are the appearance of the buttons for controlling the SEPS (Tracing, Stopping), Stopping the Server, Accessing the console.log, trace data, dump data, and the list of currently active ACEEs. If a user has "None" then they will not be shown any buttons other than the Server Status button and the Monitoring button, in addition to the Chg User button which allows them to sign on. The basic effect of no access to this resource is that they are treated in the same way as an unauthenticated user. If they have "Read" access they will be shown the options but will be unable to perform any updates. If they have "Update" access or greater then they have full control of these functions.
GRP This resource controls access to the buttons under the Resources list when the By Group selection is used. If the user has "Update" access to this resource, they will be able to access all the buttons that appear under the Resources list when the By Group selection is made.

The user also needs "Update" access, as well as the corresponding permission for a particular resource, in order to modify resources, including delete.

GRP controls just the Groups button in ESMAC under By Group. It also acts as an upper-level control for the resources which are added into groups.

GRP also controls the By Type dropdown in ESMAC. If the user has no access to GRP resource, the user is not able to view any of the resources and the By Type does not display the list of resource types in the sidebar.

Note: To be able to modify any resource that is associated with a group, the user needs to have alter access to the corresponding resource class in addition to alter access to the GRP resource.
IMS This controls access to the buttons under the Resources drop down when the IMS selection is utilized. See notes on GRP for details on the access rights.
JCL This controls access to the buttons under the Resources drop down when the JES selection is utilized. See notes on GRP for details on the access rights.
BAT, DCT, DOC, FCT, ICE, JCT, MPR, PCT, PLT, PPT, RNL, SIT, SNT, SUP, SYS6, SYSC, TCP, TCT, TERM, TST, TTYPE, URI, XAT, XLT This controls the access a user has to the various resources (for example, DCT, PCT, FCT) when selected via the By Type or Active menus under the Resources list. "None" indicates that they can do nothing with this resource type, "Read" indicates that they can see the current settings, and "Update" indicates that they can modify the entries of this type.

For example, if a user has READ access to PCT*, they will have the ability to view any PCTs defined to the system, but will not be able to update the entries. If the user has "Update" access then he or she can change entries and even install new ones, assuming appropriate CINS authority.

The resources listed above also control access to specific pages. For example, if a page is primarily the DCT details for a DCT entry, then attempting to access this page with no authority will result in you being directed to a "Sign-on" screen.

ENV

This controls whether a user has access to view the environment variable settings of an enterprise server by enabling or disabling the Env. Vars. button or using a direct URL.

To use this entity, create a new element (ENV*) in the LDAP schema in the CN=MFESMAC group below CN=Enterprise Server Resources. Configure the group or the user access rights using the microfocus-MFDS-Resource-ACE attribute - set ACE=deny:SYSADM group:read (disables the Env. Vars. button in ESMAC) or ACE=allow:SYSADM group:read (enables Env. Vars. in ESMAC).

TCLS

This controls whether a user has access to view the transaction class settings of an enterprise server by enabling or disabling the TranClass button or using a direct URL.

To use this entity, create a new element (TCLS*) in the LDAP schema in the CN=MFESMAC group below CN=Enterprise Server Resources. Configure the group or the user access rights using the microfocus-MFDS-Resource-ACE attribute - set ACE=deny:SYSADM group:read (disables the TranClass button in ESMAC) or ACE=allow:SYSADM group:read (enables TranClass in ESMAC).

MQL

This controls whether a user has access to view MQ listener and writer settings of an enterprise server in ESMAC.

To use this entity, create a new element (MQL*) in the LDAP schema in the CN=MFESMAC group below CN=Enterprise Server Resources.

Use the microfocus-MFDS-Resource-ACE attribute to configure the group or the user access rights. For example:

  • ACE=deny:SYSADM group:read - denies access to any MQ listeners and writers in ESMAC
  • ACE=allow:SYSADM group:read - enables users to view the MQ listeners and writers in ESMAC
  • ACE=allow:SYSADM group:alter - enables users to alter MQ listeners and writers in ESMAC
BDL This controls access to the ESMAC bundle button under the Resources drop down in ESMAC. Bundle is part of CICS WebServices. In order for Bundle to appear in ESMAC the correct CCSID tables need to be installed. See CCSID Conversion Tables for more information.
PIP This enables full access to any ESMAC PIPELINE Screen.
WEB This controls access to any ESMAC WEBSERVICE Screen.
THH This controls access to any ESMAC THRESHOLD Screen.
Access Level
None, Read, Update.
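
An added example, not part of the Micro Focus documentation: a Python check that parses ACE strings in the form shown for the ENV, TCLS and MQL entities and flags malformed entries and grants to principals outside an expected administrator set. The `OPERATOR group` principal, the sample data, the review rule and the ordering of access levels are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Access levels named on this page, weakest first (the ordering is an assumption).
LEVELS = {"none": 0, "read": 1, "update": 2, "alter": 3}
ACE_RE = re.compile(r"^(allow|deny):(.+):(\w+)$", re.IGNORECASE)


class Ace(NamedTuple):
    effect: str     # "allow" or "deny"
    principal: str  # e.g. "SYSADM group"
    level: str      # a key of LEVELS


def parse_ace(text: str) -> Ace:
    """Parse 'ACE=allow:SYSADM group:read'; the 'ACE=' prefix is optional."""
    value = text.strip()
    if value[:4].upper() == "ACE=":
        value = value[4:]
    m = ACE_RE.match(value)
    if not m or m.group(3).lower() not in LEVELS:
        raise ValueError(f"malformed ACE: {text!r}")
    return Ace(m.group(1).lower(), m.group(2).strip(), m.group(3).lower())


def audit(entries, admins, ceiling="none"):
    """Return (entity, ace_text, reason) for every ACE that needs review:
    unparseable values, and 'allow' grants above `ceiling` to non-admins."""
    findings = []
    for entity, aces in entries.items():
        for text in aces:
            try:
                ace = parse_ace(text)
            except ValueError as exc:
                findings.append((entity, text, str(exc)))
                continue
            if (ace.effect == "allow" and ace.principal not in admins
                    and LEVELS[ace.level] > LEVELS[ceiling]):
                reason = f"{ace.principal} granted {ace.level}"
                findings.append((entity, text, reason))
    return findings


# Constructed sample: MFESMAC entities mapped to their ACE values.
SAMPLE = {
    "ENV*": ["ACE=deny:SYSADM group:read"],
    "TCLS*": ["ACE=allow:SYSADM group:read"],
    "MQL*": ["ACE=allow:SYSADM group:alter",
             "ACE=allow:OPERATOR group:alter",  # hypothetical principal
             "ACE=allow SYSADM group read"],    # missing ':' separators
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, admins={"SYSADM group"}):
        print(finding)
```

The check reports each ACE on its own and does not compute effective access across several ACEs on one entity, because the page does not describe how ACEs are combined.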