Implementing Security for IMS › CICS, IMS, and CA IDMS Considerations › CICS, IMS, and CA IDMS Implementation Strategy

CICS, IMS, and CA IDMS Implementation Strategy

CICS, IMS, and CA IDMS lend themselves to a gradual implementation strategy, since they usually run in multiple regions.

Plan your implementation by region, implementing CA Top Secret in the test regions first and migrating into production. You can enter your CA Top Secret definitions through TSO, CA Roscoe, or BATCH before you interface CA Top Secret with your first selected region.

The same general mode strategies apply for all of these facilities:

• Put the region in IMPLEMENT mode so that defined users are controlled through profile access definitions and undefined users are controlled through the security native to the particular facility.
• As you define new sets of users to CA Top Secret test each set by assigning WARN mode to its profile.
• Revoke WARN mode from the profile when you are satisfied that the users are properly defined. They will then be effectively treated as though they are in FAIL mode.
• When all the users are defined and selected resources protected migrate the region to FAIL mode.

The DEFPROT attribute can control whether CICS, IMS, and CA IDMS resources are protected by default or by definition in all modes. If you choose not to give default protection to them, you can include a gradual implementation strategy for resources. An effective approach is to protect users and resources by application. This approach allows the security administration group to concentrate on the requirements of each application, and to design a security scheme that is most effective for that application. Even if the region is already in FAIL mode, you can continue to protect resources by testing the definitions with ACIDs in WARN mode, and then making those resources available to the appropriate users.