Defining the HFM3PARM member

If auditing is to be controlled from parmlib (user has read access to FILEM.PARMLIB.CICS, see SAF-controlled auditing for Z Data Tools CICS component), then member HFM3PARM must be defined in SYS1.PARMLIB (or any other library in the logical parmlib concatenation) as follows.

Default parmlib member HFM3PARM is provided in the SHFMSAM1 library. Copy this member to the appropriate system parmlib library. See below for details of methods that can be used to make this change.

Note: The sample HFM3PARM member supplied in SHFMSAM1 also includes a FMSECRTY statement. This option is not used at present, and can be either omitted, or commented out. It has no effect.

There are two methods that can be used to include the HFM3PARM member in a library in the logical parmlib concatenation. The choice of method depends on whether the installation's security software is configured to allow ZDT/CICS users READ access to the data set SYS1.PARMLIB.

Method 1 can only be used when ZDT/CICS users have read access to SYS1.PARMLIB.

Method 2 can be used regardless of whether ZDT/CICS users have READ access to SYS1.PARMLIB or not, and must be used when ZDT/CICS users do not have READ access to SYS1.PARMLIB.

Method 1
Place the HFM3PARM member in any library in the current logical parmlib concatenation. No IPL or other action is required to activate the new member unless a new library was added to the logical parmlib concatenation.
Notes:
  1. Method 1 cannot be used in any situation where ZDT/CICS users do not have READ access to SYS1.PARMLIB. For example, when ZDT/CICS users have READ access to another library in the logical parmlib concatenation, and the HFM3PARM member is placed in the latter library. This will not work. The key issue is whether the ZDT/CICS user has READ access to SYS1.PARMLIB.
  2. Using this method results in message IEE252I being written to the system log whenever a ZDT/CICS user accesses SYS1.PARMLIB. These messages cannot be suppressed. To avoid these messages use Method 2.
Method 2
This method must be used when ZDT/CICS users do not have READ access to SYS1.PARMLIB, or when suppression of the IEE252I messages is required.
  1. Create a new library with dataset attributes similar to SYS1.PARMLIB.
    The library name for this data set must include the string "HFMPARM" in one of the qualifiers. You can choose any data set name that meets this requirement. Examples of suitable data set names are:
    • SYS1.PARMLIB.HFMPARM
    • SYS8.HFMPARM.PARMLIB
    • HFMPARM.SYS8.PARMLIB
    • SYS2.HFMPARMS.LIB
    • SYS8.XHFMPARM.PARMLIB
  2. Add member HFM3PARM to the new library, specifying the appropriate FMAUDIT parameter.
  3. Add the new library to the logical parmlib concatenation. This can be done dynamically, or by means of a system IPL.
Note: When Method 2 is used, the HFM3PARM member must be located in the library created in step 1. If the HFM3PARM member specifies any include statements (see Facilities for customizing the HFM3PARM definitions), all of the included members must also reside in the same library.
You use the HFM3PARM member to define:
  • Whether ZDT/CICS uses SAF to control ZDT/CICS audit logging.
  • The SAF resource name prefix to be used by ZDT/CICS when determining access to various resources.
  • Whether ZDT/CICS loads the HFM3POPT module from a specific library.

For more information, see ZDT/CICS options specified in HFM3PARM.