CICS EDF Tool - Read Only Mode

This RFE is satisfied by CICS TS 5.4 which is generally available from today June 16th 2017.
For more information see the announcement letter https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=an&subtype=ca&supplier=897&letternum=ENUS217-113

CICS TS 5.4 provides a read-only form of CEDF called CEDG and a read-only form of CEDX called CEDY.

This RFE is satisfied by CICS TS 5.4 which was announced on May 16th 2017 with a planned general availability date of June 16th 2017.
For more information see the announcement letter https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=an&subtype=ca&supplier=897&letternum=ENUS217-113

CICS TS 5.4 provides a read-only form of CEDF called CEDG and a read-only form of CEDX called CEDY.

This is something we would like to address. The RFE is being moved into 'Planned for Future release' status. Please note:
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

For a read-only EDF, modifying storage and the EIB would be disabled, NOOPing the command would be disabled, abending the the task would be disabled, invoking CECI and CEBR (although CEBR browses a queue, it also allows purge of a queue which should be disallowed) would be disabled. The only input from a screen that would be accepted would be to specify STOP conditions when using EDF.

A question that arises is how should it be activated?

One option would be to have new transaction ids, so perhaps CEDG would be the read-only form of CEDF and CEDY could be the read-only form of CEDX. That way you can use transaction-attach security and specify which userids are allowed to attach CEDF and which are allowed to attach CEDG etc.

Another option would be to keep the same CEDF and CEDX transaction ids, but to have an additional security check. Today EDF does two TRANSATTACH security checks, ie to check the userid is allowed to attach CEDF and then a second check to check that CEDF is allowed to attach the user transaction. What if there was a third security check, this time using TRANSACTION resource security rather than TRANSATTACH. Transaction resource security is normally used for resource checks when doing EXEC CICS INQUIRE/SET TRANSACTION commands. This third security check would be something you opt in to, ie by default CEDF would be read/write. However if you defined a profile that had READ access to transactions CEDF and CEDX this could be the trigger for CEDF and CEDX to run in read-only mode. The idea would be you would allow anyone to attach CEDF and CEDX but assign all userids (except the privileged few), to have read access to CEDF and CEDX. Hence everyone except a privileged few can only run the read-only version in production. Test regions that run with security would need to use different profiles to allow use of read/write CEDF in test..

Any thoughts/comments ?

Due to processing by IBM, this request was reassigned to have the following updated attributes:
Brand - Servers and Systems Software
Product family - Transaction Processing
Product - CICS Transaction Server

For recording keeping, the previous attributes were:
Brand - WebSphere
Product family - Transaction Processing
Product - CICS Transaction Server

This is something we would like to investigate. It is a candidate for a future release.