Category 2 transactions are either initiated by the terminal user or associated with a terminal. Restrict authorization to initiate these transactions to user IDs that belong to specific RACF® groups.
For the CICS® resource definitions, the IBM®-supplied transactions are defined with the recommended RESSEC and CMDSEC options. In particular, CECI, CEDF, CEMT, CEST, and CIRP are all supplied with RESSEC(YES) and CMDSEC(YES), and the mirror transactions are defined with RESSEC(YES). If you need to change any of these definitions, copy them to another group and change the copies. Changing the supplied definitions of any other transactions is not recommended.
AUDIT(FAILURES) is the default, and need not be specified.
If you do not use resource security checking, change the mirror transaction definitions to specify RESSEC(NO). Because the mirror transactions are an IBM-protected resource, first copy their definitions into your own groups and then change the copies.
The CICS default user requires access to the CWBA transaction initially, even if a security analyzer is then used to assign another user ID to the task. Ensure that the CICS default user specified in the DFLTUSER system initialization parameter has access to this transaction. If you use the supplied CLIST DFH$CAT2 to create a WEBUSER RACF profile, the default user also needs access to that profile.
Define CMAC (the CICS "messages and codes" transaction) and CSGM (the "good morning" transaction, or whatever transaction your installation specifies on the GMTRAN system initialization parameter instead of CSGM) as UACC(READ) in a group of their own, because all users need access to them. If your installation uses CSGM as its "good morning" transaction, users who are not authorized to use CSGM receive message DFHAC2002 when they attempt to use CICS. Also include your "goodnight" transaction in this group, if you defined one with the GNTRAN system initialization parameter.
The sample CLIST DFH$CAT2 (in library CICSTS31.CICS.SDFHSAMP) can help you define the category 2 profiles to RACF. If you want to use this example setup, review this CLIST and make the changes necessary for your installation before running it. If you want to use a different setup, you can adapt this CLIST, or provide your own.
Figure 1 shows how to use RDEFINE and PERMIT commands to define the example groups for category 2 transactions.
```
RDEFINE GCICSTRN SYSADM UACC(NONE)
        ADDMEM(CCRL,CDBC,CEMT,CETR,CEDA,CIND,CESD,CREA)
        NOTIFY(security_admin_userid)
        OWNER(userid or groupid)
PERMIT SYSADM CLASS(GCICSTRN) ID(sysgrp1,..,sysgrpz) ACCESS(READ)
RDEFINE GCICSTRN DEVELOPER UACC(NONE)
        ADDMEM(CADP,CEDF,CEBR,CECI,CECS,CEDB,CEDX)
        NOTIFY(security_admin_userid)
        OWNER(userid or groupid)
PERMIT DEVELOPER CLASS(GCICSTRN) ID(devgrp1,..,devgrpz) ACCESS(READ)
RDEFINE GCICSTRN INQUIRE UACC(NONE)
        ADDMEM(CDBI,CEDC,CREC)
        NOTIFY(security_admin_userid)
        OWNER(userid or groupid)
PERMIT INQUIRE CLASS(GCICSTRN) ID(inqgrp1,..,inqgrpz) ACCESS(READ)
RDEFINE GCICSTRN OPERATOR UACC(NONE)
        ADDMEM(CWTO,CRTE,CMSG,CEST,CEOT,CIDP,CSFE,DSNC,CBAM)
        NOTIFY(security_admin_userid)
        OWNER(userid or groupid)
PERMIT OPERATOR CLASS(GCICSTRN) ID(opsgrp1,..,opsgrpz) ACCESS(READ)
RDEFINE GCICSTRN DBCTL UACC(NONE)
        ADDMEM(CDBC,CDBI,CDBM,CDBT)
        NOTIFY(security_admin_userid)
        OWNER(userid or groupid)
PERMIT DBCTL CLASS(GCICSTRN) ID(dbctgrp1,..,dbctgrpz) ACCESS(READ)
RDEFINE GCICSTRN INTERCOM UACC(NONE)
        ADDMEM(CEHP,CEHS,CPMI,CSHR,CSMI,CSM1,CSM2,CSM3,CSM5,CVMI,CDFS,CTIN)
        NOTIFY(security_admin_userid)
        OWNER(userid or groupid)
PERMIT INTERCOM CLASS(GCICSTRN) ID(intrgrp1,..,intrgrpz) ACCESS(READ)
RDEFINE GCICSTRN ALLUSER UACC(READ)
        ADDMEM(CMAC,CRTX,CSGM)
        NOTIFY(security_admin_userid)
        OWNER(userid or groupid)
PERMIT ALLUSER CLASS(GCICSTRN) ID(allrgrp1,..,allrgrpz) ACCESS(READ)
RDEFINE GCICSTRN WEBUSER UACC(NONE)
        ADDMEM(CWBA)
        NOTIFY(security_admin_userid)
        OWNER(userid or groupid)
PERMIT WEBUSER CLASS(GCICSTRN) ID(webgrp1,..,webgrpz) ACCESS(READ)
RDEFINE GCICSTRN RPCUSER UACC(NONE)
        ADDMEM(CRPA,CRPC,CRPM)
        NOTIFY(security_admin_userid)
        OWNER(userid or groupid)
PERMIT RPCUSER CLASS(GCICSTRN) ID(rpcrgrp1,..,rpcrgrpz) ACCESS(READ)
RDEFINE GCICSTRN IIOPUSER UACC(NONE)
        ADDMEM(CIRP)
        NOTIFY(security_admin_userid)
        OWNER(userid or groupid)
PERMIT IIOPUSER CLASS(GCICSTRN) ID(iiopgrp1,..,iiopgrpz) ACCESS(READ)
RDEFINE GCICSTRN AFFINITIES UACC(NONE)
        ADDMEM(CAFF,CAFB)
        NOTIFY(security_admin_userid)
        OWNER(userid or groupid)
PERMIT AFFINITIES CLASS(GCICSTRN) ID(affngrp1,..,affngrpz) ACCESS(READ)
RDEFINE GCICSTRN PIPEUSER UACC(NONE)
        ADDMEM(CPIH,CPIL,CPIQ,CPIA)
        NOTIFY(security_admin_userid)
        OWNER(userid or groupid)
PERMIT PIPEUSER CLASS(GCICSTRN) ID(pipeline_access_list) ACCESS(READ)
```
Transaction | CSD group | Program invoked | Description
---|---|---|---
CADP | DFHDP | DFHDPLU | Application debugging profile manager
CIDP | DFHDP | DFHDPIN | Inactivate debugging profiles utility
CREA | DFHADST | DFHADDRM | Request Model creation transaction
CREC | DFHADST | DFHADDRM | Request Model creation transaction
CTIN | DFHCLNT | DFHZCT1 | CICS client CTIN transaction
CMAC | DFHCMAC | DFHCMAC | Displays CICS messages online
CWTO | DFHCONS | DFHCWTO | Writes to console operator
CDBC | DFHDBCTL | DFHDBME | DBCTL interface menu transaction
CDBI | DFHDBCTL | DFHDBIQ | DBCTL interface inquiry transaction
CDBM | DFHDBCTL | DFHDBMP | DBCTL operator transaction
CDBT | DFHDBCTL | DFHDBDSC | DBCTL interface disconnection transaction
DSNC | DFHDB2 | DFHD2CM1 | DB2® attachment facility transaction
CEDF | DFHEDF | DFHEDFP | Provides execution diagnostic facility
CEDX | DFHEDF | DFHEDFP | Execution diagnostic facility for non-terminal tasks
CEBR | DFHEDF | DFHEDFBR | Browse temporary storage
CSFE | DFHFE | DFHFEP | Tests field engineering terminal
CIRP | DFHIIOP | DFJIIRP | IIOP request processor
CIND | DFHINDT | DFHINDT | Provides the in-doubt test tool
CECI | DFHINTER | DFHECIP | CICS command interpreter
CECS | DFHINTER | DFHECSP | Checks CICS command syntax
CDFS | DFHISC | DFHDFST | Dynamic starts with interval
CEHP | DFHISC | DFHCHS | Provides CICS OS/2 remote server mirror
CEHS | DFHISC | DFHCHS | Provides CICS/VM remote server mirror
CPMI | DFHISC | DFHMIRS | Provides CICS OS/2 LU6.2 mirror
CRTE | DFHISC | DFHRTE | Provides start transaction routing session
CRTX | DFHISC | N/A | Provides default dynamic routing transaction
CSHR | DFHISC | DFHMIRS | Scheduler services remote routing
CSMI | DFHISC | DFHMIRS | Provides ISC mirror transaction
CSM1 | DFHISC | DFHMIRS | Provides ISC SYSMSG model
CSM2 | DFHISC | DFHMIRS | Provides ISC scheduler model
CSM3 | DFHISC | DFHMIRS | Provides ISC queue model
CSM5 | DFHISC | DFHMIRS | Provides ISC DL/I model
CVMI | DFHISC | DFHMIRS | Provides LU6.2 synclevel 1 mirror
CMSG | DFHMSWIT | DFHMSP | Provides message switching
CEMT | DFHOPER | DFHEMTP | Processes master terminal command
CEOT | DFHOPER | DFHEOTP | Inquires on user's own terminal status
CEST | DFHOPER | DFHESTP | Processes supervisor terminal command
CETR | DFHOPER | DFHCETRA | Provides inquire and set trace options
CRPA | DFHRPC | DFHRPAS | ONC/RPC Alias transaction
CRPC | DFHRPC | DFHRPC00 | ONC/RPC Update transaction
CRPM | DFHRPC | DFHRPMS | ONC/RPC Server controller
CESD | DFHSDAP | DFHCESD | Provides shutdown assist transaction
CEDA | DFHSPI | DFHEDAP | Provides resource definition online (full)
CEDB | DFHSPI | DFHEDAP | Provides resource definition online (restricted)
CEDC | DFHSPI | DFHEDAP | Views resource definition online
CSGM | DFHVTAM | DFHGMM | Provides CICS good morning message
CWBA | DFHWEB | DFHWBA | CICS web support alias transaction