For the purposes of this discussion, we divide the RACF® profile definitions for your CICS®-supplied
transactions into three categories. Each transaction is identified within
a category that describes its use within CICS. Each category specifies the
recommended security specifications you need, in terms of both the CICS transaction
definitions and the corresponding RACF profiles. The three categories are:
- Category 1 transactions: Transactions that are never associated with a terminal; that is, they are
  for CICS internal use only, and should not be invoked from a user terminal.
- Category 2 transactions: Transactions that are initiated by the terminal user, or are associated
  with a terminal, and for which access should be restricted to specific signed-on
  users.
- Category 3 transactions: Transactions that are either initiated by the terminal user, or are associated
  with a terminal, and for which access is required by all terminal users, whether
  signed-on or not.
The three categories contain all the required CICS transactions, which
are generated in their designated groups when you initialize your CICS system
definition data set (CSD). The CSD does not include the CICS sample transactions
(those that are in groups starting with DFH$). Sample applications should
not require RACF protection, because you are unlikely to install them on a
CICS production system.
For details about defining CICSPlex® SM-related
transactions, see Defining the CICSPlex SM transactions in a CMAS, Defining the CICSPlex SM transactions in a MAS,
and Defining the CICSPlex SM transactions for a WUI. Note that unpredictable
results can occur if a CICSPlex SM transaction
is invoked in a region in which it is not intended to run.
By default, all CICS transactions are subject to RACF protection (with
the exception of category 3 transactions—see
JES spool protection in a CICS environment),
unless you run your CICS regions with transaction security switched off. You
can do this either by:
- Specifying the system initialization parameter SEC=NO, which switches
off all security checking, or
- Specifying the system initialization parameter XTRAN=NO, which switches
off transaction-attach security checking only.
There is no parameter on the transaction resource definition that allows
you to run with transaction security on some transactions but not others.
If you are running with transaction security (SEC=YES and XTRAN=YES), CICS
issues a security check for each transaction attach, other than a transaction
within category 3, to establish whether the user is permitted to run that
transaction.
The following CICS-supplied transactions CDBN and CSXM are not
subject to security checking, and are exempt from security categorization.
Any security definitions for these transactions are redundant.
- CDBN: DBCTL interface connection transaction
- CEKL: Master terminal transaction for emergency use. This transaction can be
  used only at an operating system console that has the authority to issue MODIFY
  commands for the CICS region.
- CSXM: The transaction used by CICS services to get and free a transaction environment
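
As an added illustration (not IBM's code), the Python sketch below audits a region's system initialization overrides for the SEC and XTRAN switches described above and reports which category 1 and 2 transactions would attach without a security check. The simplified override syntax it parses, the SEC=YES and XTRAN=YES defaults, and the category assignments in the sample data are assumptions, not taken from this page.

```python
# Added example: audit SIT overrides for transaction-attach security.
EXEMPT = {"CDBN", "CEKL", "CSXM"}  # listed on this page as exempt from checking

def parse_sit(text):
    """Parse simplified overrides: KEY=VALUE items split by commas or newlines,
    '*' comment lines, '.END' terminator. A later value replaces an earlier one."""
    params = {"SEC": "YES", "XTRAN": "YES"}  # assumed defaults
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        if line.upper().startswith(".END"):
            break
        for item in line.split(","):
            key, sep, value = item.partition("=")
            if sep:
                params[key.strip().upper()] = value.strip().upper()
    return params

def attach_check_issued(tranid, category, params):
    """True if a security check is issued when this transaction attaches."""
    if tranid in EXEMPT or category == 3:
        return False  # never checked, whatever the region settings
    # Assumption: any XTRAN value other than NO leaves attach checking on.
    return params["SEC"] != "NO" and params["XTRAN"] != "NO"

def audit(sit_text, transactions):
    """Return (findings, unchecked) for a {tranid: category} mapping."""
    params = parse_sit(sit_text)
    findings = []
    if params["SEC"] == "NO":
        findings.append("SEC=NO: all security checking is switched off")
    elif params["XTRAN"] == "NO":
        findings.append("XTRAN=NO: transaction-attach checking is switched off")
    unchecked = sorted(t for t, c in transactions.items()
                       if c in (1, 2) and not attach_check_issued(t, c, params))
    return findings, unchecked

# Constructed sample input; category assignments here are illustrative assumptions.
SAMPLE_SIT = """* constructed overrides for a test region
SEC=YES,
XTRAN=NO,
.END
"""
SAMPLE_TRANS = {"CEMT": 2, "CEDA": 2, "CSSY": 1, "CESN": 3, "CSXM": None}

if __name__ == "__main__":
    findings, unchecked = audit(SAMPLE_SIT, SAMPLE_TRANS)
    print(findings)
    print("attach without a check:", unchecked)
```

Because the switch is region-wide, a single XTRAN=NO override leaves every category 1 and 2 transaction in the inventory unchecked, which is why the audit reports them as a group.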