Security checking of transactions running under CEDF

When a transaction is run under the CEDF transaction, CICS® determines the security processing for the target transaction from the logical OR of RESSEC in the resource definitions for the target transaction and the CEDF transaction.

Table 1 shows the security checking performed for the transaction XSUB for different settings of RESSEC.

Table 1. Security checking of transactions running under CEDF
CEDF XSUB Security checking
RESSEC(YES) RESSEC(YES) Any access to CICS resources causes a security check.
RESSEC(YES) RESSEC(NO) Any access to CICS resources causes a security check. (Logical OR results in RESSEC on.)
RESSEC(NO) RESSEC(YES) Any access to CICS resources causes a security check. (Logical OR results in RESSEC on.)
RESSEC(NO) RESSEC(NO) Access to CICS resources does not cause a security check. (Logical OR results in RESSEC off.)

To achieve the expected security processing for a transaction when it runs under CEDF, ensure that RESSEC for the CEDF transaction definition is set to NO. The IBM®-supplied definition of CEDF in the DFHEDF group specifies RESSEC(YES). Definitions in the IBM-supplied groups cannot be modified, so to change the definition, copy it to another group.

When the CEBR and CECI are invoked from within EDF they are transaction-attach checked. The CMDSEC and RESSEC definitions are forced when CEBR or CECI are invoked in this environment, regardless of what is coded in their transaction definitions

When CEDF is used to test a transaction, the authorities of the user executing the CEDF transaction are taken into account, as well as those of the user executing the transaction being tested. For each resource accessed by the tested transaction, both users must have access authority, otherwise a NOTAUTH condition is raised. This applies to all resource checks: