Multilevel security and row-level security

DB2 Version 8 introduced support for multilevel security. CICS does not provide specific support for multilevel security, but you can use CICS in a multilevel-secure environment provided that you take care with the configuration.

For more information about multilevel security, see:

When multilevel security is implemented at row level (row-level security) for data in DB2 Version 8 or later, the RACF SECLABEL class is activated, and a set of security labels is defined for users and for the DB2 table rows. The RACF options SETR MLS and MLACTIVE are not required to be active. You can use DB2 row-level security without impact on the rest of the MVS system.

CICS can access DB2 rows secured in this way. For CICS, ensure that the RACF user profile of each CICS user who needs access to the protected DB2 rows is defined in RACF with a default SECLABEL. The z/OS Security Server RACF Security Administrator's Guide, SA22-7683, explains how to do this.

When a CICS user signs on to a CICS region with SEC=YES specified in the SIT, RACF associates the default SECLABEL with the RACF access control environment element (ACEE) for the user. The DB2ENTRY definition (or DB2CONN definition if the pool is being used) needs to specify AUTHTYPE=USERID or AUTHTYPE=GROUP, which ensures the ACEE is passed on to DB2 for further security checking. An individual CICS user can therefore only have one associated SECLABEL.

For non-terminal tasks or programs, such as PLT programs, if the PLTPIUSR system initialization parameter is not specified and PLTPISEC=NONE is specified, PLT programs run under the CICS region userid. In this case, you need to define the CICS region userid with a default SECLABEL. If different transactions need different SECLABELs, you must run each transaction in a separate CICS region that has a different CICS region userid and associated SECLABEL.
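The configuration described above, brought together as a single batch job. This is an added example, not from the CICS documentation or from IBM: the RACF commands run through the TSO batch program IKJEFT01, the DB2ENTRY is defined with the CICS CSD utility DFHCSDUP, and the SIT settings appear as a commented fragment of the region's startup SYSIN. All userids, label names, data set names, transaction, group and plan names (CICSUSR1, CICSRGN1, SECHIGH, SECLOW, PAYROLL, PAYENT, TRN1, DB2GRP1, CICSPLAN, CICSTS.*) are constructed placeholders.

```jcl
//SECLAB   JOB (ACCT),'RACF SECLABEL FOR CICS',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the CICS documentation. All names below are
//* constructed placeholders; substitute your own.
//*
//* Step 1: RACF. Define security levels and a category, activate the
//* SECLABEL class, define two labels, and give each CICS user and the
//* CICS region userid a default SECLABEL. SETROPTS MLS and MLACTIVE are
//* deliberately NOT set: DB2 row-level security does not need them.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RDEFINE SECDATA SECLEVEL ADDMEM(HIGH/200 LOW/100)
 RDEFINE SECDATA CATEGORY ADDMEM(PAYROLL)
 SETROPTS CLASSACT(SECLABEL) RACLIST(SECLABEL)
 RDEFINE SECLABEL SECHIGH SECLEVEL(HIGH) ADDCATEGORY(PAYROLL)
 RDEFINE SECLABEL SECLOW  SECLEVEL(LOW)
 ALTUSER CICSUSR1 SECLABEL(SECHIGH)
 PERMIT  SECHIGH CLASS(SECLABEL) ID(CICSUSR1) ACCESS(READ)
 ALTUSER CICSRGN1 SECLABEL(SECLOW)
 PERMIT  SECLOW  CLASS(SECLABEL) ID(CICSRGN1) ACCESS(READ)
 SETROPTS RACLIST(SECLABEL) REFRESH
/*
//*
//* Step 2: CICS CSD. AUTHTYPE(USERID) passes the signed-on user's ACEE,
//* and with it the default SECLABEL, to DB2 for row-level checking.
//* AUTHTYPE(GROUP) would serve the same purpose.
//CSDUP    EXEC PGM=DFHCSDUP
//STEPLIB  DD DSN=CICSTS.SDFHLOAD,DISP=SHR
//DFHCSD   DD DSN=CICSTS.DFHCSD,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
* Thread definition for transaction TRN1 (placeholder names)
 DEFINE DB2ENTRY(PAYENT) GROUP(DB2GRP1)
        TRANSID(TRN1) AUTHTYPE(USERID) PLAN(CICSPLAN)
/*
//*
//* Step 3: SIT overrides in the region's startup SYSIN (fragment shown
//* as comments). SEC=YES makes RACF attach the default SECLABEL to the
//* user's ACEE at sign-on. With no PLTPIUSR and PLTPISEC=NONE, PLT
//* programs run under the region userid CICSRGN1, which is why Step 1
//* gave that userid a default SECLABEL too.
//*
//*   SEC=YES,
//*   PLTPISEC=NONE,
//
```

The DB2 side is outside this job: the table holding the protected rows must carry a security label column (declared with AS SECURITY LABEL in DB2 Version 8 or later), and each row's label is compared with the SECLABEL that arrives on the ACEE. Because a user has exactly one default SECLABEL, a single CICS region can only ever present one label per signed-on user; a PLT program that needs a different label has to run in a region whose userid carries that label.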

Related concepts
Security in a CICS DB2 environment
Controlling access to DB2 resources in CICS
Providing authorization IDs to DB2 for the CICS region and for CICS transactions