The system log is used only for recovery purposes—for example, during dynamic transaction backout, or during emergency restart. Do not use it for any other purpose. Do not, therefore, write to it from a user application using the WRITE JOURNALNAME command.
RDEFINE JCICSJCT DFHLOG UACC(NONE) NOTIFY(sys_admin_userid)
In addition to the automatic journaling and forward recovery logging that CICS performs for user transactions (depending on the options in the file resource definitions), user applications can also write user journal records using the WRITE JOURNALNAME command.
Users needing to write journal records must have authority to write to the JOURNALNAME (as defined in JCICSJCT). CICS calls RACF® to perform a security check only for attempts to access a user journal by a CICS API command, and not for the journaling it performs in response to journaling options in the file resource definition. The CICS API does not provide a READ command for reading journals from a CICS transaction. For this reason, with proper exercise of control over the installation of applications on your CICS systems, you might consider it unnecessary to add RACF protection for journals that cannot be read from within CICS.
RDEFINE KCICSJCT userjnls UACC(NONE)
ADDMEM(JRNL001, JRNL002, ....)
NOTIFY(sys_admin_userid)
PERMIT userjnls CLASS(KCICSJCT) ID(group_userid) ACCESS(UPDATE)