When a transaction is run under the CEDF transaction, CICS® determines the security processing for the target transaction from the logical OR of RESSEC in the resource definitions for the target transaction and the CEDF transaction.
Table 1 shows the security checking performed for the transaction XSUB for different settings of RESSEC.
CEDF | XSUB | Security checking |
---|---|---|
RESSEC(YES) | RESSEC(YES) | Any access to CICS resources causes a security check. |
RESSEC(YES) | RESSEC(NO) | Any access to CICS resources causes a security check. (Logical OR results in RESSEC on.) |
RESSEC(NO) | RESSEC(YES) | Any access to CICS resources causes a security check. (Logical OR results in RESSEC on.) |
RESSEC(NO) | RESSEC(NO) | Access to CICS resources does not cause a security check. (Logical OR results in RESSEC off.) |
To achieve the expected security processing for a transaction when it runs under CEDF, ensure that RESSEC for the CEDF transaction definition is set to NO. The IBM®-supplied definition of CEDF in the DFHEDF group specifies RESSEC(YES). Definitions in the IBM-supplied groups cannot be modified, so to change the definition, copy it to another group.
When the CEBR and CECI are invoked from within EDF they are transaction-attach checked. The CMDSEC and RESSEC definitions are forced when CEBR or CECI are invoked in this environment, regardless of what is coded in their transaction definitions