If you run CICS as a started task, consider defining the CICS region user ID and the CICS default userid as protected user IDs.
Protected user IDs cannot be used to enter the system by any means that requires a password, such as logging on to TSO, signing on to CICS, or running a batch job that specifies a password on the JOB card. Users cannot, by inadvertently or deliberately entering an incorrect password, cause a protected user ID to be revoked.
To create a protected user ID, specify the NOPASSWORD and NOIDCARD options attributes on the user profile. For more information about protected user IDs, see z/OS Security Server RACF Security Administrator's Guide.