Defining the default CICS userid to RACF

For each CICS® region for which you specify SEC=YES, define a RACF® user profile whose userid matches the value of the system initialization parameter, DFLTUSER. For example, if you specify DFLTUSER=NOTSIGND, define a RACF user profile named NOTSIGND.

If you do not specify a value for the DFLTUSER parameter, the CICS-supplied default userid is CICSUSER—define a RACF user profile named CICSUSER.

Define a different default CICS userid for each CICS region if any of the following considerations applies:

To define a CICS default user with the system initialization parameter default name (CICSUSER), use the ADDUSER command with the CICS operand, as follows:
ADDUSER CICSUSER  DFLTGRP(group_id) NAME(user_name)
        OWNER(userid or group)
        PASSWORD(password)
        CICS(OPCLASS(1,2,...,n) OPIDENT(identifier) OPPRTY(priority)
             TIMEOUT(timeout_value)  XRFSOFF(xrf_sign-off_option))

The security administrator should always define the password for default userids and started tasks, instead of allowing it to default.

Each CICS region should use its own default user, as an aid to debugging. Set up a RACF default user group to keep the definitions similar.

If you have specified the system initialization parameter XUSER=YES (the default), authorize the CICS region userid to be a surrogate user of the default userid. For example:
PERMIT CICSUSER.DFHINSTL CLASS(SURROGAT) ID(cics_region_userid)
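
The steps above, put together for a hypothetical region that specifies DFLTUSER=NOTSIGND. This is an added example, not part of the original IBM text; the group CICSDFLT, owner SECADMIN, region userid CICSRG1 and the CICS segment values are assumptions, and password is a placeholder to be replaced.

```tso
/* Added example: names and values below are assumptions, not IBM's */
/* Group that holds the default users of all regions */
ADDGROUP CICSDFLT OWNER(SECADMIN) SUPGROUP(SECADMIN)

/* Default user for this region; the password is set explicitly */
ADDUSER NOTSIGND DFLTGRP(CICSDFLT) NAME('CICS DEFAULT USER') -
        OWNER(CICSDFLT) -
        PASSWORD(password) -
        CICS(OPCLASS(1) OPIDENT(NSG) OPPRTY(0) -
             TIMEOUT(0) XRFSOFF(NOFORCE))

/* XUSER=YES: let the region userid act as surrogate of the default user */
RDEFINE SURROGAT NOTSIGND.DFHINSTL UACC(NONE) OWNER(SECADMIN)
PERMIT NOTSIGND.DFHINSTL CLASS(SURROGAT) ID(CICSRG1) ACCESS(READ)

/* Needed only if the SURROGAT class is RACLISTed */
SETROPTS RACLIST(SURROGAT) REFRESH

/* Check the result before starting the region */
LISTUSER NOTSIGND CICS NORACF
RLIST SURROGAT NOTSIGND.DFHINSTL AUTHUSER
```

The RLIST output should show CICSRG1 with READ access and no other userid on the access list; if the user or the permission is missing, startup ends with DFHXS1104 as described below.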

During startup, CICS "signs on" the default userid. If the default user sign-on fails (because, for example, the userid is not defined to RACF), CICS issues message DFHXS1104 and terminates CICS initialization.

When CICS successfully signs on a valid RACF userid as the default user, it establishes the terminal user data for the default user from one of the following sources:

See Obtaining CICS-related data for a user for details of the sign-on process for obtaining CICS terminal operator data.

CICS assigns the security attributes of the default userid to all CICS terminals before any terminal user begins to sign on. The security attributes and terminal user data of the default user also apply to any terminals at which users do not sign on (using either the CICS-supplied CESN transaction or a user-written equivalent), unless the security has been explicitly preset by specifying a value for the USERID option in the terminal definition.

Note: If the default user's RACF profile specifies a non-zero TIMEOUT, that value does not apply to terminals that do not sign on.

CICS also assigns the security attributes of the default userid to any “trigger level transactions” that are initiated for transient data queues without a USERID parameter.

Ensure the default userid gives at least the minimum authorities that ought to be granted to any other terminal user. In particular: