Controlling access to CICS from specific ports of entry

During sign-on processing, CICS® issues a request to RACF® to verify the user's password, and to check whether the user is allowed to access that terminal. This check is also performed for the userid specified for preset security terminal definitions. Autoinstalled consoles that are using automatic sign-on are treated as though they have a preset security definition (see Preset terminal security). If the terminal is not defined to RACF, RACF responds to CICS according to the system-wide RACF option specified by the SETROPTS command. The options are as follows:
TERMINAL(READ)
With this option in force, terminal users can sign on at any terminal covered by a profile to which they have been permitted access, or at any terminal not defined as protected by RACF.
TERMINAL(NONE)
With this option in force, terminal users can sign on at only those terminals with specific terminal profiles defined to RACF, and which they are authorized to use.
Note: The TERMINAL class does not control access from MVS consoles. These are controlled by the CONSOLE resource class. See Console profiles.

You can override the system-wide terminal options at the RACF group level by means of the group terminal options, TERMUACC or NOTERMUACC.

See Universal access authority for undefined terminals for more information about the SETROPTS command for terminals, and about the TERMUACC|NOTERMUACC option on groups.