Information about the user can be transmitted with the attach request from the remote system. This means that you can protect your resources not only on the basis of which remote system is making the request, but also on the basis of which user at the remote system is making the request.
This topic describes some of the concepts associated with remote-user security, and how CICS sends and receives user information.
You must define your users to RACF. If a remote user is not defined to RACF, any attach requests from that remote user are rejected.
CICS remote-user security for LU6.2 links implements the LU6.2 architecture. The LU6.2 architecture allows user identifiers, user passwords, and user profiles to be transmitted with requests to attach a transaction.
User profiles can be transmitted instead of, or in addition to, user identifiers. The profile name, if supplied, is treated as the groupid.
If the user has been added to the front-end system with a group ID explicitly specified (for example, in EXEC CICS SIGNON or by filling in the GROUPID parameter on the CESN panel), CICS propagates that group ID in outbound attach FMHs for LU6.2 links where ATTACHSEC(IDENTIFY) has been specified in the CONNECTION definition. If the group ID was allowed to default when the user was originally added to the front-end system, the profile field is not included in the outbound FMH5. If the group ID is passed to the back-end system, it is used as part of ADD_USER processing on the back-end: the user ID must be defined in the back-end ESM as a member of the group that was passed, otherwise the ADD_USER fails.
It is advisable to use the PLTPIUSR system initialization parameter if a task started by PLTPI processing might access remote resources. This avoids problems in the remote region where the user ID is not in the same group as in the local region, because the PLTPI user in the local region is not added with an explicit group ID, and as a result the group ID is not propagated to the remote region.
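The following added example (not IBM or CICS code) models the two sides of the behaviour described above: the front-end only carries the profile (group ID) in the attach FMH5 when the user was added with an explicit group ID, and the back-end rejects undefined users and users that are not members of the group that was passed. The function names, the `AttachFMH5` structure and the sample ESM definitions are assumptions constructed for this illustration.

```python
# Added example, not CICS code: a model of outbound FMH5 user identification
# on an ATTACHSEC(IDENTIFY) link and of the back-end ADD_USER check.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for the back-end ESM (RACF) definitions:
# user ID -> set of groups the user is connected to.
BACKEND_ESM: Dict[str, Set[str]] = {
    "JSMITH": {"DEPTA", "DEPTB"},
    "CICSPLT": {"SYSGRP"},       # user named on PLTPIUSR (assumed name)
}


@dataclass(frozen=True)
class AttachFMH5:
    """User identification carried in the attach FMH5 (model only)."""
    userid: str
    profile: Optional[str]  # group ID; None when it defaulted at sign-on


def build_attach_fmh5(userid: str, explicit_groupid: Optional[str] = None) -> AttachFMH5:
    """Front-end side: the profile field is present only when the user was
    added to the local region with an explicitly specified group ID."""
    return AttachFMH5(userid=userid.upper(), profile=explicit_groupid)


def backend_add_user(fmh5: AttachFMH5,
                     esm: Dict[str, Set[str]] = BACKEND_ESM) -> Tuple[bool, str]:
    """Back-end side: reject users not defined to the ESM; when a profile was
    sent, the user must be a member of that group for ADD_USER to succeed."""
    groups = esm.get(fmh5.userid)
    if groups is None:
        return False, f"user {fmh5.userid} not defined to ESM: attach rejected"
    if fmh5.profile is not None and fmh5.profile not in groups:
        return False, f"user {fmh5.userid} is not a member of group {fmh5.profile}"
    return True, "ADD_USER successful"


if __name__ == "__main__":
    # Explicit group ID that the user belongs to on the back-end.
    print(backend_add_user(build_attach_fmh5("jsmith", "DEPTA")))
    # Explicit group ID that the user is not connected to on the back-end.
    print(backend_add_user(build_attach_fmh5("jsmith", "DEPTC")))
    # PLTPI user: no explicit group ID, so no profile is sent.
    print(backend_add_user(build_attach_fmh5("CICSPLT")))
```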
CICS sends user IDs on ATTACHSEC(IDENTIFY) conversations. Table 1 shows how CICS decides which user ID to send.
| Characteristics of the local task | User identifier sent by CICS to the remote system |
|---|---|
| Task with associated terminal, user signed on | Terminal user identifier |
| Task with associated terminal, no user signed on and no USERID specified in the terminal definition | Default user identifier for the local system |
| Task with no associated terminal or USERID, started by an interval control START command (if using function shipping or distributed transaction processing (DTP)) | User identifier for the task that issued the START command |
| Task started with the USERID option | User identifier specified on the START command |
| CICS internal system task | CICS region user ID |
| Task with no associated terminal, started by a transient data trigger | User identifier specified on the transient data destination definition that defines the queue |
| Task with associated terminal, started by a transient data trigger | Terminal user identifier |
| Task started from PLTPI | User ID specified on the PLTPIUSR system initialization parameter |
CICS signs off the remote user under the circumstances described in Sign-on status.