CICS resource class system initialization parameters

You specify at the system level (with the SEC=YES parameter) that you want CICS to use RACF to authorize access to CICS resources. You also specify at the system level which particular CICS resources you want CICS to check by means of the Xname system initialization parameters. The full list of the CICS resource classes is shown in Table 1, each with corresponding Xname system initialization parameter.

Table 1. System initialization parameters for the CICS resource classes
System initialization parameter Resource
XAPPC={NO|YES} APPC partner-LU verification
XCMD={YES|name|NO}

EXEC CICS system commands
EXEC CICS FEPI system commands

XDB2={NO|name} CICS DB2® resources
XDCT={YES|name|NO} Transient data destinations
XEJB={YES|NO} Security roles is enabled.
XFCT={YES|name|NO} Files
XJCT={YES|name|NO} Journals and logs
XPCT={YES|name|NO} Started transactions and EXEC CICS commands:
  • COLLECT STATISTICS TRANSACTION
  • DISCARD TRANSACTION
  • INQUIRE TRANSACTION
  • SET TRANSACTION
XPPT={YES|name|NO} Programs
XPSB={YES|name|NO} DL/I program specification blocks (PSBs)
XTRAN={YES|name|NO} Attached transactions
XTST={YES|name|NO} Temporary storage entries
XUSER={YES|NO}

Surrogate user checking
DB2 AUTHTYPE checking

Note:
  1. The parameters are effective only with SEC=YES.
  2. None of the parameters can be entered as a console override.

If you specify YES for any Xname system initialization parameter, CICS uses the default class name for that parameter. (See RACF classes for CICS resources.)

As an example, the effect of specifying SEC=YES with three of the resource class parameters specified as Xname=YES is illustrated in the following table.

Table 2. Specifying external security with default resource classes
System initialization parameter Effect
SEC=YES CICS initializes external security interface.
XTRAN=YES CICS uses the TCICSTRN and GCICSTRN resource class profiles for transaction-attach security checking.
XFCT=YES CICS uses the FCICSFCT and HCICSFCT resource class profiles for file access security checking.
XPSB=YES CICS uses the PCICSPSB and QCICSPSB resource class profiles for PSB access security checking.

As a second example, the effect of specifying SEC=YES with the same three associated resource class parameters specified as Xname=username is shown in Table 3.

Table 3. Specifying external security for user-defined resource classes
System initialization parameter Effect
SEC=YES CICS uses full RACF security support.
XTRAN=$usrtrn CICS uses the T$usrtrn and G$usrtrn user-defined resource class profiles for transaction-attach security checking.
XFCT=$usrfct CICS uses the F$usrfct and H$usrfct user-defined resource class profiles for file access security checking.
XPSB=$usrpsb CICS uses the P$usrpsb and Q$usrpsb user-defined resource class profiles for PSB access security checking.

When CICS is being initialized, it requests RACF to bring resource profiles into main storage to match all the resource classes that you specify on system initialization parameters. Note that (except for XAPPC, XDB2, and XEJB) Xname=YES is the default in the system initialization parameters, and CICS will use the default classnames, for example, GCICSTRN. Supply RACF profiles for all those resources for which you do not specify Xname=NO explicitly. If CICS requests RACF to load a general resource class that does not exist or is not correctly defined, CICS issues a message indicating that external security initialization has failed, and terminates CICS initialization.

For guidance on the syntax of external security system initialization parameters, see the CICS® System Definition Guide.

The way you define the individual transaction definitions in the CSD determines whether you want to use RACF security for the resources and commands used with transactions. See Verifying CICS users and Transaction security for information about specifying resource and command security for transactions.