If the security profile for a specified resource is not retrieved, SAF
neither grants nor refuses the access request. In this situation:
IRC rejects the logon or connect request if:
- A security manager was installed, but is either temporarily inactive or
inoperative for the duration of the MVS image. This is a fail-safe action,
on the grounds that, if the security manager was active, it might retrieve
a profile that does not permit access.
IRC allows the logon or connect request if:
- There is no security manager installed, or
- There is an active security manager, but the FACILITY class is inactive,
or there is no profile in the FACILITY class. The logon is allowed in this
case because there is no evidence that you want to control access to the CICS
APPLID.
Any CICS region without a specific DFHAPPL.
applid profile,
or applicable generic profile, permits all logon and connect requests. No
messages are issued to indicate this. To avoid any potential security exposures,
you can use generic profiles to protect all, or specific groups of, regions
before, or in parallel with, security measures for specific regions. For
example, specifying
RDEFINE FACILITY (DFHAPPL.*) UACC(NONE)
ensures
that any region without a more specific profile is prevented from binding.