You specify at the system level (with the SEC=YES parameter) that you want CICS to use RACF to authorize access to CICS resources. You also specify at the system level, by means of the Xname system initialization parameters, which particular CICS resources you want CICS to check. The full list of the CICS resource classes is shown in Table 1, each with its corresponding Xname system initialization parameter.
System initialization parameter | Resource |
---|---|
XAPPC={NO|YES} | APPC partner-LU verification |
XCMD={YES|name|NO} | EXEC CICS system commands |
XDB2={NO|name} | CICS DB2® resources |
XDCT={YES|name|NO} | Transient data destinations |
XEJB={YES|NO} | Whether support for security roles is enabled |
XFCT={YES|name|NO} | Files |
XJCT={YES|name|NO} | Journals and logs |
XPCT={YES|name|NO} | Started transactions and EXEC CICS commands: |
XPPT={YES|name|NO} | Programs |
XPSB={YES|name|NO} | DL/I program specification blocks (PSBs) |
XTRAN={YES|name|NO} | Attached transactions |
XTST={YES|name|NO} | Temporary storage entries |
XUSER={YES|NO} | Surrogate user checking |
If you specify YES for any Xname system initialization parameter, CICS uses the default class name for that parameter. (See RACF classes for CICS resources.)
As an example, the effect of specifying SEC=YES with three of the resource class parameters specified as Xname=YES is illustrated in the following table.
System initialization parameter | Effect |
---|---|
SEC=YES | CICS initializes the external security interface. |
XTRAN=YES | CICS uses the TCICSTRN and GCICSTRN resource class profiles for transaction-attach security checking. |
XFCT=YES | CICS uses the FCICSFCT and HCICSFCT resource class profiles for file access security checking. |
XPSB=YES | CICS uses the PCICSPSB and QCICSPSB resource class profiles for PSB access security checking. |
As a second example, the effect of specifying SEC=YES with the same three associated resource class parameters specified as Xname=username is shown in Table 3.
System initialization parameter | Effect |
---|---|
SEC=YES | CICS uses full RACF security support. |
XTRAN=$usrtrn | CICS uses the T$usrtrn and G$usrtrn user-defined resource class profiles for transaction-attach security checking. |
XFCT=$usrfct | CICS uses the F$usrfct and H$usrfct user-defined resource class profiles for file access security checking. |
XPSB=$usrpsb | CICS uses the P$usrpsb and Q$usrpsb user-defined resource class profiles for PSB access security checking. |
When CICS is being initialized, it requests RACF to bring resource profiles into main storage to match all the resource classes that you specify on system initialization parameters. Note that (except for XAPPC, XDB2, and XEJB) Xname=YES is the default in the system initialization parameters, and CICS will use the default class names, for example, GCICSTRN. Supply RACF profiles for all those resources for which you do not specify Xname=NO explicitly. If CICS requests RACF to load a general resource class that does not exist or is not correctly defined, CICS issues a message indicating that external security initialization has failed, and terminates CICS initialization.
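The following added example (not IBM code) derives the RACF class names that CICS will request at initialization from a set of system initialization overrides, so that they can be compared with the classes actually defined before a region is started. It covers only the three parameters whose class names appear in the tables above; the comma-separated input format, the sample values, and the assumption that SEC is YES when not overridden are illustrative.

```python
# Added example: which RACF classes will CICS ask RACF to load at startup?
# Prefix letters and default names are the ones shown in the page's tables.
PREFIXES = {  # Xname: (first class prefix, second class prefix, default suffix)
    "XTRAN": ("T", "G", "CICSTRN"),
    "XFCT": ("F", "H", "CICSFCT"),
    "XPSB": ("P", "Q", "CICSPSB"),
}

def parse_overrides(text):
    """Parse KEY=VALUE pairs separated by commas or newlines (simplified format)."""
    pairs = {}
    for token in text.replace("\n", ",").split(","):
        token = token.strip()
        if "=" in token:
            key, value = token.split("=", 1)
            pairs[key.strip().upper()] = value.strip()
    return pairs

def classes_to_load(overrides):
    """Return {Xname: (class, class)} for every check that is active."""
    # Assumption: SEC is treated as YES when it is not overridden.
    if overrides.get("SEC", "YES").upper() != "YES":
        return {}
    result = {}
    for xname, (first, second, default) in PREFIXES.items():
        value = overrides.get(xname, "YES")  # Xname=YES is the default here
        if value.upper() == "NO":
            continue  # check switched off explicitly, no class requested
        suffix = default if value.upper() == "YES" else value
        result[xname] = (first + suffix, second + suffix)
    return result

def missing_classes(overrides, defined):
    """Classes CICS will request that are not in the set of defined classes."""
    needed = [c for pair in classes_to_load(overrides).values() for c in pair]
    return [c for c in needed if c not in defined]

# Constructed sample: XPSB is omitted on purpose, so it falls back to YES.
SAMPLE = "SEC=YES,XTRAN=YES,\nXFCT=$usrfct,XDB2=NO"
DEFINED = {"TCICSTRN", "GCICSTRN", "PCICSPSB", "QCICSPSB"}  # constructed

if __name__ == "__main__":
    ov = parse_overrides(SAMPLE)
    for xname, pair in classes_to_load(ov).items():
        print(xname, *pair)
    print("not defined:", missing_classes(ov, DEFINED))
```

An omitted parameter is the case to watch: XPSB does not appear in the sample, yet its default classes are still requested and must exist.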
For guidance on the syntax of external security system initialization parameters, see the CICS® System Definition Guide.
The way you define the individual transaction definitions in the CSD determines whether RACF security is used for the resources and commands used with transactions. See Verifying CICS users and Transaction security for information about specifying resource and command security for transactions.