Like a batch job, each CICS region must be able to access many external resources. The authority for CICS to access these resources is obtained from the CICS region userid. It doesn't matter which signed-on user requests CICS to perform the actions that access these resources. The external services are aware only that CICS is requesting them, under the region userid's authority.
CICS needs authority to use log streams defined in the MVS logger. See Authorizing access to MVS log streams.
CICS needs authority to open all the data sets that it uses. See Authorizing access to CICS data sets.
CICS needs authority to open all the data sets that your own application programs need. See Authorizing access to user data sets.
CICS needs authority to access temporary storage servers if any TS queues are defined as shared. See Authorizing access to temporary storage servers.
CICS needs authority to access the SMSVSAM server if you are using VSAM record-level sharing (RLS). See Authorizing access to SMSVSAM servers.
Consider carefully for each program whether you will allow it to become a VTAM application. If you do this, CICS needs authority to open its VTAM ACB. See Controlling the opening of a CICS region's VTAM ACB.
If any of your applications submit JCL to the JES internal reader, you should prevent CICS from allowing them to be submitted without the USERID parameter. See Controlling userid propagation.
However, you should not usually require your applications to provide a PASSWORD parameter on submitted jobs. So you should allow CICS to be a surrogate user of all the possible userids that may be submitted. See Surrogate job submission in a CICS environment.
CICS needs authority to access data sets in the JES spool system. See JES spool protection in a CICS environment.
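The two job-submission items above, as an added example (not IBM's code): an audit over JCL that applications pass to the internal reader, flagging JOB statements with no userid, with an embedded PASSWORD, or naming a userid for which the region userid holds no surrogate authority. It assumes the userid is coded as the JCL JOB keyword USER= and that surrogate authority means READ on a `userid.SUBMIT` profile in the SURROGAT class; the region userid, the permission table and the sample jobs are constructed.

```python
import re

REGION_USERID = "CICSPRD1"  # constructed region userid
# Constructed stand-in for SURROGAT profiles: execution userid -> userids
# permitted READ on <execution userid>.SUBMIT
SURROGAT_READ = {"PAYBATCH": {"CICSPRD1"}, "AUDITJOB": {"OPSADMIN"}}

def job_statement(jcl):
    """Return the JOB statement's parameter text, continuation lines joined."""
    text = None
    for line in jcl.splitlines():
        line = line[:71].rstrip()          # columns 72-80 hold no parameters
        if line.startswith("//*"):         # comment statement
            continue
        if text is None:
            m = re.match(r"//\S*\s+JOB\b\s*(.*)", line)
            if m:
                text = m.group(1)
        elif text.endswith(",") and line.startswith("// "):
            text += line[2:].strip()       # continued parameter field
        else:
            break                          # JOB statement is complete
    return text or ""

def classify(jcl, region=REGION_USERID, surrogates=SURROGAT_READ):
    """Simplified check: keywords inside trailing comments are not excluded."""
    stmt = job_statement(jcl)
    if re.search(r"\bPASSWORD=", stmt):
        return "embedded-password"
    user = re.search(r"\bUSER=([A-Z0-9#$@]{1,8})", stmt)
    if user is None:
        return "missing-userid"
    if region not in surrogates.get(user.group(1), set()):
        return "surrogate-authority-missing"
    return "ok"

# Constructed sample jobs
SAMPLES = {
    "surrogate_ok": "//PAYRUN   JOB (ACCT01),'PAYROLL',CLASS=A,\n"
                    "//         USER=PAYBATCH\n//STEP1    EXEC PGM=IEFBR14\n",
    "no_user": "//RPTJOB   JOB (ACCT01),'REPORT',CLASS=A\n//STEP1    EXEC PGM=IEFBR14\n",
    "password": "//ADHOC    JOB (ACCT01),'ADHOC',USER=PAYBATCH,PASSWORD=XXXXXXXX\n",
    "no_surrogate": "//AUDIT    JOB (ACCT01),'AUDIT',\n//         USER=AUDITJOB\n",
}

if __name__ == "__main__":
    for name, jcl in SAMPLES.items():
        print(f"{name:14} {classify(jcl)}")
```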