Categories of CICS-supplied transactions

For the purposes of this discussion, we divide the RACF® profile definitions for your CICS®-supplied transactions into three categories. Each transaction is identified within a category that describes its use within CICS. Each category specifies the recommended security specifications you need, in terms of both the CICS transaction definitions and the corresponding RACF profiles. The three categories are:
Category 1 transactions
Transactions that are never associated with a terminal—that is, they are for CICS internal use only, and should not be invoked from a user terminal.
Category 2 transactions
Transactions that are initiated by the terminal user, or are associated with a terminal, and for which access should be restricted to specific signed-on users.
Category 3 transactions
Transactions that are either initiated by the terminal user, or are associated with a terminal, and for which access is required by all terminal users, whether signed-on or not.

The three categories contain all the required CICS transactions, which are generated in their designated groups when you initialize your CICS system definition data set (CSD). The CSD does not include the CICS sample transactions (those that are in groups starting with DFH$). Sample applications should not require RACF protection, because you are unlikely to install them on a CICS production system.

For details about defining CICSPlex® SM-related transactions, see Defining the CICSPlex SM transactions in a CMAS, Defining the CICSPlex SM transactions in a MAS, and Defining the CICSPlex SM transactions for a WUI. Note that unpredictable results can occur if a CICSPlex SM transaction is invoked in a region in which it is not intended to run.

By default, all CICS transactions are subject to RACF protection (with the exception of category 3 transactions—see JES spool protection in a CICS environment), unless you run your CICS regions with transaction security switched off. You can do this either by:

There is no parameter on the transaction resource definition that allows you to run with transaction security on some transactions but not others. If you are running with transaction security (SEC=YES and XTRAN=YES), CICS issues a security check for each transaction attach, other than a transaction within category 3, to establish whether the user is permitted to run that transaction.

The following CICS-supplied transactions, CDBN and CSXM, are not subject to security checking, and are exempt from security categorization. Any security definitions for these transactions are redundant.
CDBN
DBCTL interface connection transaction
CEKL
Master terminal transaction for emergency use. This transaction can be used only at an operating system console that has the authority to issue MODIFY commands for the CICS region.
CSXM
The transaction used by CICS services to get and free a transaction environment
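
The attach-check rule and the three categories above can be turned into a small audit over a list of permits. This is an added example, not IBM-supplied code. The dictionary layout, the `ZC..` transaction ids and the user ids are constructed placeholders, and it assumes the region user id is the only one that needs category 1 access and that the default user id stands for terminal users who are not signed on.

```python
"""Lint a transaction-security setup against the three categories (added example)."""

# Named in the text as exempt from security checking.
EXEMPT = {"CDBN", "CSXM"}


def attach_checked(sit, tran, category):
    """True if CICS would issue a security check when this transaction is attached."""
    if sit.get("SEC") != "YES" or sit.get("XTRAN") != "YES":
        return False  # transaction security is switched off for the region
    return tran not in EXEMPT and category != 3


def audit(sit, categories, permits, region_user, default_user):
    """Return (transaction, finding) pairs for permits that contradict the categories."""
    findings = []
    for tran, cat in sorted(categories.items()):
        users = permits.get(tran, set())
        if not attach_checked(sit, tran, cat):
            if users:
                findings.append((tran, "permits have no effect: attach is not checked"))
            continue
        if cat == 1 and users - {region_user}:
            findings.append((tran, "category 1 permitted to a terminal user"))
        if cat == 2 and default_user in users:
            findings.append((tran, "category 2 open to users who are not signed on"))
    return findings


# Constructed sample input. ZC1A/ZC2A/ZC2B/ZC3A are placeholder ids, not real
# CICS transactions; the user ids are made up.
SIT = {"SEC": "YES", "XTRAN": "YES"}
CATEGORIES = {"ZC1A": 1, "ZC2A": 2, "ZC2B": 2, "ZC3A": 3, "CSXM": None}
PERMITS = {
    "ZC1A": {"CICSRGN", "OPER1"},
    "ZC2A": {"OPER1"},
    "ZC2B": {"OPER1", "DFLTUSR"},
    "ZC3A": {"OPER1"},
    "CSXM": {"CICSRGN"},
}

if __name__ == "__main__":
    for tran, finding in audit(SIT, CATEGORIES, PERMITS, "CICSRGN", "DFLTUSR"):
        print(f"{tran}: {finding}")
```

With `SEC` or `XTRAN` set to anything other than `YES`, every permit in the input is reported as having no effect, which matches the statement that transaction security cannot be applied to some transactions and not others.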