IBM Support

CICS resource security for files and transactions

Technote (FAQ)


Question

You would like to better understand how to set up and use CICS resource security checking for files and transactions. You set up CMDSEC and have secured all CICS system transactions like CECI and CEMT that can access your VSAM files. But, now you want to know how to set up security on certain VSAM files and the application transactions that access the files.

Answer

To use RACF security checking in CICS, specify SEC=YES in your system initialization table (SIT). Then specify which RACF resource-level checks CICS is to perform by using the XDCT, XFCT, XJCT, XPCT, XPPT, XPSB, and XTST SIT parameters.

If you specify XFCT=YES, CICS performs file resource security checks. Checking is performed every time a transaction tries to access a file managed by CICS File Control.

When XFCT=YES is specified, CICS calls RACF, using the default resource class name FCICSFCT and (or) the grouping class name HCICSFCT, to verify that the userid associated with the transaction is authorized to use the file referenced by the transaction. If you specify XFCT=NO, CICS does not perform any file access authority checks and thus allows any user to access the files referenced by the transaction. XFCT is useful when you have given a user access to a transaction but do not want that user to be able to access every file the transaction can reach.

There are a few other common transaction-related security checking features available to you in CICS.

  • If you specify XPCT=YES, CICS performs started-transaction security checks. Checking is performed every time a transaction tries to start another transaction by using the EXEC CICS START command.

    When XPCT=YES is specified, CICS calls RACF, using the default resource class name ACICSPCT and (or) the grouping class name BCICSPCT, to verify that the user of the transaction issuing the command is authorized for the started transaction. If you specify XPCT=NO, CICS does not perform any started-transaction authority checks and thus allows any user to use EXEC CICS START commands to invoke other transactions.

  • If you specify XPPT=YES, CICS performs application program resource security checks. Checking is performed every time a transaction tries to invoke another program by using one of the CICS commands LINK, LOAD, or XCTL.

    When XPPT=YES is specified, CICS calls RACF, using the default resource class name MCICSPPT and (or) the grouping class name NCICSPPT, to verify that the userid associated with the transaction is authorized to use the LINK, LOAD, or XCTL commands to invoke the named program. If you specify XPPT=NO, CICS does not perform any application program authority checks and thus allows any user to use LINK, LOAD, or XCTL commands to invoke other programs.

  • If you specify XTRAN=YES, CICS performs transaction-attach security checks. Checking is performed every time a transaction is attached.

    When XTRAN=YES is specified, CICS calls RACF, using the default CICS resource class name TCICSTRN and (or) the grouping class name GCICSTRN, to verify that the userid associated with the transaction is authorized to run the transaction. If you specify XTRAN=NO, CICS does not perform any transaction-attach security checks, and thus allows any user to run any transaction.
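The following is an added example (not part of the IBM technote) that puts the XFCT, XTRAN, XPPT and XPCT checks described above into practice: the SIT overrides, then the RACF definitions that protect one VSAM file and the application transaction, program and started transaction that touch it. The file name ACCTFILE and HISTFILE, transactions PAY1 and PAYB, program PAYPROG, owner CICSADM and the RACF groups PAYCLERK and PAYSUPV are constructed for this illustration.

```tso
* SIT overrides (SYSIN) for the CICS region: external security on, plus
* the resource checks discussed in this technote
*   SEC=YES,XTRAN=YES,XFCT=YES,XPPT=YES,XPCT=YES

/* RACF commands (TSO or IKJEFT01 SYSTSIN). All names are constructed. */

/* 1. File check (XFCT): profile named after the CICS file (FCT) name. */
/*    UACC(NONE) means no access unless explicitly permitted; failed   */
/*    READ attempts are logged to SMF for the security team.          */
RDEFINE  FCICSFCT ACCTFILE UACC(NONE) OWNER(CICSADM) AUDIT(FAILURES(READ))
/*    Clerks may only read and browse the file.                       */
PERMIT   ACCTFILE CLASS(FCICSFCT) ID(PAYCLERK) ACCESS(READ)
/*    Supervisors may also WRITE, REWRITE and DELETE records.         */
PERMIT   ACCTFILE CLASS(FCICSFCT) ID(PAYSUPV)  ACCESS(UPDATE)

/*    Alternative: one grouping-class profile (HCICSFCT) that covers   */
/*    several related files with a single access list.                */
RDEFINE  HCICSFCT PAYFILES UACC(NONE) OWNER(CICSADM) ADDMEM(ACCTFILE HISTFILE)
PERMIT   PAYFILES CLASS(HCICSFCT) ID(PAYCLERK) ACCESS(READ)

/* 2. Transaction-attach check (XTRAN): who may run PAY1 at all.      */
RDEFINE  TCICSTRN PAY1 UACC(NONE) OWNER(CICSADM) AUDIT(FAILURES(READ))
PERMIT   PAY1 CLASS(TCICSTRN) ID(PAYCLERK PAYSUPV) ACCESS(READ)

/* 3. Program check (XPPT): PAY1 issues LINK/XCTL to PAYPROG.          */
RDEFINE  MCICSPPT PAYPROG UACC(NONE) OWNER(CICSADM)
PERMIT   PAYPROG CLASS(MCICSPPT) ID(PAYCLERK PAYSUPV) ACCESS(READ)

/* 4. Started-transaction check (XPCT): only supervisors may have      */
/*    PAY1 issue EXEC CICS START for the batch-style transaction PAYB. */
RDEFINE  ACICSPCT PAYB UACC(NONE) OWNER(CICSADM)
PERMIT   PAYB CLASS(ACICSPCT) ID(PAYSUPV) ACCESS(READ)

/* 5. Activate the classes and build their in-storage (RACLIST)        */
/*    profiles, which CICS requires; refresh after every change.       */
SETROPTS CLASSACT(FCICSFCT HCICSFCT TCICSTRN MCICSPPT ACICSPCT)
SETROPTS RACLIST(FCICSFCT HCICSFCT TCICSTRN MCICSPPT ACICSPCT)
SETROPTS RACLIST(FCICSFCT HCICSFCT TCICSTRN MCICSPPT ACICSPCT) REFRESH

/* 6. Verify: display the file profile together with its access list.  */
RLIST    FCICSFCT ACCTFILE AUTHUSER
```

A user in PAYCLERK can therefore attach PAY1 and read ACCTFILE through it, but a WRITE, REWRITE or DELETE against the file, or a START of PAYB, fails the RACF check even though the transaction itself is permitted; the logged failures are what you would watch for when reviewing access.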

Product Alias/Synonym

CICS/TS CICS TS CICS Transaction Server

Document information

More support for: CICS Transaction Server
Security

Software version: 3.1, 3.2, 4.1, 4.2

Operating system(s): z/OS

Reference #: 1366635

Modified date: 27 March 2012
