IBM Support

Specifying a userid for security checking when using EXCI from a batch program

Troubleshooting

Problem

You receive CICS message DFHXS1111 (security violation) when submitting a batch job. Your batch program calls a CICS transaction through the external CICS interface (EXCI) and you would like to use surrogate RACF security checking. You want to know how to specify a user ID, but when coding the EXEC CICS LINK command there does not appear to be a parameter for it.

Symptom

You want to use a surrogate, 'userid.DFHEXC'. CICS returns the following messages when the batch job is submitted with a user ID of "JOBTRAC" in the JCL:

DFHXS1111 date time applid tranid Security violation by user
JOBTRAC for resource resource in class classname. SAF codes are
(X'00000008',X'00000000'). ESM codes are (X'00000008',X'00000000')

DFHAC2003 date time applid Security violation has been
detected term id = ????, trans id = tranid, userid = JOBTRAC

ICH408I USER(JOBTRAC ) GROUP(@STCGRP ) NAME(JOBTRAC STARTED TASK)
EUEF CL(classname)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

Cause

There are three types of EXCI security:

  • MRO logon and bind-time security
  • link security
  • user security

CICS uses the batch region's user ID for user security when you use the EXCI EXEC CICS LINK interface. There is no way to specify a user ID on the EXEC CICS LINK command. Therefore, if you want to specify the user ID in the batch application, the EXCI EXEC interface is the wrong interface to use.

Resolving The Problem

If you would like to provide a user ID in the batch application:

  • Use the EXCI CALL interface and specify the user ID on the DPL_Request call
  • Specify ATTACHSEC(IDENTIFY) on the CICS CONNECTION definition
  • Authorize the user ID that you specify on the DPL_Request call to your external security manager (ESM)

This is documented as follows in section User security of the CICS Transaction Server for z/OS (CICS TS) information center:

The target CICS server region performs user security checking against the user ID passed on a DPL_Request call. User security checking is performed only when connections specify ATTACHSEC(IDENTIFY).

User security is performed in addition to any link security.

For user security, in addition to any authorizations you make for link security, you must also authorize the user ID specified on the DPL_Request call.

Note that there is no provision for specifying a user ID on the EXEC CICS LINK command. In this case, the external CICS interface passes the batch region's user ID. User security checking is therefore performed against the batch region's user ID if the connection definition specifies ATTACHSEC(IDENTIFY).
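To make the difference between the two interfaces concrete, here is an added COBOL sketch (not code from this IBM document) of the DPL_Request call that carries the user ID, with the EXEC CICS LINK form that cannot shown as a comment for contrast. It assumes the copybook field names from DFHXCPLO as I recall them (VERSION-1, DPL-REQUEST, EXCI-RETURN-CODE, EXCI-DPL-RETAREA, EXCI-NORMAL), that the pipe has already been allocated and opened, and that the sync_opts value 1 means SYNCONRETURN; the WS-* names and the program, transaction and user ID values are made up, and the parameter order should be checked against the DPL_Request description for your CICS release.

```cobol
      * Added example, batch COBOL using the EXCI CALL interface.
      * WS-* names and the values below are made up for illustration;
      * copybook names are assumed to come from DFHXCPLO.
       WORKING-STORAGE SECTION.
           COPY DFHXCPLO.
       01  WS-USER-TOKEN        PIC X(4).
       01  WS-PIPE-TOKEN        PIC X(4).
       01  WS-TARGET-PROGRAM    PIC X(8)  VALUE 'PAYPROG '.
       01  WS-TRANSID           PIC X(4)  VALUE 'PAYT'.
      * The user ID the server region checks under ATTACHSEC(IDENTIFY).
      * This is the ID that must be authorized in the ESM, not the
      * batch region's user (JOBTRAC in the symptom above).
       01  WS-USERID            PIC X(8)  VALUE 'PAYUSER '.
       01  WS-COMMAREA          PIC X(100).
       01  WS-COMMAREA-LEN      PIC 9(8)  COMP VALUE 100.
       01  WS-DATA-LEN          PIC 9(8)  COMP VALUE 100.
       01  WS-SYNC-OPTS         PIC 9(8)  COMP VALUE 1.
       01  WS-UOWID             PIC X(8)  VALUE LOW-VALUES.
       01  WS-DPL-OPTS          PIC X(1)  VALUE LOW-VALUE.

       PROCEDURE DIVISION.
      * Assumed already done: INIT-USER, ALLOCATE-PIPE and OPEN-PIPE
      * calls that filled WS-USER-TOKEN and WS-PIPE-TOKEN.
       CALL-DPL.
           CALL 'DFHXCIS' USING VERSION-1
                                EXCI-RETURN-CODE
                                WS-USER-TOKEN
                                DPL-REQUEST
                                WS-PIPE-TOKEN
                                WS-TARGET-PROGRAM
                                WS-COMMAREA
                                WS-COMMAREA-LEN
                                WS-DATA-LEN
                                WS-TRANSID
                                WS-USERID
                                EXCI-DPL-RETAREA
                                WS-SYNC-OPTS
                                WS-UOWID
                                WS-DPL-OPTS
           IF EXCI-RESPONSE NOT = EXCI-NORMAL
              DISPLAY 'DPL_Request failed: response ' EXCI-RESPONSE
                      ' reason ' EXCI-REASON
           END-IF
      * For contrast, the EXEC form of the same request has no USERID
      * option, so the server region sees the batch job's user ID:
      *    EXEC CICS LINK PROGRAM(WS-TARGET-PROGRAM)
      *         COMMAREA(WS-COMMAREA) LENGTH(WS-COMMAREA-LEN)
      *         TRANSID(WS-TRANSID) SYNCONRETURN
      *    END-EXEC
           GOBACK.
```

A DFHXS1111 message naming WS-USERID rather than the batch job's user after this change is the sign that the user ID is now reaching the server region and only the ESM permission remains to be granted.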

If you are interested in reading about the different EXCI interfaces, they are discussed in the section External CICS Interface of the CICS TS information center.

Document Information

Modified date:
15 June 2018

UID

swg21575572