Authorizing access to the CICS region
You can restrict access by terminal users to specific CICS® regions by defining CICS APPLID profiles in the RACF® APPL class.
For this purpose, the APPLID of a CICS region is:
- The z/OS® Communications Server generic resources name if GRNAME is specified as a system initialization parameter
- The generic APPLID if one is specified on the APPLID system initialization parameter
- The specific APPLID if only one is specified on the system initialization parameter
For example, the following command defines a profile with no universal access and names a user ID to be notified of access violations:
RDEFINE APPL cics_region_applid UACC(NONE) NOTIFY(sys_admin_userid)
You need to define only one APPL profile name in the RACF database for all the CICS regions that are members of the same z/OS Communications Server generic resources name. All sign-on verifications in a CICSplex, where all the terminal-owning regions have the same z/OS Communications Server generic resources name, are made against the same APPL profile.
For MRO only, the APPLID is propagated from the terminal-owning region (TOR) to the other regions that the user accesses, for example from the TOR to the application-owning region (AOR), and from the AOR to the file-owning region (FOR). As a consequence:
- You do not need to include users of the AOR and FOR in the APPL profiles for those regions.
- You can force users to sign on through a TOR by denying access to other APPLIDs.
Use the RACF PERMIT command to add authorized users to the access list of CICS APPL profiles. For example:
PERMIT cics_region_applid CLASS(APPL) ID(group1,...,groupn) ACCESS(READ)
permits all users defined in the listed groups to sign on to cics_region_applid.
The APPL class must be active for this protection to be in effect:
SETROPTS CLASSACT(APPL)
Also, for performance reasons, consider activating profiles in the APPL class using RACLIST.
SETROPTS RACLIST(APPL)
If the APPL class is already active, refresh the in-storage APPL profiles with the SETROPTS command:
SETROPTS RACLIST(APPL) REFRESH
Note:
- CICS always passes the APPLID to RACF when requesting RACF to perform user sign-on checks, and there is no mechanism within CICS to prevent this.
- RACF treats undefined CICS APPLIDs as UACC(READ).
- If the APPL class is active, and a profile exists for a CICS region in the APPL class, ensure that authorized remote CICS regions can sign on to a CICS region protected in this way.
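The following Python model is an added example, not IBM code and not a RACF implementation. It encodes the rules stated on this page so that they can be reasoned about offline: which APPLID a region presents (GRNAME, then generic APPLID, then specific APPLID), how the APPL class decides a sign-on (inactive class means no protection; an undefined APPLID is treated as UACC(READ); otherwise the access list and then UACC are consulted), how MRO propagates the TOR's APPLID so that AOR and FOR profiles need not list the user, and an audit helper that lists APPLIDs with no profile. The class and field names, the region names, profile names, groups and user IDs are all constructed for the example; the access-list evaluation is a simplification that takes the highest access among the user ID and its groups.

```python
# Added model (not IBM code) of the RACF APPL-class rules described on this page.
# All region names, profile names, groups and user IDs below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RACF access levels in ascending order; sign-on needs READ.
ACCESS_ORDER = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class RegionConfig:
    """System initialization parameters of one CICS region (assumed field names)."""
    name: str
    applid: str                   # APPLID=specific or APPLID=generic,specific
    grname: Optional[str] = None  # GRNAME, if the region joins a generic resource


def resolve_applid(region: RegionConfig) -> str:
    """APPLID that RACF checks, in the order of precedence the page gives."""
    if region.grname:
        return region.grname                      # generic resources name
    # "generic,specific" -> generic; "specific" -> specific
    return region.applid.split(",")[0].strip()


@dataclass
class ApplProfile:
    uacc: str = "NONE"
    access_list: Dict[str, str] = field(default_factory=dict)  # ID -> access


@dataclass
class RacfDb:
    appl_class_active: bool = False
    profiles: Dict[str, ApplProfile] = field(default_factory=dict)


def can_sign_on(db: RacfDb, ids: List[str], applid: str) -> Tuple[bool, str]:
    """Decide a terminal sign-on. `ids` is the user ID plus the groups it is
    connected to; the model simply takes the highest access among them."""
    if not db.appl_class_active:
        return True, "APPL class inactive: no protection in effect"
    profile = db.profiles.get(applid)
    if profile is None:
        return True, f"no APPL profile for {applid}: treated as UACC(READ)"
    best = max((ACCESS_ORDER[profile.access_list[i]] for i in ids
                if i in profile.access_list), default=-1)
    if best >= ACCESS_ORDER["READ"]:
        return True, f"access list grants sign-on to {applid}"
    if ACCESS_ORDER[profile.uacc] >= ACCESS_ORDER["READ"]:
        return True, f"UACC({profile.uacc}) grants sign-on to {applid}"
    return False, f"not on access list and UACC({profile.uacc}) for {applid}"


def mro_access(db: RacfDb, ids: List[str], tor: RegionConfig,
               others: List[RegionConfig]) -> Tuple[Dict[str, bool], str]:
    """Under MRO the TOR's APPLID is propagated to the AOR/FOR, so one check
    against the TOR profile decides access to the whole path."""
    ok, reason = can_sign_on(db, ids, resolve_applid(tor))
    return {r.name: ok for r in [tor] + others}, reason


def unprotected_applids(db: RacfDb, regions: List[RegionConfig]) -> List[str]:
    """Audit helper: APPLIDs with no APPL profile, which RACF treats as UACC(READ)."""
    return sorted({resolve_applid(r) for r in regions
                   if resolve_applid(r) not in db.profiles})


# Constructed sample: a TOR open to two groups, an AOR reachable directly only
# by a link group, a FOR with no profile at all, and a TOR in a generic resource.
SAMPLE_DB = RacfDb(appl_class_active=True, profiles={
    "CICSTOR1": ApplProfile("NONE", {"GROUP1": "READ", "GROUP2": "READ"}),
    "CICSAOR1": ApplProfile("NONE", {"AORLINK": "READ"}),
})
TOR1 = RegionConfig("TOR1", applid="CICSTOR1")
AOR1 = RegionConfig("AOR1", applid="CICSAOR1")
FOR1 = RegionConfig("FOR1", applid="CICSFOR1")
TOR2 = RegionConfig("TOR2", applid="CICSGEN2,CICSTOR2", grname="CICSGR")

if __name__ == "__main__":
    print(can_sign_on(SAMPLE_DB, ["USER1", "GROUP1"], "CICSTOR1"))
    print(can_sign_on(SAMPLE_DB, ["USER1", "GROUP1"], "CICSAOR1"))  # forced via TOR
    print(mro_access(SAMPLE_DB, ["USER1", "GROUP1"], TOR1, [AOR1, FOR1]))
    print(unprotected_applids(SAMPLE_DB, [TOR1, AOR1, FOR1, TOR2]))
```

Running the sample shows the two points the notes make: USER1 in GROUP1 can sign on at the TOR and is then accepted by the AOR and FOR over MRO without appearing in their profiles, but a direct sign-on at the AOR is refused; and the audit helper reports CICSFOR1 and the generic resources name CICSGR as APPLIDs that have no profile and are therefore open as if UACC(READ) had been set.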
See the z/OS Security Server RACF Security Administrator's Guide for more information about controlling access to applications.