Terminal user security

To secure resources from unauthorized access, CICS® requires some means of uniquely identifying individual users of the system.

For this purpose, first define the users to RACF® by creating an entry for each of them in the RACF database, referred to as a user profile. To identify themselves to CICS, users sign on by specifying their RACF user identification (user ID) and the associated password, or an operator identification card (OIDCARD), in the CICS-supplied sign-on transaction, CESN. Alternatively, they can use an equivalent transaction developed by your own installation, which issues the EXEC CICS SIGNON command provided for this purpose.

When users enter the CESN transaction, CICS verifies the user ID and password by a call to RACF. If the terminal user sign-on is valid, the CICS user domain keeps track of the signed-on user, and thereafter CICS passes that user's identity to RACF whenever it makes an authorization check. You can use the GMTRAN system initialization parameter to control what happens if the user fails to complete the sign-on: for example, all subsequent transactions from that terminal can run under the CICS default user ID, or the terminal session can be disconnected. If you rely on the default user ID, make sure that the default user (the DFLTUSER system initialization parameter) has no more authority than an unidentified terminal user should have.
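The installation-written alternative to CESN mentioned above, as an added example (this is not CICS-supplied code): a pseudo-conversational COBOL transaction that reads a user ID and password from a BMS map and issues EXEC CICS SIGNON. The transaction ID SGN1, program SIGNON1, mapset SIGNSET, map SIGNMAP and the field names USRIDI, PASSWI and MSGO are assumptions chosen for the example; the EXEC CICS commands, the RESP/RESP2 options and the DFHRESP conditions are the real CICS interface.

```cobol
      *----------------------------------------------------------------*
      * SIGNON1 - installation sign-on transaction (added example, not *
      * the CICS-supplied CESN).  Assumed names: transaction SGN1,     *
      * mapset SIGNSET / map SIGNMAP with input fields USRIDI, PASSWI  *
      * and output field MSGO.  First entry (EIBCALEN = 0) sends the   *
      * map; re-entry reads it and issues EXEC CICS SIGNON.            *
      *----------------------------------------------------------------*
       IDENTIFICATION DIVISION.
       PROGRAM-ID. SIGNON1.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-COMMAREA          PIC X(1) VALUE 'R'.
       01  WS-USERID            PIC X(8).
       01  WS-PASSWORD          PIC X(8).
       01  WS-RESP              PIC S9(8) COMP.
       01  WS-RESP2             PIC S9(8) COMP.
       01  WS-MSG               PIC X(60).
      * Symbolic map (SIGNMAPI / SIGNMAPO) generated from the assumed
      * BMS mapset SIGNSET.
       COPY SIGNSET.
       LINKAGE SECTION.
       01  DFHCOMMAREA          PIC X(1).
       PROCEDURE DIVISION.
       MAIN-PARA.
           IF EIBCALEN = 0
      *       First time in: show the sign-on screen and come back
              MOVE 'Enter user ID and password' TO WS-MSG
              PERFORM SEND-SCREEN
              EXEC CICS RETURN TRANSID('SGN1')
                        COMMAREA(WS-COMMAREA) LENGTH(1)
              END-EXEC
           END-IF.
           PERFORM DO-SIGNON.
           PERFORM SEND-SCREEN.
           IF WS-RESP = DFHRESP(NORMAL)
      *       Signed on: a plain RETURN leaves the terminal free for the
      *       user's own transactions, which now run under that user ID
              EXEC CICS RETURN END-EXEC
           ELSE
      *       Not signed on: re-drive the sign-on screen
              EXEC CICS RETURN TRANSID('SGN1')
                        COMMAREA(WS-COMMAREA) LENGTH(1)
              END-EXEC
           END-IF.

       DO-SIGNON.
           EXEC CICS RECEIVE MAP('SIGNMAP') MAPSET('SIGNSET')
                     INTO(SIGNMAPI) RESP(WS-RESP)
           END-EXEC.
           IF WS-RESP NOT = DFHRESP(NORMAL)
      *       Nothing usable entered (e.g. MAPFAIL on an empty screen)
              MOVE 'Enter user ID and password' TO WS-MSG
           ELSE
              MOVE USRIDI TO WS-USERID
              MOVE PASSWI TO WS-PASSWORD
              EXEC CICS SIGNON USERID(WS-USERID)
                               PASSWORD(WS-PASSWORD)
                               RESP(WS-RESP) RESP2(WS-RESP2)
              END-EXEC
      *       Scrub the cleartext password from working storage and the
      *       map input area as soon as RACF has seen it
              MOVE SPACES TO WS-PASSWORD PASSWI
              PERFORM SET-MESSAGE
           END-IF.

       SET-MESSAGE.
      *    One generic text for every failure: telling the user whether
      *    the user ID exists or only the password was wrong would let
      *    an attacker enumerate valid IDs.  RESP2 carries the external
      *    security manager's reason code if the installation wants to
      *    log it separately.
           IF WS-RESP = DFHRESP(NORMAL)
              MOVE 'Sign-on complete' TO WS-MSG
           ELSE
              MOVE 'Sign-on failed, please try again' TO WS-MSG
           END-IF.

       SEND-SCREEN.
           MOVE LOW-VALUES TO SIGNMAPO.
           MOVE WS-MSG TO MSGO.
           EXEC CICS SEND MAP('SIGNMAP') MAPSET('SIGNSET')
                     FROM(SIGNMAPO) ERASE
           END-EXEC.
```

The program is installed as a normal CICS transaction and can be named on GMTRAN in place of CESN. Note that the SIGNON command succeeds only on a terminal that is not already signed on, so the same transaction cannot be used to switch users; the existing user must sign off first.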

See Terminal profiles for information about the terminal security facilities provided by RACF. See Verifying CICS users for information about using terminal user security in CICS.

For some terminals, and for MVS™ consoles that are used as CICS terminals, it may be appropriate to use preset terminal security. Preset terminal security allows you to associate a user ID permanently with a terminal definition in CICS. CICS implicitly signs the terminal on when the terminal definition is installed, so no subsequent sign-on takes place at that terminal. Preset security is often defined for devices without keyboards, such as printers, at which users cannot sign on.

You can also use this form of security on ordinary display terminals as an alternative to terminal user security. Anyone with physical access to a terminal with preset security can then enter the transactions that are authorized for that terminal's user ID, without signing on to CICS. The terminal remains signed on for as long as it is installed, and no explicit sign-off can be performed against it. If the user ID associated with a display terminal with preset security is authorized to use any sensitive transactions, ensure that the terminal is in a secure location to which access is restricted; terminals physically located within a CICS network control center, for example, might be appropriate for preset security.