Transaction security

Transaction security ensures that a user who attempts to run a transaction is entitled to do so. You might come across the alternative terms attach-time security or transaction-attach security to describe transaction security. Transaction security is the most fundamental form of security checking that is required to secure a CICS region and its applications; you should always enable transaction security. Without transaction security, any user who can reach CICS can run any transaction, without even needing to sign on.

The security section of the documentation assumes that transaction security is enabled.

Transaction security checking applies to all user transactions and CICS transactions in Category 2. (Category 1 and Category 3 transactions are not checked.) You cannot turn transaction security on or off for an individual transaction.

See Transactions in CICS for an introduction to CICS transactions and their categorization.

The XTRAN system initialization parameter controls transaction security. CICS issues an authorization request for every transaction, regardless of how it was started. The user ID that is used for authorization is the user ID that is associated with the request. For details of user IDs, see How it works: Identification in CICS.

Figure 1 shows how transaction security works.
Figure 1. Transaction security (diagram of the flow described in the following steps)
In this process:
  1. The user initiates a transaction.
  2. CICS checks that transaction security is active (XTRAN=YES, or XTRAN set to the name of your own class pair) and calls RACF to determine whether the user has sufficient access to the transaction.
  3. RACF checks the currently active transaction resource profile and returns a yes or no decision to CICS. RACF also logs the access check, subject to the auditing options in effect for the profile and the class.
  4. CICS then allows or denies the user access.

CICS and RACF process the authorization request using a profile for each transaction in RACF resource classes. You define these profiles either in the default RACF resource classes for CICS (the member class TCICSTRN and its grouping class GCICSTRN) or in your own classes. The CICS-supplied transactions, except the sample transactions in Category 2, are defined in their designated groups when you initialize the CICS system definition data set (CSD) or during installation. You identify your own transactions to RACF by the transaction names that you have assigned to them. See RACF classes and profiles for resources for more information about the RACF resource classes.

The currently active transaction profile is used for authorization checking. To understand this, see Refreshing profiles for SETROPTS RACLIST processing.

To set up transaction security:
  • Set the XTRAN system initialization parameter. Always have XTRAN on (XTRAN=YES, or XTRAN=name to use your own class pair); never run with XTRAN=NO.
  • Set up RACF profiles to specify which user is authorized to run a transaction. For an example, see How it works: Securing CICS with RACF.
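The following batch job is an added example, not code from the CICS documentation, that carries out both steps above for a hypothetical region: it defines member-class profiles for two constructed transaction names (PAY1 and PAY2), groups them under a constructed GCICSTRN profile (PAYROLL), permits a constructed RACF group (PAYGRP) to run them, defines a catch-all generic profile so that any transaction without its own profile is denied, activates and RACLISTs the class, and refreshes the in-storage profiles so that the new definitions become the "currently active" ones that CICS checks. The transaction names, group names and job card are assumptions; the commands and keywords are standard RACF.

```jcl
//RACFTRN  JOB (ACCT),'CICS TRAN SECURITY',CLASS=A,MSGCLASS=X
//*
//* Added example (not from the CICS documentation). Assumed names:
//*   transactions PAY1, PAY2; grouping profile PAYROLL; RACF group PAYGRP.
//* Run this from a user ID with SPECIAL or the appropriate CLAUTH.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* 1. Catch-all profile: a transaction with no matching profile    */
  /*    must be denied, not silently allowed. Log every failure.     */
  SETROPTS GENERIC(TCICSTRN)
  RDEFINE  TCICSTRN ** UACC(NONE) AUDIT(FAILURES(READ))

  /* 2. Member-class profiles, one per transaction name, UACC(NONE)  */
  /*    so that only explicitly permitted users and groups qualify.  */
  RDEFINE  TCICSTRN PAY1 UACC(NONE) AUDIT(FAILURES(READ))
  RDEFINE  TCICSTRN PAY2 UACC(NONE) AUDIT(FAILURES(READ))

  /* 3. Grouping-class profile that covers both transactions, so one */
  /*    PERMIT grants the whole application to the payroll group.    */
  RDEFINE  GCICSTRN PAYROLL ADDMEM(PAY1 PAY2) UACC(NONE)
  PERMIT   PAYROLL CLASS(GCICSTRN) ID(PAYGRP) ACCESS(READ)

  /* 4. Activate the class and load it in storage (SETROPTS RACLIST);*/
  /*    CICS checks the RACLISTed copy, so REFRESH after every change*/
  SETROPTS CLASSACT(TCICSTRN) RACLIST(TCICSTRN)
  SETROPTS RACLIST(TCICSTRN) REFRESH

  /* 5. Verify: list the profile with its access list. A user not in */
  /*    PAYGRP should see no entry and will get a RACF failure at    */
  /*    transaction attach.                                          */
  RLIST    GCICSTRN PAYROLL AUTHUSER
  RLIST    TCICSTRN PAY1 RESGROUP
/*
```

The region side is the two SIT parameters SEC=YES and XTRAN=YES (XTRAN=name if you named your own classes, which CICS then addresses as Tname and Gname). Because CICS only ever consults the RACLISTed copy of the class, a PERMIT or RDEFINE that is not followed by SETROPTS RACLIST(TCICSTRN) REFRESH has no effect on running regions, which is the most common reason a freshly defined transaction still fails the attach-time check.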