Defining the default CICS user ID to RACF

For each CICS® region where you specify SEC=YES, define a RACF® user profile whose user ID matches the value of the DFLTUSER system initialization parameter.

You can use the same default user ID on all CICS regions. You can specify this default user ID on the DFLTUSER system initialization parameter, or leave DFLTUSER set to the default of CICSUSER.

Define a different default CICS user ID for each CICS region if any of the following considerations applies:
  • The default CICS user ID requires different security attributes (such as membership in RACF groups).
  • The default CICS user ID requires different operator data (CICS segment of the RACF user profile).
  • The default CICS user ID requires a different default language (LANGUAGE segment of the RACF user profile).

Step 1. Define the CICS default user to RACF

Use the ADDUSER command with the CICS operand to define a CICS default user to RACF.

Usually, the default CICS user ID should be defined as a protected user ID. This is particularly the case if the CICS region is a started task. Protected user IDs cannot be used to enter the system by any means that requires a password, and users cannot cause a protected user ID to be revoked. For more information, see Using protected user IDs.

Example:

The following command defines CICS default user CICSUSER as a protected user ID to RACF:

ADDUSER CICSUSER  DFLTGRP(group_id) NAME(user_name)
        OWNER(userid or group)
        NOOIDCARD
        NOPASSWORD

Step 2. Authorize the CICS region user ID to be a surrogate user of the default user ID

If you have specified the system initialization parameter XUSER=YES (the default), authorize the CICS region user ID to be a surrogate user of the default user ID. For example, the following command authorizes a CICS region user ID to be a surrogate user of CICSUSER:

PERMIT CICSUSER.DFHINSTL CLASS(SURROGAT) ID(cics_region_userid)
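The two steps above, run together as a batch TSO job and followed by the RACF list commands that let you verify the result. This is an added example, not from the CICS documentation; the job card, the group CICSGRP, the owner SYSADM, the region user ID CICSREG and the CICS segment values are assumptions, and the RDEFINE of the SURROGAT profile is included because PERMIT needs the profile to exist.

```jcl
//RACFDFLT JOB (ACCT),'DEFINE CICS DFLTUSER',CLASS=A,MSGCLASS=X
//* Added example, not part of the CICS documentation. Runs the RACF
//* commands for steps 1 and 2 in a batch TSO step and then lists the
//* resulting profiles so the definitions can be checked. Placeholders
//* (assumed): CICSGRP = default group, SYSADM = owner, CICSREG = the
//* CICS region user ID. Issuing these commands needs RACF authority.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* Step 1: protected default user - no password, no OID card,    */
 /* with a CICS segment and a LANGUAGE segment (values assumed)   */
 ADDUSER CICSUSER DFLTGRP(CICSGRP) OWNER(SYSADM) +
   NAME('CICS DEFAULT USER') NOPASSWORD NOOIDCARD +
   CICS(OPIDENT(DFL) OPCLASS(1) OPPRTY(0)) +
   LANGUAGE(PRIMARY(ENU))
 /* Step 2: SURROGAT profile for CICSUSER; the region user ID     */
 /* needs READ access to CICSUSER.DFHINSTL to sign it on           */
 RDEFINE SURROGAT CICSUSER.DFHINSTL UACC(NONE) OWNER(SYSADM)
 PERMIT CICSUSER.DFHINSTL CLASS(SURROGAT) ID(CICSREG) ACCESS(READ)
 /* Refresh in-storage profiles; needed only if SURROGAT is       */
 /* RACLISTed on this system                                       */
 SETROPTS RACLIST(SURROGAT) REFRESH
 /* Checks: LISTUSER must show PROTECTED among the attributes and */
 /* the CICS/LANGUAGE segments; RLIST must show CICSREG with READ  */
 LISTUSER CICSUSER CICS LANGUAGE
 RLIST SURROGAT CICSUSER.DFHINSTL AUTHUSER
/*
```

Review SYSTSPRT for a non-zero return code on any command before starting the region; a failed ADDUSER leaves the DFLTUSER undefined and the region will end at startup with DFHXS1104.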

Sign-on processing of the CICS default user

During startup, CICS signs on the default user ID. If the default user sign-on fails (because, for example, the user ID is not defined to RACF), CICS issues message DFHXS1104 and terminates CICS initialization.

When CICS successfully signs on a valid RACF user ID as the default user, it establishes the terminal user data for the default user from one of the following sources:
  • The CICS segment of the default user's RACF user profile
  • Built-in CICS system default values

See Obtaining CICS-related data for a user for details of the sign-on process for obtaining CICS terminal operator data.

How CICS assigns the security attributes of the default user

CICS assigns the security attributes of the default user ID to all CICS terminals before any terminal user begins to sign on. The security attributes and terminal user data of the default user also apply to any terminals at which users do not sign on (using either the CICS-supplied CESN transaction or a user-written equivalent), unless the security has been explicitly preset by specifying a value for the USERID option in the terminal definition.
Note: If the default user's RACF profile specifies a non-zero TIMEOUT, that value does not apply to terminals that do not sign on.

CICS also assigns the security attributes of the default user ID to any “trigger level transactions” that are initiated for transient data queues without a USERID parameter.

Ensure that the default user ID has at least the minimum authorities that should be granted to any other terminal user. In particular:
  • Give the default user access to the region's APPLID. See Authorizing access to the CICS region.
  • Give the default user access to the CICS-supplied transactions that are intended to be used by everybody. See the definitions in Identifying CICS terminal users, especially those transactions that are recommended for inclusion in the ALLUSER example group of transactions.