Authorizing access to the CICS region

You can restrict access by terminal users to specific CICS® regions by defining CICS APPLID profiles in the RACF® APPL class.

For this purpose, the APPLID of a CICS region is:
  • The z/OS® Communications Server generic resources name if GRNAME is specified as a system initialization parameter
  • The generic APPLID if one is specified on the APPLID system initialization parameter
  • The specific APPLID if only one is specified on the system initialization parameter
If you define a profile in the APPL class for a CICS APPLID, or a generic profile that applies to one or more CICS APPLIDs with UACC(NONE), all terminal users trying to sign on to a CICS region must have explicit access to the profile that applies to that region's APPLID, either as an individual profile, or as a member of a group. For example:
RDEFINE APPL cics_region_applid UACC(NONE) NOTIFY(sys_admin_userid)
You need to define only one APPL profile name in the RACF database for all the CICS regions that are members of the same z/OS Communications Server generic resources name. All sign-on verifications in a CICSplex, where all the terminal-owning regions have the same z/OS Communications Server generic resources name, are made against the same APPL profile.
For MRO only, the APPLID is propagated from the terminal-owning region (TOR) to the other regions that the user accesses — for example, from the TOR to the application-owning region (AOR), and from the AOR to the file-owning region (FOR). As a consequence:
  • You do not need to include users of the AOR and FOR in the APPL profiles for those regions.
  • You can force users to sign on through a TOR by denying them access to the other APPLIDs.
Use the RACF PERMIT command to add authorized users to the access list of CICS APPL profiles. For example:
PERMIT cics_region_applid CLASS(APPL) ID(group1,...,groupn) ACCESS(READ)
permits all users defined in the listed groups to sign on to cics_region_applid.
The APPL class must be active for this protection to be in effect:
SETROPTS CLASSACT(APPL)

Also, for performance reasons, consider activating profiles in the APPL class using RACLIST.

SETROPTS RACLIST(APPL)
If the APPL class is already active, refresh the in-storage APPL profiles with the SETROPTS command:
SETROPTS RACLIST(APPL) REFRESH
Note:
  1. CICS always passes the APPLID to RACF when requesting RACF to perform user sign-on checks, and there is no mechanism within CICS to prevent this.
  2. RACF treats undefined CICS APPLIDs as UACC(READ).
  3. If the APPL class is active, and a profile exists for a CICS region in the APPL class, ensure that authorized remote CICS regions can sign on to a CICS region protected in this way.
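The following command sequence is an added example, not part of the original topic, that puts the above steps together for a constructed CICSplex: the terminal-owning regions share the z/OS Communications Server generic resources name CICSGR01, the AOR is CICSAOR1 and the FOR is CICSFOR1. The profile names, group names (TELLERS, BRANCHOP), the NOTIFY userid SYSADM1 and the remote region userid CICSREM1 are all placeholders.

```tso
/* Constructed example. One APPL profile covers every TOR in the       */
/* generic resource CICSGR01; terminal users get READ through groups.  */
RDEFINE APPL CICSGR01 UACC(NONE) NOTIFY(SYSADM1)
PERMIT CICSGR01 CLASS(APPL) ID(TELLERS,BRANCHOP) ACCESS(READ)

/* Protect the AOR and FOR APPLIDs with UACC(NONE) and do NOT permit   */
/* the terminal-user groups: with MRO the TOR's APPLID is propagated,  */
/* so this forces users to sign on through a TOR (see the MRO text).   */
RDEFINE APPL CICSAOR1 UACC(NONE) NOTIFY(SYSADM1)
RDEFINE APPL CICSFOR1 UACC(NONE) NOTIFY(SYSADM1)

/* Per Note 3: a remote (non-MRO) CICS region that must sign on to the  */
/* AOR directly still needs access. CICSREM1 is an assumed userid.     */
PERMIT CICSAOR1 CLASS(APPL) ID(CICSREM1) ACCESS(READ)

/* Activate the class and load the profiles into storage; use REFRESH  */
/* instead of a plain RACLIST when the class was already RACLISTed.    */
SETROPTS CLASSACT(APPL)
SETROPTS RACLIST(APPL)
SETROPTS RACLIST(APPL) REFRESH

/* Verify the resulting access lists before relying on them.           */
RLIST APPL CICSGR01 AUTHUSER
RLIST APPL CICSAOR1 AUTHUSER
```

Because an undefined APPLID is treated as UACC(READ) (Note 2), the RLIST output is the check that each region you intended to protect actually has a profile with an empty UACC and only the expected groups on its access list.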

See the z/OS Security Server RACF Security Administrator's Guide for more information about controlling access to applications.