Security for started transactions

A CICS® transaction can start other transactions by means of an EXEC CICS START command. Transactions started in this way are known as started transactions, and you can use CICS RACF® security to control who can start other transactions using the START command.

When a transaction issues an EXEC CICS START TRANSID command, CICS calls RACF to check that the user of the transaction that issues the command is authorized for the started transaction.

To implement security for started transactions and for transactions checked against the XPCT class:
  1. Specify SEC=YES as a CICS system initialization parameter (and SECPRFX if you define profiles with a prefix).
  2. Specify RESSEC(YES) in the CSD resource definition of the transactions that issue START commands.
  3. Specify XPCT=YES for the default resource class names of ACICSPCT and BCICSPCT (or XPCT=class_name for user-defined resource class names).

    This ensures that when a transaction is started by a START command, CICS calls RACF to check that the userid associated with the transaction is authorized to attach the transaction.

  4. Define profiles to RACF in the ACICSPCT or BCICSPCT resource classes (or their equivalent if you have user-defined resource class names) using the name of the started transaction to identify the profiles.
    For example, use the following commands to define transactions in the ACICSPCT class and to authorize one user only:
    RDEFINE  ACICSPCT (tran1, tran2, ..., trann) UACC(NONE)
                      NOTIFY(sys_admin_userid)
    PERMIT  tran1 CLASS(ACICSPCT)  ID(userid) ACCESS(READ)
    PERMIT  tran2 CLASS(ACICSPCT)  ID(userid) ACCESS(READ)
    To define started transactions as members of a profile in the started transaction resource group class, with an appropriate access list, use the following commands:
    RDEFINE  BCICSPCT  started_trans  UACC(NONE)
                       ADDMEM(trana, tranb, ..., tranx)
                       NOTIFY(sys_admin_userid)
    PERMIT started_trans  CLASS(BCICSPCT) ID(group_userid) ACCESS(READ)
  5. Specify XTRAN=YES for the default resource class names of TCICSTRN and GCICSTRN (or XTRAN=class_name for user-defined resource class names).
  6. Define profiles to RACF in the TCICSTRN or GCICSTRN resource classes (or their equivalent if you have user-defined resource class names) using the name of the started transaction to identify the profiles.
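As an added illustration, not part of the CICS documentation, the following Python model walks through the two checks the steps above put in place: the XPCT check made against the issuing user when a transaction issues START, and the XTRAN check made when the started transaction attaches. Profiles, userids and group connections are constructed sample data; profile lookup is simplified to discrete names and grouping-class ADDMEM lists (no generic profiles), and the started transaction is assumed to run under the issuer's userid.

```python
"""Model of the RACF checks CICS makes for a started transaction.
All profiles, userids and group connections below are constructed sample data."""

# Member classes (ACICSPCT, TCICSTRN) are keyed by transaction name; grouping
# classes (BCICSPCT, GCICSTRN) carry an ADDMEM list, as in the RDEFINE examples.
PROFILES = {
    "ACICSPCT": {"TRN1": {"UACC": "NONE", "ACL": {"USER1": "READ"}}},
    "BCICSPCT": {"STARTTRN": {"UACC": "NONE", "ADDMEM": ["TRNA", "TRNB"],
                              "ACL": {"OPSGRP": "READ"}}},
    "TCICSTRN": {"TRN1": {"UACC": "READ", "ACL": {}}},
    "GCICSTRN": {"OPSTRANS": {"UACC": "NONE", "ADDMEM": ["TRNA", "TRNB"],
                              "ACL": {"OPSGRP": "READ"}}},
}
CONNECTIONS = {"USER1": ["OPSGRP"], "USER2": []}  # userid -> connected RACF groups
RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

def find_profile(tranid, member_class, grouping_class):
    """Simplified lookup: a discrete member-class profile first, otherwise a
    grouping-class profile whose ADDMEM list names the transaction."""
    prof = PROFILES.get(member_class, {}).get(tranid)
    if prof is None:
        prof = next((p for p in PROFILES.get(grouping_class, {}).values()
                     if tranid in p.get("ADDMEM", [])), None)
    return prof

def racf_auth(userid, tranid, member_class, grouping_class, needed="READ"):
    """Return 'allowed', 'denied' or 'not protected' (no profile covers tranid)."""
    prof = find_profile(tranid, member_class, grouping_class)
    if prof is None:
        return "not protected"  # assumption: the caller treats this as allowed
    ids = [userid] + CONNECTIONS.get(userid, [])  # user entry or group entry
    granted = max((RANK[prof["ACL"][i]] for i in ids if i in prof["ACL"]),
                  default=RANK[prof["UACC"]])      # otherwise fall back to UACC
    return "allowed" if granted >= RANK[needed] else "denied"

def start_transaction(issuer, tranid, sec="YES", xpct="YES", xtran="YES",
                      ressec="YES"):
    """EXEC CICS START TRANSID(tranid) issued by `issuer`: XPCT check on the
    issuer (only with SEC=YES, XPCT not NO and RESSEC(YES) on the issuing
    transaction), then the XTRAN attach check; the started transaction is
    assumed to run under the issuer's userid."""
    if sec != "YES":
        return "started (SEC=NO: no security checking)"
    if xpct != "NO" and ressec == "YES":
        if racf_auth(issuer, tranid, "ACICSPCT", "BCICSPCT") == "denied":
            return "START rejected: XPCT check failed"
    if xtran != "NO":
        if racf_auth(issuer, tranid, "TCICSTRN", "GCICSTRN") == "denied":
            return "attach rejected: XTRAN check failed"
    return "started"
```

Running `start_transaction("USER2", "TRN1")` shows the START being rejected by the XPCT check, while the same call with `ressec="NO"` passes, which is why step 2 matters as much as the profile definitions.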