Security for transactions started with EXEC CICS RUN TRANSID

A CICS® transaction can initiate other transactions by means of an EXEC CICS RUN TRANSID command. You can use CICS RACF® security to control who can initiate other transactions using the RUN TRANSID command.

When a transaction issues an EXEC CICS RUN TRANSID command, CICS calls RACF to check that the user of the transaction issuing the command is authorized for the started transaction.

To implement security for asynchronous transactions, you need to do the following:
  1. Specify SEC=YES as a CICS system initialization parameter (and SECPRFX if you define profiles with a prefix).
  2. Specify RESSEC(YES) in the CSD resource definition of the parent transactions that issue EXEC CICS RUN TRANSID commands.

    This ensures that when a child transaction is started by an EXEC CICS RUN TRANSID command, CICS calls RACF to check that the userid associated with the parent transaction is authorized to attach the child transaction.

  3. Specify XPCT=YES for the default resource class names of ACICSPCT and BCICSPCT (or XPCT=class_name for user-defined resource class names).
  4. Define profiles to RACF in the ACICSPCT or BCICSPCT resource classes (or their equivalent if you have user-defined resource class names) using the name of the started child transaction to identify the profiles.
  5. Specify XTRAN=YES for the default resource class names of TCICSTRN and GCICSTRN (or XTRAN=class_name for user-defined resource class names).
  6. Define profiles to RACF in the TCICSTRN or GCICSTRN resource classes (or their equivalent if you have user-defined resource class names) using the name of the started child transaction to identify the profiles.
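
The six steps above, put together as an added example (not taken from the original page). PARN, PARNPGM, ASYNCGRP, CHLD and USRA are hypothetical names for the parent transaction, its program, its CSD group, the child transaction and the userid the parent runs under. It assumes the default resource class names, no SECPRFX prefix, and that both classes are already active and RACLISTed.

```text
* --- CICS system initialization parameters (steps 1, 3 and 5) ---
* SECPRFX is not set here, so profile names carry no prefix (assumption).
SEC=YES
XPCT=YES
XTRAN=YES

* --- DFHCSDUP input: parent transaction that issues RUN TRANSID (step 2) ---
* PARN, PARNPGM and ASYNCGRP are hypothetical names.
DEFINE TRANSACTION(PARN) GROUP(ASYNCGRP) PROGRAM(PARNPGM) RESSEC(YES)

/* --- RACF commands: profiles named after the child, CHLD (steps 4, 6) --- */
/* UACC(NONE) denies everyone who is not explicitly permitted.              */
/* USRA is the hypothetical userid under which the parent PARN runs.        */
RDEFINE ACICSPCT CHLD UACC(NONE)
PERMIT  CHLD CLASS(ACICSPCT) ID(USRA) ACCESS(READ)

RDEFINE TCICSTRN CHLD UACC(NONE)
PERMIT  CHLD CLASS(TCICSTRN) ID(USRA) ACCESS(READ)

/* Refresh the in-storage profiles so the new definitions take effect */
SETROPTS RACLIST(ACICSPCT TCICSTRN) REFRESH
```

ACCESS(READ) is the minimum level the page gives under "Access authorization levels"; a userid without a PERMIT on both profiles falls back to UACC(NONE).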

Userid of a transaction started using EXEC CICS RUN TRANSID

A child transaction started by the EXEC CICS RUN TRANSID command runs under the USERID of the parent transaction that issued the command.

Access to resources by transactions started using EXEC CICS RUN TRANSID

  • If a transaction-routed parent transaction executes an EXEC CICS RUN TRANSID command, the started child transaction is not subject to link security.
  • If EDF is used in dual-screen mode for a transaction that issues an EXEC CICS RUN TRANSID command, the started transaction is not subject to resource access determined by the userid of the EDF terminal.

Access authorization levels

CICS requires a minimum authorization of READ for transactions started by an EXEC CICS RUN TRANSID command.