CICS resource class system initialization parameters
You specify at the system level (with the SEC=YES parameter) that you want CICS® to use RACF® to authorize access to CICS resources. You also specify at the system level which particular CICS resources you want CICS to check by means of the Xname system initialization parameters.
The full list of the CICS resource classes is shown in Table 1. Each class is shown with its corresponding Xname system initialization parameter.
| System initialization parameter | Resource |
|---|---|
| XAPPC={NO|YES} | APPC partner-LU verification |
| XCMD={YES|name|NO} | EXEC CICS system commands; EXEC CICS FEPI system commands |
| XDB2={NO|name} | CICS Db2® resources |
| XDCT={YES|name|NO} | Transient data queues |
| XFCT={YES|name|NO} | Files |
| XHFS={YES|NO} | z/OS® UNIX files managed by z/OS UNIX System Services |
| XJCT={YES|name|NO} | Journals and logs |
| XPCT={YES|name|NO} | Started transactions and EXEC CICS commands: |
| XPPT={YES|name|NO} | Programs |
| XPSB={YES|name|NO} | DL/I program specification blocks (PSBs) |
| XRES={YES|name|NO} | CICS resources subject to XRES security checks. For a list of resources subject to XRES security checks, see Security using the XRES resource security parameter. |
| XTRAN={YES|name|NO} | Attached transactions |
| XTST={YES|name|NO} | Temporary storage queues |
| XUSER={YES|NO} | Surrogate user checking; Db2 AUTHTYPE checking |
- The parameters are effective only with SEC=YES.
- None of the parameters can be entered as a console override.
If you specify YES for any of the Xname system initialization parameters where RACF is used to manage resource security, CICS uses the default class name for that parameter. See RACF classes for CICS resources for a list of these.
As an example, the effect of specifying SEC=YES with three of the resource class parameters specified as Xname=YES is illustrated in the following table.
| System initialization parameter | Effect |
|---|---|
| SEC=YES | CICS initializes the external security interface. |
| XTRAN=YES | CICS uses the TCICSTRN and GCICSTRN resource class profiles for transaction-attach security checking. |
| XFCT=YES | CICS uses the FCICSFCT and HCICSFCT resource class profiles for file access security checking. |
| XPSB=YES | CICS uses the PCICSPSB and QCICSPSB resource class profiles for PSB access security checking. |
As a second example, the effect of specifying SEC=YES with the same three associated resource class parameters specified as Xname=username is shown in Table 3.
| System initialization parameter | Effect |
|---|---|
| SEC=YES | CICS uses full RACF security support. |
| XTRAN=$usrtrn | CICS uses the T$usrtrn and G$usrtrn user-defined resource class profiles for transaction-attach security checking. |
| XFCT=$usrfct | CICS uses the F$usrfct and H$usrfct user-defined resource class profiles for file access security checking. |
| XPSB=$usrpsb | CICS uses the P$usrpsb and Q$usrpsb user-defined resource class profiles for PSB access security checking. |
When CICS is being initialized, it requests RACF to bring resource profiles into main storage to match all the resource classes that you specify on system initialization parameters. Note that (except for XAPPC and XDB2) Xname=YES is the default in the system initialization parameters, and CICS will use the default classnames, for example, GCICSTRN. Supply RACF profiles for all those resources for which you do not specify Xname=NO explicitly. If CICS requests RACF to load a general resource class that does not exist or is not correctly defined, CICS issues a message indicating that external security initialization has failed, and terminates CICS initialization.
The system initialization parameter XHFS is an exception to this process. Access controls for z/OS UNIX files are not managed directly by RACF, so they do not require individual RACF profiles, even if XHFS=YES is specified. Access controls for z/OS UNIX files are specified in z/OS UNIX System Services, which makes use of RACF to manage user IDs and groups, but keeps control of the permissions set for the files. If you are using access control lists (ACLs) for z/OS UNIX files, the RACF class FSSEC must be active.
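The class-loading behaviour described above can be checked before a region is started. The following Python script is an added example, not IBM code: it reads a set of SIT overrides and reports which RACF classes CICS will ask RACF to load, so that you can confirm the profiles exist. It resolves only XTRAN, XFCT and XPSB, whose class names appear in the tables above; the function names, the sample input, and the handling of `*` comment lines and `.END` are assumptions.

```python
import re

# Prefix letters (member class, grouping class) and default class suffixes,
# taken from the page's XTRAN, XFCT and XPSB rows. Other Xname parameters
# are deliberately not resolved here.
PREFIXES = {"XTRAN": ("T", "G"), "XFCT": ("F", "H"), "XPSB": ("P", "Q")}
DEFAULT_SUFFIX = {"XTRAN": "CICSTRN", "XFCT": "CICSFCT", "XPSB": "CICSPSB"}

# Constructed sample input, not taken from a real region.
SAMPLE_SIT = """\
* constructed SIT override sample
SEC=YES,
XTRAN=YES,XFCT=$usrfct,
XPSB=NO,
.END
"""

def parse_sit(text):
    """Collect KEY=VALUE pairs; skip '*' comment lines, stop at .END."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        if line.upper().startswith(".END"):
            break
        for key, value in re.findall(r"([A-Za-z0-9]+)=([^,\s]+)", line):
            params[key.upper()] = value
    return params

def audit(text):
    """Return ({parameter: (member class, grouping class)}, [findings])."""
    params = parse_sit(text)
    sec_on = params.get("SEC", "").upper() == "YES"
    classes, findings = {}, []
    if not sec_on:
        findings.append("SEC=YES not present in this input: "
                        "Xname parameters are effective only with SEC=YES")
    for name, (member, group) in PREFIXES.items():
        value = params.get(name, "YES")  # page: Xname=YES is the default
        if value.upper() == "NO":
            findings.append(f"{name}=NO: CICS does not check this resource type")
        elif sec_on:
            suffix = DEFAULT_SUFFIX[name] if value.upper() == "YES" else value
            classes[name] = (member + suffix, group + suffix)
    return classes, findings

if __name__ == "__main__":
    print(audit(SAMPLE_SIT))
```

Every class returned must be defined to RACF with profiles loaded, because a request for a class that does not exist or is not correctly defined terminates CICS initialization.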
For guidance on the syntax of external security system initialization parameters, see System initialization parameter descriptions and summary.
The individual transaction definitions in the CSD determine whether RACF security is used for the resources and commands used with each transaction. See Verifying CICS users and Transaction security for information about specifying resource and command security for transactions.