Security checking

CICS® uses an external security manager, such as RACF®, to perform security checking.

Five types of security checks govern whether a particular SPI command is executed:
  • Transaction
  • Command
  • Surrogate
  • Resource
  • Authtype (Db2® objects only)

CICS performs these checks only if the SEC system initialization parameter has a value of YES.

The transaction check occurs first, at task attach time, when CICS ensures that the user initiating the task has authority to use the transaction that is to be executed. This check is governed by the XTRAN system initialization parameter as well as SEC; it is skipped if the XTRAN value is NO. The remaining checks occur as necessary when commands are issued.

Command checking verifies that the user is authorized to use SPI commands. It is governed by the XCMD and CMDSEC system initialization parameters, and the CMDSEC option in the definition of the TRANSACTION being executed, and occurs if the XCMD value is not NO and either the CMDSEC option in the TRANSACTION is YES or the CMDSEC system initialization parameter is ALWAYS. If the user is not authorized, CICS rejects the command with a RESP value of NOTAUTH and a RESP2 value of 100.

If the command associates a user ID with a resource, a surrogate check may follow the command check. This check ensures that the user ID of the task issuing the command has authority to act as a surrogate for the user ID named in the command. It occurs only if the XUSER system initialization parameter is YES, and applies only to these command-option combinations:
  • SET TDQUEUE with ATIUSERID
  • SET DB2CONN with AUTHID or COMAUTHID
  • SET DB2ENTRY with AUTHID
  • SET DB2TRAN that references a DB2ENTRY containing AUTHID
  • CREATE CONNECTION with SECURITYNAME
  • CREATE DB2CONN with AUTHID or COMAUTHID
  • CREATE DB2ENTRY with AUTHID
  • CREATE DB2TRAN that references a DB2ENTRY containing AUTHID
  • CREATE SESSIONS with USERID
  • CREATE TDQUEUE with USERID
  • CREATE TERMINAL with USERID
  • CREATE BUNDLE installing an EPADAPTER that contains a USERID

CICS returns a RESP2 value of 102 if the check fails. (Additional checks on the assigned user occur on SET TDQUEUE ATIUSERID, as detailed in the description of that command.)

The resource check verifies that the user ID has authority to use the resource in the way required by the command. Resource checking is controlled by the RESSEC option in the TRANSACTION being executed, the RESSEC system initialization parameter, and a system initialization parameter specific to the resource type:
  • XDCT for transient data queues
  • XFCT for files
  • XJCT for journals
  • XPCT for transactions
  • XPPT for programs, map sets, partition sets, and exits
  • XRES for the following CICS resources:
    • ATOMSERVICE
    • BUNDLE
    • BUNDLEPART
    • DOCTEMPLATE
    • EPADAPTER
    • EPADAPTERSET
    • EVENTBINDING
    • JVMSERVER
    • XMLTRANSFORM
  • XTST for temporary storage queues
  • XDB2 for Db2 entries and transactions
See Security using the XRES resource security parameter for more information about XRES.

Resource checking occurs only if the applicable resource-type system initialization parameter has a value other than NO and either the RESSEC option in the TRANSACTION is YES or the RESSEC system initialization parameter is ALWAYS. For commands other than INQUIRE NEXT, CICS rejects the command with the NOTAUTH condition and a RESP2 value of 101 if a resource check fails. During a browse, however, CICS skips resources that would fail the resource check on an ordinary INQUIRE (see Rules for browsing for details).
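The command, surrogate and resource checks described above, with their governing parameters and RESP2 values, as an added worked model (not code from the CICS documentation); the Sit class, the authorized() callback and every sample value are assumptions constructed for illustration, and the attach-time transaction check is included for completeness:

```python
# Added example, not from the CICS documentation: models the order in which SEC,
# XTRAN, XCMD, XUSER and RESSEC decide whether an SPI command runs and which RESP2
# value a failed check returns. Sit, authorized() and the sample values are constructed.
from dataclasses import dataclass, field
# Command/option pairs that trigger a surrogate check when XUSER=YES. The page's
# indirect cases (DB2TRAN via DB2ENTRY AUTHID, BUNDLE via EPADAPTER USERID) are omitted.
SURROGATE_OPTIONS = {
    ("SET TDQUEUE", "ATIUSERID"), ("SET DB2CONN", "AUTHID"),
    ("SET DB2CONN", "COMAUTHID"), ("SET DB2ENTRY", "AUTHID"),
    ("CREATE CONNECTION", "SECURITYNAME"), ("CREATE DB2CONN", "AUTHID"),
    ("CREATE DB2CONN", "COMAUTHID"), ("CREATE DB2ENTRY", "AUTHID"),
    ("CREATE SESSIONS", "USERID"), ("CREATE TDQUEUE", "USERID"),
    ("CREATE TERMINAL", "USERID"),
}

@dataclass
class Sit:
    """Constructed holder for the system initialization parameters the page names."""
    SEC: str = "YES"
    XTRAN: str = "YES"
    XCMD: str = "YES"
    XUSER: str = "YES"
    CMDSEC: str = "ASIS"   # ALWAYS forces command checking for every transaction
    RESSEC: str = "ASIS"   # ALWAYS forces resource checking for every transaction
    xres: dict = field(default_factory=dict)  # resource-type parameters, e.g. {"XFCT": "YES"}

def attach_allowed(sit, tranid, authorized):
    """Transaction check at task attach: skipped unless SEC=YES and XTRAN is not NO."""
    if sit.SEC != "YES" or sit.XTRAN == "NO":
        return True
    return authorized("transaction", tranid)

def check_spi(sit, tran, cmd, options, res_param, res_name, authorized, browse=False):
    """Return None if the command may run, "SKIP" when a browse hides a resource, or
    the RESP2 value (100, 101 or 102) of the first failing check. `tran` holds the
    TRANSACTION definition's CMDSEC/RESSEC options; `authorized` stands in for the ESM."""
    if sit.SEC != "YES":                       # no security checking at all
        return None
    if (sit.XCMD != "NO" and (tran["CMDSEC"] == "YES" or sit.CMDSEC == "ALWAYS")
            and not authorized("command", cmd)):
        return 100                             # NOTAUTH, RESP2 100
    if sit.XUSER == "YES":                     # surrogate check, listed options only
        for opt, userid in options.items():
            if (cmd, opt) in SURROGATE_OPTIONS and not authorized("surrogate", userid):
                return 102                     # NOTAUTH, RESP2 102
    res_on = sit.xres.get(res_param, "NO") != "NO"
    if res_on and (tran["RESSEC"] == "YES" or sit.RESSEC == "ALWAYS"):
        if not authorized("resource", res_name):
            return "SKIP" if browse else 101   # browse skips; otherwise RESP2 101
    return None
```

Feeding a region's actual SIT values and TRANSACTION options into this model shows which of the three RESP2 outcomes a given SPI command can produce before it is tried on the live system.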

When you give a user authority to perform an action on a platform or application, you also give them authority to perform the same action on the dynamically generated resources for the platform or application. CICS command and resource security checks are not carried out when you create or operate on CICS bundles through an application or platform. However, CICS command and resource security checks do apply when you use SPI commands to perform an action directly on an individual BUNDLE resource, or a dynamically generated resource that was defined in a CICS bundle, even if the bundle was created when you installed a platform or application. For more information, see Security for bundles.

The resources that can be protected by resource checking, and the SPI commands that require access authority, are shown in the table that follows. The letter in parentheses after the command indicates whether the user needs read (R), update (U), or alter (A) authority to the resource.

Resource (system initialization parameter) and the commands that require access authority:
  • Exits (XPPT option)
    • DISABLE PROGRAM (U)
    • ENABLE PROGRAM (U)
    • EXTRACT EXIT (R)
    • INQUIRE EXITPROGRAM (R)
  • Files (XFCT option)
    • COLLECT STATISTICS FILE (R)
    • CREATE FILE (A)
    • DISCARD FILE (A)
    • INQUIRE FILE (R)
    • SET FILE (U)
  • Journals (XJCT option)
    • COLLECT STATISTICS JOURNALNAME (R)
    • COLLECT STATISTICS JOURNALNUM (R)
    • DISCARD JOURNALNAME (A)
    • INQUIRE JOURNALNAME (R)
    • SET JOURNALNAME (U)
  • Programs, map sets, and partition sets (XPPT option)
    • COLLECT STATISTICS PROGRAM (R)
    • CREATE MAPSET (A)
    • CREATE PARTITIONSET (A)
    • CREATE PROGRAM (A)
    • DISCARD PROGRAM (A)
    • INQUIRE PROGRAM (R)
    • SET PROGRAM (U)
  • Temporary storage queues (XTST option)
    • INQUIRE TSQUEUE (R)
    • INQUIRE TSQNAME (R)
  • Transactions (XPCT option)
    • COLLECT STATISTICS TRANSACTION (R)
    • CREATE TRANSACTION (A)
    • DISCARD TRANSACTION (A)
    • INQUIRE TRANSACTION (R)
    • INQUIRE REQID TRANSID (R)
    • SET TRANSACTION (U)
  • Transaction classes (XPCT option)
    • COLLECT STATISTICS TCLASS (R)
    • COLLECT STATISTICS TRANCLASS (R)
    • CREATE TRANCLASS (A)
    • DISCARD TRANCLASS (A)
    • INQUIRE TCLASS (R)
    • INQUIRE TRANCLASS (R)
    • SET TCLASS (U)
    • SET TRANCLASS (U)
  • Transient data queues (XDCT option)
    • COLLECT STATISTICS TDQUEUE (R)
    • CREATE TDQUEUE (A)
    • DISCARD TDQUEUE (A)
    • INQUIRE TDQUEUE (R)
    • SET TDQUEUE (U)
  • DB2ENTRYs (XDB2 option)
    • CREATE DB2ENTRY (A)
    • CREATE DB2TRAN (A)
    • INQUIRE DB2ENTRY (R)
    • INQUIRE DB2TRAN (R)
    • SET DB2ENTRY (U)
    • SET DB2TRAN (U)
  • DB2TRANs (XDB2 option)
    • CREATE DB2ENTRY (A)
    • CREATE DB2TRAN (A)
    • INQUIRE DB2ENTRY (R)
    • INQUIRE DB2TRAN (R)
    • SET DB2ENTRY (U)
    • SET DB2TRAN (U)
  • CICS resources that are subject to XRES security checks (XRES option)
    • CREATE ATOMSERVICE (A)
    • CREATE BUNDLE (A)
    • CREATE DOCTEMPLATE (A)
    • CREATE JVMSERVER (A)
    • DISCARD ATOMSERVICE (A)
    • DISCARD BUNDLE (A)
    • DISCARD DOCTEMPLATE (A)
    • DISCARD JVMSERVER (A)
    • DOCUMENT CREATE (R)
    • DOCUMENT INSERT (R)
    • INQUIRE ATOMSERVICE (R)
    • INQUIRE BUNDLE (R)
    • INQUIRE BUNDLEPART (R)
    • INQUIRE CAPTURESPEC (R)
    • INQUIRE DOCTEMPLATE (R)
    • INQUIRE EPADAPTER (R)
    • INQUIRE EPADAPTERSET (R)
    • INQUIRE EVENTBINDING (R)
    • INQUIRE EVENTPROCESS (R)
    • INQUIRE JVMSERVER (R)
    • INQUIRE MQINI (R)
    • INQUIRE XMLTRANSFORM (R)
    • SET ATOMSERVICE (U)
    • SET BUNDLE (U)
    • SET DOCTEMPLATE (U)
    • SET EPADAPTER (U)
    • SET EPADAPTERSET (U)
    • SET EVENTBINDING (U)
    • SET EVENTPROCESS (U)
    • SET JVMSERVER (U)
    • SET XMLTRANSFORM (U)

Authtype checking applies to DB2CONNs, DB2ENTRYs, and DB2TRANs only. For more information, see Overview of the CICS Db2 interface.

The QUERY SECURITY command

You can find out whether you are authorized to access a resource or to issue a system programming command by issuing the QUERY SECURITY command. This is not an SPI command and does not access any resources, and so never raises a NOTAUTH condition. It is described in QUERY SECURITY.