RACF classes for protecting system resources
CICS® uses many system resources, and these must be protected against unauthorized access. This protection is provided by profiles in several general resource classes.
- APPCLU
- Verifies the identity of APPC partner logical units (LU type 6.2) during z/OS® Communications Server session establishment. For more information, see Defining profiles in the APPCLU general resource class.
- APPL
- Controls terminal users' access to z/OS Communications Server applications, including CICS. For more information, see Authorizing access to the CICS region.
- CONSOLE
- Controls user access to consoles. For more information, see Console profiles.
- DIGTCERT
- Contains digital certificates and related information. For more information, see Creating new RACF certificates.
- FACILITY
- The FACILITY general resource class is used to protect several different system resources. These are described in Resources protected by the FACILITY general resource class.
- FIELD
- Controls access to fields in RACF profiles. For more information, see Controlling access to fields in RACF profiles.
- IDIDMAP
- The IDIDMAP resource profile contains the distributed identity filter. RACF uses the term distributed identity filter to describe a mapping association between a RACF user ID and one or more distributed identities. For more information, see Configuring RACF for identity propagation.
- JESSPOOL
- Protects JES spool data sets. For more information, see JES spool protection in a CICS environment.
- LOGSTRM
- Controls access to the MVS log streams that CICS uses for its system logs and general logs. For more information, see Authorizing access to MVS log streams.
- OPERCMDS
- Controls which console users are allowed to issue MODIFY commands directed to particular CICS regions. For more information, see Using an MVS system console as a CICS terminal.
- Controls which operator commands CICS can issue; for example, commands in the command list table (CLT), and MODIFY network commands.
- PROGRAM
- Controls which users can start CICS. For more information, see Protecting CICS load libraries.
- PROPCNTL
- Prevents the CICS region user ID being propagated to jobs that are submitted from CICS to the JES internal reader, and that do not specify the USER operand. For more information, see Controlling userid propagation.
- PTKTDATA
- Contains the encryption keys used for generating and validating PassTickets. For more information, see PassTickets for sign-on security.
- STARTED
- Contains profiles that provide the user IDs for MVS started jobs. For more information, see Using STARTED profiles for started jobs.
- SUBSYSNM
- Authorizes subsystems (such as instances of CICS) to open a VSAM ACB and use VSAM Record Level Sharing (RLS) functions. For more information, see Authorizing access to SMSVSAM servers.
- SURROGAT
- Specifies which user IDs can act as surrogates for other user IDs. For more information, see Surrogate user security.
- TERMINAL
- Controls the ability of users to sign on at individual terminals. The corresponding resource group class is GTERMINL. For more information, see Terminal profiles.
- VTAMAPPL
- Controls the ability of users to open an SNA ACB. For more information, see Controlling the opening of a CICS region's z/OS Communications Server ACB.
Note: VTAM® is now z/OS Communications Server (for SNA or IP).