Defining the CICSPlex SM transactions in a MAS

For MASs capable of running with an external security manager, it may be necessary to define the CICSPlex® SM transactions which run in the MAS to the ESM.

If transaction-attach security is active in a MAS (that is, SEC=YES and XTRAN=YES|classname are specified in the system initialization parameters), you must define to RACF® the following transactions in the appropriate class:
  • COHT
  • COIE
  • COIR
  • COI0
  • CONA
  • COND
  • CONH
  • CONL
  • CONM
  • CORT
  • COWC

The region userid, and any userid that may be specified on the PLTPIUSR system initialization parameter, should be given READ access to these transactions.

For CICS®/MVS™, CICS/ESA, and CICS TS for OS/390®, users who may initiate the MAS agent code using transaction COLM (for a local MAS) should also be given access to these transactions. If your CICS system performs surrogate user checks (that is, the XUSER system initialization parameter has a value of YES), then the CICS region userid should be a surrogate of the user of the COLM transaction.

Users who may enter dynamic transactions in a CICSPlex SM workload management requesting region must have READ access to the COWC transaction.

For CICS/MVS, CICS/ESA, and CICS TS for OS/390, users who may invoke the CICSPlex SM debugging transactions should be given READ access to the following transactions:

  • CODB
  • COD0
  • COD1
  • COD2
  • COLU

The security attributes of the CONNECTION/SESSION pair defined for the link to the CMAS define which users are authorized to run these transactions. See Overview of intercommunication security for information on intercommunication security.

The COSH transaction allows a terminal user to stop MAS agent code execution. Access to this transaction should be restricted to those users who may need to stop the MAS in this way.
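
The access rules described above (agent transactions, COWC, the debugging transactions and COSH) can be expressed as RACF profiles as in the following batch TSO job. This is an added example, not part of the original documentation. It assumes the default CICS transaction classes TCICSTRN/GCICSTRN, and the job card, the profile names CPSMMAS and CPSMDBG, the userids CICSRGN and PLTUSER, and the groups WLMUSERS, CPSMSUP and CPSMOPS are hypothetical.

```jcl
//CPSMTRAN JOB (ACCT),'CPSM MAS TXNS',CLASS=A,MSGCLASS=X
//* Added example. Assumed names (not from the page): job card,
//* profiles CPSMMAS and CPSMDBG, userids CICSRGN (CICS region) and
//* PLTUSER (PLTPIUSR value), groups WLMUSERS, CPSMSUP, CPSMOPS.
//* TCICSTRN/GCICSTRN are the default classes used when XTRAN=YES;
//* substitute your own class pair if XTRAN names a class.
//*
//* 1. MAS agent transactions: READ for region and PLTPIUSR userids.
//* 2. COWC is its own profile so that users of dynamic transactions
//*    get READ to it without access to the other agent transactions.
//* 3. Debugging transactions (CICS/MVS, CICS/ESA, CICS TS for OS/390):
//*    READ for the support group only.
//* 4. COSH stops the MAS agent: READ for the operators group only.
//* 5. Refresh the in-storage profiles (class assumed RACLISTed).
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE GCICSTRN CPSMMAS UACC(NONE) -
    ADDMEM(COHT,COIE,COIR,COI0,CONA,COND,CONH,CONL,CONM,CORT)
  PERMIT CPSMMAS CLASS(GCICSTRN) ID(CICSRGN PLTUSER) ACCESS(READ)
  RDEFINE TCICSTRN COWC UACC(NONE)
  PERMIT COWC CLASS(TCICSTRN) -
    ID(CICSRGN PLTUSER WLMUSERS) ACCESS(READ)
  RDEFINE GCICSTRN CPSMDBG UACC(NONE) -
    ADDMEM(CODB,COD0,COD1,COD2,COLU)
  PERMIT CPSMDBG CLASS(GCICSTRN) ID(CPSMSUP) ACCESS(READ)
  RDEFINE TCICSTRN COSH UACC(NONE)
  PERMIT COSH CLASS(TCICSTRN) ID(CPSMOPS) ACCESS(READ)
  SETROPTS RACLIST(TCICSTRN) REFRESH
/*
```

UACC(NONE) on every profile keeps access limited to the userids and groups named on the PERMIT commands, which is what restricts COSH and the debugging transactions to the intended users.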