RACF classes for protecting system resources

CICS® uses many system resources, and these must be protected against unauthorized access. This protection is provided by profiles in the following general resource classes:
APPCLU
Verifies the identity of APPC partner logical units (LU type 6.2) during VTAM® session establishment. For more information, see Defining profiles in the APPCLU general resource class.
APPL
Controls terminal users' access to VTAM applications, including CICS. For more information, see Authorizing access to the CICS region.
CONSOLE
Controls user access to consoles. For more information, see Console profiles.
DIGTCERT
Contains digital certificates and related information. For more information, see Creating new RACF certificates.
EJBROLE
Contains the security roles used for enterprise bean security. The corresponding resource group class is GEJBROLE. For more information, see Java™ Applications in CICS.
FACILITY
The FACILITY general resource class is used to protect several different system resources. These are described in Resources protected by the FACILITY general resource class.
FIELD
Controls access to fields in RACF® profiles. For more information, see Controlling access to fields in RACF profiles.
JESSPOOL
Protects JES spool data sets. For more information, see JES spool protection in a CICS environment.
LOGSTRM
Controls access to the MVS™ logstreams that CICS uses for its system logs and general logs. For more information, see Authorizing access to MVS log streams.
OPERCMDS
  • Controls which console users are allowed to issue MODIFY commands directed to particular CICS regions. For more information, see Using an MVS system console as a CICS terminal.
  • Controls which operator commands CICS can issue; for example, commands in the command list table (CLT), and MODIFY network commands.
PROGRAM
Controls which users can start CICS. For more information, see Protecting CICS load libraries.
PROPCNTL
Prevents the CICS region userid being propagated to jobs that are submitted from CICS to the JES internal reader, and that do not specify the USER operand. For more information, see Controlling userid propagation.
PTKTDATA
Contains the encryption keys used for generating and validating PassTickets. For more information, see Generating and using RACF PassTickets.
SERVAUTH
Define profiles in the SERVAUTH general resource class to establish a trust relationship between servers when using asserted identity authentication for IIOP clients. For more information, see Authentication.
STARTED
Contains profiles that provide the userids for MVS started jobs. For more information, see Using STARTED profiles for started jobs.
SUBSYSNM
Authorizes subsystems (such as instances of CICS) to open a VSAM ACB and use VSAM Record Level Sharing (RLS) functions. For more information, see Authorizing access to SMSVSAM servers.
SURROGAT
Specifies which userids can act as surrogates for other userids. For more information, see Surrogate user security.
TERMINAL
Controls the ability of users to sign on at individual terminals. The corresponding resource group class is GTERMINL. For more information, see Preset terminal security.
VTAMAPPL
Controls the ability of users to open a VTAM ACB. For more information, see Controlling the opening of a CICS region's VTAM ACB.