After the bind-security check, and when file security is in force in the FOR, the FOR checks whether the AOR is authorized to“sign on” to the FOR. This security check is optional, and applies only when the userid of the AOR is different from that of the FOR. It is the equivalent of ATTACHSEC(LOCAL) in an MRO environment (see User security with MRO). The AOR also requires READ authorization to the file it is trying to access in the FOR.
For example, define the APPL profile for an FOR with APPLID CICSHF01, and the PERMIT command to enable the AORs with user IDs CICSAOR1 and CICSAOR2 to sign on to CICSHF01, as follows:
RDEFINE APPL CICSHF01 UACC(NONE) NOTIFY(sys_admin_userid)
PERMIT CICSHF01 CLASS(APPL) ID(CICSAOR1 CICSAOR2) ACCESS(READ)
For information about authorizing access to files, see Security for files.
Cases when SAF neither grants nor refuses the request are resolved in the same way as for server LOGON (see If SAF neither grants nor refuses an access request).
If the userid is allowed to sign on to the FOR's application, the CONNECT request succeeds unless the AOR's userid is not allowed to read the specified file. Otherwise, the CONNECT request is treated in the same way as when the AOR's userid is undefined.
When file security is in force in an FOR, and the userid of the AOR is undefined, a CONNECT request fails unless the FOR's default userid (specified by the DFLTUSER system initialization parameter) is allowed to read the specified file.
Function shipping detects that an AOR's access to a file has been revoked when a rebuild of the file control resource class is completed in the FOR. However, if a valid connection already exists, SDT continues to allow access until something causes the connection to be broken. See Refreshing resource profiles in main storage.
Caution: If you use ISC instead of MRO for function shipping, ensure that the value of the SECURITYNAME parameter in the FOR is the same as the userid of the AOR. Otherwise, the SDT CONNECT and function shipping security checks will be inconsistent.