You can protect DBCTL against unauthorized /LOCK and /UNLOCK commands for certain PSBs (referred to as "programs" in the IMS™ publications) and databases by establishing passwords for these PSBs and databases. Use the IMS security maintenance utility to place the required definitions into DBCTL’s matrix data sets:
)( PROGRAM PSB11
PASSWORD PWP11
)( PROGRAM PSB12
PASSWORD PWP12
)( DATABASE DB21
PASSWORD PWD21
)( DATABASE DB22
PASSWORD PWD22
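
A check that can be run over statements of this form before they are given to the utility, as an added example that is not part of the IMS documentation. It assumes only the two-line stanza layout shown above; the function names and the sample input (including DB23 and the reused password) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the stanza form shown above; DB23 (no password) and
# the password reused by PSB12 are deliberate defects for the audit to find.
SAMPLE = """\
)( PROGRAM PSB11
PASSWORD PWP11
)( PROGRAM PSB12
PASSWORD PWP11
)( DATABASE DB21
PASSWORD PWD21
)( DATABASE DB23
"""

HEADER = re.compile(r"^\)\(\s+(PROGRAM|DATABASE)\s+(\S+)$")
PASSWD = re.compile(r"^PASSWORD\s+(\S+)$")

def parse(text):
    """Return {(kind, name): [passwords]} for each )( stanza."""
    stanzas, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if m := HEADER.match(line):
            current = (m.group(1), m.group(2))
            if current in stanzas:
                raise ValueError(f"line {lineno}: {current} defined twice")
            stanzas[current] = []
        elif (m := PASSWD.match(line)) and current is not None:
            stanzas[current].append(m.group(1))
        else:
            raise ValueError(f"line {lineno}: unrecognized statement {line!r}")
    return stanzas

def audit(stanzas):
    """List resources with no password and passwords shared between resources."""
    findings, users = [], defaultdict(list)
    for (kind, name), passwords in stanzas.items():
        if not passwords:
            findings.append(f"{kind} {name}: no PASSWORD statement")
        for pw in passwords:
            users[pw].append(f"{kind} {name}")
    for resources in users.values():
        if len(resources) > 1:  # report the resources, never the password itself
            findings.append("password shared by " + ", ".join(resources))
    return findings
```

Calling `audit(parse(SAMPLE))` returns one finding for DB23 and one for the password shared by PSB11 and PSB12; the eight statements shown above produce no findings.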
In most cases, PSB authorization checking by CICS® provides sufficient security. Because CICS and DBCTL run in the same MVS™ image, and the connection parameters (in the DRA startup table) have to be in an authorized library, you usually have enough control over the connection process and do not need to implement the DBCTL security checking described in Resource access security checking by DBCTL.

However, these considerations do not apply if you are using BMPs with DBCTL. To provide security control for BMPs, use DBCTL resource access security checking. This is because DBCTL resources, such as PSBs, can be accessed by programs that operate in dependent regions. To MVS, these dependent regions are normal MVS jobs that anyone can initiate using the MVS job entry subsystem. This means that a user who is not authorized to access a database using a RACF-protected CICS transaction could access that database by submitting a BMP region with the correct parameters in the EXECUTE statement. (See Making DBCTL resources available for information on starting BMP JCL using a DBCTL operator command.)