CICS provides a number of facilities that help you keep your resource definitions secure from unauthorized use.
Resource security checking ensures that terminal operators can access only those resources for which they have been authorized. You can use resource security checking (RESSEC) for the TRANSACTION definition.
You can have different CSD files for different CICS® systems. The users of one CICS do not have access to the CSD file for another CICS.
You could have a test CSD file in a system where the RDO transactions can be used, and a production CSD file in a system where the RDO transactions are not available. There would then be no chance of unauthorized users altering resource definitions needed for production work.
CSDACC=READONLY
and,
for the system where you are planning to update the CSD, you specify: CSDACC=READWRITE
You need READONLY access to install definitions. This also allows you to use the DISPLAY and VIEW commands. You need READWRITE access to use the ADD, APPEND, ALTER, COPY, MOVE, and RENAME commands. For information on defining the CSD file, see the CICS Operations and Utilities Guide:.
RDO also provides a means of controlling access to any group or list, so that users in the same system can have different types of access. This is done with the LOCK command (see The CEDA LOCK command).
The LOCK and UNLOCK commands enable you to control update access to a group or list so that only operators with the same operator identifier can make changes.
The lock is held on the CSD file and remains in effect across restarts of CICS. The lock is owned by the user, who is identified by a combination of the CICS generic applid (specified by the APPLID system initialization parameter), and the user's operator identifier (OPIDENT).
The OPIDENT is the one associated with the user when he or she signs on to the terminal used for RDO. For further information on OPIDENT, see the CICS RACF® Security Guide.
The lock can be removed, using the UNLOCK command, only by a user on the same system and with the same operator identifier.
It would be wise to put a lock on your group of TYPETERMs and on your group of AUTINSTMODEL TERMINALs.