Use the XCMD system initialization parameter to specify whether you want command security active in the CICS region, and, optionally, to specify the RACF® resource class name in which you have defined the command security profiles.
If you are using the IBM®-supplied RACF resource class names for CICS command profiles (CCICSCMD and VCICSCMD), specify XCMD=YES. CICS then requests RACF to build the in-storage profiles from these default resource classes.
If you are using installation-defined resource class names for CICS command profiles, specify XCMD=user_class. CICS then requests RACF to build the in-storage profiles from your own installation-defined resource classes.
If you do not want command security in a CICS region, specify XCMD=NO.
You can force the effect of CMDSEC=YES for all CICS transactions by specifying the CMDSEC=ALWAYS system initialization parameter. The CMDSEC option is recommended for installations that need total control of the system programming commands.
For each of these commands issued in a user application or by the CICS-supplied transactions CEMT and CECI, CICS calls RACF to check that the terminal operator who initiated the transaction has authority to use the command for the specified resource.
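The XCMD and CMDSEC settings described above can be checked before a region is started. The following audit script is an added example, not IBM-supplied code: it reads system initialization override text and reports whether command security is active and which profile classes are used. It assumes a simplified KEYWORD=value override syntax with `*` comment lines and a `.END` terminator, and that the defaults are XCMD=YES and CMDSEC=ASIS; the function names and the sample class name ACMECMD are hypothetical.

```python
import re

# Assumption: values CICS uses when a parameter is not overridden.
DEFAULTS = {"XCMD": "YES", "CMDSEC": "ASIS"}

def parse_sit_overrides(text):
    """Collect KEYWORD=value pairs from simplified SYSIN-style override text."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):   # blank or comment line
            continue
        if line.upper().startswith(".END"):    # end of overrides
            break
        for key, value in re.findall(r"([A-Za-z0-9]+)=([^,\s]+)", line):
            params[key.upper()] = value.upper()  # simplification: last value kept
    return params

def audit_command_security(text):
    """Report whether command security is active and which gaps remain."""
    params = {**DEFAULTS, **parse_sit_overrides(text)}
    xcmd, cmdsec = params["XCMD"], params["CMDSEC"]
    findings = []
    if xcmd == "NO":
        active, profiles = False, None
        findings.append("XCMD=NO: command security is not active in this region")
        if cmdsec == "ALWAYS":
            findings.append("CMDSEC=ALWAYS cannot take effect while XCMD=NO")
    else:
        active = True
        profiles = ("IBM-supplied classes CCICSCMD/VCICSCMD" if xcmd == "YES"
                    else f"installation-defined class name {xcmd}")
        if cmdsec != "ALWAYS":
            findings.append("CMDSEC is not ALWAYS: only transactions defined "
                            "with CMDSEC=YES are checked")
    return {"active": active, "profiles": profiles, "findings": findings}

# Constructed sample overrides (not taken from a real region).
WEAK = "* command security switched off\nXCMD=NO,\nCMDSEC=ALWAYS,\n.END\n"
HARDENED = "XCMD=YES,\nCMDSEC=ALWAYS,\n.END\n"
CUSTOM = "XCMD=ACMECMD,\n.END\n"   # ACMECMD is a hypothetical class name

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED), ("CUSTOM", CUSTOM)):
        print(name, audit_command_security(text))
```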