Security for started and XPCT-checked transactions

A CICS® transaction initiated by a terminal user can start other transactions by means of an EXEC CICS START command. Transactions started in this way are known as started transactions, and you can use CICS RACF® security to control who can start other transactions using the START command.

Started transactions are defined in the ACICSPCT and BCICSPCT resource class profiles. These profiles also control access to transactions specified in certain other EXEC CICS commands, if the transaction issuing the command is defined with RESSEC(YES). The commands affected are:

When a transaction issues an EXEC CICS START TRANSID(tranid) command, CICS calls RACF to check that the user of the transaction issuing the command is authorized for the started transaction.

To implement security for started transactions and for transactions checked against the XPCT class:
  1. Specify RESSEC(YES) in the CSD resource definition of the transactions that issue START commands.
  2. Define profiles to RACF in the ACICSPCT or BCICSPCT resource classes (or their equivalent if you have user-defined resource class names) using the name of the started transaction to identify the profiles.
    For example, use the following commands to define a transaction in the ACICSPCT class, and to authorize one user only:
    RDEFINE  ACICSPCT (tran1, tran2, ..., trann) UACC(NONE)
                      NOTIFY(sys_admin_userid)
    PERMIT  tran1 CLASS(ACICSPCT)  ID(userid) ACCESS(READ)
    PERMIT  tran2 CLASS(ACICSPCT)  ID(userid) ACCESS(READ)
    To define started transactions as members of a profile in the started transaction resource group class, with an appropriate access list, use the following commands:
    RDEFINE  BCICSPCT  started_trans  UACC(NONE)
                       ADDMEM(trana, tranb, ..., tranx)
                       NOTIFY(sys_admin_userid)
    PERMIT started_trans  CLASS(BCICSPCT) ID(group_userid) ACCESS(READ)
  3. Specify SEC=YES as a CICS system initialization parameter (and SECPRFX if you define profiles with a prefix).
  4. Specify XPCT=YES for the default resource class names of ACICSPCT and BCICSPCT (or XPCT=class_name for user-defined resource class names).
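
The following Python sketch is an added example, not IBM or CICS code: it models which of the four steps must be in place before a START request is checked at all, and how the profiles from step 2 then decide the result. The access-resolution order (the user's own entry, then the best group entry, then UACC) is a simplified assumption, profile prefixing through SECPRFX is not modelled, and all transaction, user and group names are constructed.

```python
from dataclasses import dataclass, field

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF access, low to high

@dataclass
class Profile:
    name: str                                     # ACICSPCT profile or BCICSPCT group profile
    uacc: str = "NONE"
    members: set = field(default_factory=set)     # ADDMEM list (BCICSPCT only)
    permits: dict = field(default_factory=dict)   # PERMIT ID -> ACCESS

@dataclass
class Region:
    sec: bool                                     # SEC=YES specified
    xpct: bool                                    # XPCT=YES or XPCT=class_name specified
    ressec_yes: set = field(default_factory=set)  # transactions defined with RESSEC(YES)

def granted_access(profile, userid, groups):
    """Assumed order: the user's own entry, else the best group entry, else UACC."""
    if userid in profile.permits:
        return profile.permits[userid]
    held = [profile.permits[g] for g in groups if g in profile.permits]
    return max(held, key=LEVELS.index) if held else profile.uacc

def check_start(region, profiles, issuer, started, userid, groups=()):
    """Return (verdict, reason) for EXEC CICS START TRANSID(started) issued by issuer."""
    if not region.sec:
        return "UNCHECKED", "step 3: SEC=YES not specified"
    if not region.xpct:
        return "UNCHECKED", "step 4: XPCT not specified"
    if issuer not in region.ressec_yes:
        return "UNCHECKED", f"step 1: {issuer} lacks RESSEC(YES)"
    profile = next((p for p in profiles
                    if p.name == started or started in p.members), None)
    if profile is None:
        return "NO_PROFILE", f"step 2: no profile covers {started}"
    access = granted_access(profile, userid, groups)
    verdict = "PERMITTED" if LEVELS.index(access) >= LEVELS.index("READ") else "DENIED"
    return verdict, f"{access} via profile {profile.name}"

# Constructed sample data mirroring the RDEFINE/PERMIT commands in step 2.
PROFILES = [
    Profile("TRN1", permits={"USER1": "READ"}),
    Profile("STARTED_TRANS", members={"TRNA", "TRNB"}, permits={"OPSGRP": "READ"}),
]
REGION = Region(sec=True, xpct=True, ressec_yes={"ORDR"})

if __name__ == "__main__":
    for user, groups, tran in [("USER1", (), "TRN1"), ("USER2", ("OPSGRP",), "TRNA"),
                               ("USER2", ("OPSGRP",), "TRN1"), ("USER1", (), "TRNZ")]:
        print(user, tran, check_start(REGION, PROFILES, "ORDR", tran, user, groups))
```

An UNCHECKED or NO_PROFILE verdict points at the step of the procedure that still needs to be completed for that transaction.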