When CICS® receives
a function-shipped request, the transaction that is invoked is the mirror
transaction. The CICS-supplied
definitions of the mirror transactions all specify resource security checking,
but not command security checking. This means that you are prevented from
accessing the remote resources if either the link or your user profile on
the other system does not have the necessary authority.
If the CICS-supplied definitions of the mirror transactions are not what
your security strategy needs, you can change them by copying the definitions
in group DFHISC into your own group, changing them, and then reinstalling
them. For more information, see Category 2 transactions.
If you include a remote resource in your resource definitions, you can
arrange for security checking to be done locally, just as if the resource
were a local one. Also, the system that owns the resource can be made to apply
an independent check, if it is able to receive the user identifier. You can
therefore choose to apply security restrictions on both sides, on either side,
or not at all.
Note: If you specify the SYSID option on a function-shipped request, security
checking is done in the remote system but is
bypassed in the local system.
Figure 1 summarizes what happens.
Figure 1. Security checking done with and without
SYSID.
This example illustrates what security checking is
done when a transaction in an application-owning region issues a file control
request against a remote file.
- In the application-owning region (AOR), file RFILE is defined as remote,
with a name of LFILE in the file-owning region (FOR). Resource security checking
is active for the transaction that issues the file control request.
- In the FOR, resource security checking is active for the mirror transaction.
There are two cases. In the first case:
- The transaction in the AOR issues EXEC CICS READ FILE('RFILE'). Resource
security checking is performed for file RFILE.
- The request is transmitted to the FOR, where resource security checking
is performed for file LFILE.
In the second case:
- The transaction in the AOR issues EXEC CICS READ FILE('RFILE') specifying
the SYSID option. Resource security checking is not performed for
file RFILE.
- The request is transmitted to the FOR, where resource security checking
is performed for file LFILE.
For programming information on specifying the SYSID option, see the
CICS Application
Programming Reference manual.