Function shipping security with LU6.2

When CICS® receives a function-shipped request, the transaction that is invoked is the mirror transaction. The CICS-supplied definitions of the mirror transactions all specify resource, but not command, security checking. This means that you are prevented from accessing the remote resources if either the link or your userid profile on the other system does not have the necessary authority.

If the CICS-supplied definitions of the mirror transactions are not what your security strategy needs, you can change them by copying the definitions in group DFHISC into your own group, changing them and then reinstalling them. For more information, see Category 2 transactions.

If you include a remote resource in your resource definitions, you can arrange for security checking to be done locally, just as if the resource were a local one. Also, the system that owns the resource can be made to apply an independent check, if it is able to receive the user identifier. You can therefore choose to apply security restrictions on both sides, on either side, or not at all.

Note: Be aware that if you specify the SYSID option on a function-shipped request, security checking is done in the remote system but is bypassed in the local system. Figure 1 summarizes what happens.
Figure 1. Security checking done with and without SYSID. This example illustrates what security checking is done when a transaction in an application-owning region issues a file control request against a remote file.
  • In the application-owning region (AOR), file RFILE is defined as remote, with a name of LFILE in the file-owning region (FOR). Resource security checking is active for the transaction that issues the file control request.
  • In the FOR, resource security checking is active for the mirror transaction.
There are two cases. In the first case:
  1. The transaction in the AOR issues EXEC CICS READ FILE('RFILE'). Resource security checking is performed for file RFILE.
  2. The request is transmitted to the FOR, where resource security checking is performed for file LFILE.
In the second case:
  1. The transaction in the AOR issues EXEC CICS READ FILE('RFILE') specifying the SYSID option. Resource security checking is not performed for file RFILE.
  2. The request is transmitted to the FOR, where resource security checking is performed for file LFILE.

This figure illustrates what resource security checking is performed on file control requests for remote files.
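
The two cases in Figure 1 can be modelled in a short Python sketch that also lists the users for whom specifying SYSID changes the outcome, which is where the FOR-side profile is the only effective control. This is an added example, not IBM-supplied code: the permission tables, the user names and the link userid LINKAOR are constructed, and it assumes the FOR receives the user identifier.

```python
# Constructed sample data: who may READ each file in each region (not real profiles).
AOR_READ = {"RFILE": {"ALICE"}}                     # local check on the remote definition
FOR_READ = {"LFILE": {"ALICE", "BOB", "LINKAOR"}}   # check made under the mirror transaction
REMOTE_NAME = {"RFILE": "LFILE"}                    # RFILE in the AOR is LFILE in the FOR
LINK_USERID = "LINKAOR"                             # hypothetical link userid


def function_ship_read(user, file, sysid=False):
    """Model EXEC CICS READ FILE(file) issued in the AOR.

    Returns (allowed, checks); checks lists (region, resource, passed)
    for every resource security check that was actually performed.
    """
    checks = []
    if not sysid:
        # Case 1: the AOR checks the local name before shipping the request.
        ok = user in AOR_READ.get(file, set())
        checks.append(("AOR", file, ok))
        if not ok:
            return False, checks          # refused locally, never shipped
    # Both cases: the FOR checks the remote name. Access needs both the
    # user and the link to hold the necessary authority.
    remote = REMOTE_NAME[file]
    permitted = FOR_READ.get(remote, set())
    ok = user in permitted and LINK_USERID in permitted
    checks.append(("FOR", remote, ok))
    return ok, checks


def sysid_exposures(users, file):
    """Users refused without SYSID but allowed with it (FOR profile too broad)."""
    return sorted(
        u for u in users
        if not function_ship_read(u, file)[0]
        and function_ship_read(u, file, sysid=True)[0]
    )


if __name__ == "__main__":
    for user in ("ALICE", "BOB", "CAROL"):
        for sysid in (False, True):
            print(user, "SYSID" if sysid else "no SYSID",
                  function_ship_read(user, "RFILE", sysid))
    print("Review FOR access for:", sysid_exposures(["ALICE", "BOB", "CAROL"], "RFILE"))
```

Any user the last line reports is one whose access to LFILE should be reviewed in the FOR, because the AOR restriction does not apply when SYSID is specified.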