You can restrict access by terminal users to specific CICS® regions by
defining CICS APPLID profiles in the RACF® APPL class. For this purpose, the APPLID
of a CICS region is one of the following, depending on its system initialization parameters:
- The VTAM® generic resources name, if GRNAME is specified as a system initialization parameter
- The XRF generic APPLID, if XRF=YES is specified as a system initialization parameter
- The generic APPLID, if one is specified on the APPLID system initialization parameter
- The specific APPLID, if only one APPLID is specified on the APPLID system initialization parameter
If you define a profile in the APPL class for a CICS APPLID, or a generic
profile that covers one or more CICS APPLIDs, with UACC(NONE), every terminal
user trying to sign on to a CICS region must have explicit READ access to the
profile that applies to that region's APPLID, either because the user ID is on
the profile's access list or because a group the user belongs to is. For example:
RDEFINE APPL cics_region_applid UACC(NONE) NOTIFY(sys_admin_userid)
You need to define only one APPL profile name in the RACF database for
all the CICS regions that are members of the same VTAM generic resources name.
All sign-on verifications in a CICSplex, where all the terminal-owning regions have the same
VTAM generic resources name, are made against the same APPL profile.
For MRO only, the APPLID is propagated from the terminal-owning region
(TOR) to the other regions that the user accesses — for example, from
the TOR to the application-owning region (AOR), and from the AOR to the file-owning
region (FOR). As a consequence:
- You do not need to include users of the AOR and FOR in the APPL profiles
for those regions.
- You can force users to sign on through a TOR by denying them access to the
APPLIDs of the other regions.
Use the RACF PERMIT command to add authorized users to the access list
of CICS APPL profiles. For example:
PERMIT cics_region_applid CLASS(APPL) ID(group1,...,groupn) ACCESS(READ)
permits all users defined in the listed groups to sign on to
cics_region_applid.
The APPL class must be active for this protection to be in effect:
SETROPTS CLASSACT(APPL)
Also, for performance reasons, consider RACLISTing the APPL class so that its
profiles are held in storage rather than read from the RACF database on every sign-on.
If the APPL class is already active, refresh the in-storage APPL profiles
with the SETROPTS command:
SETROPTS RACLIST(APPL) REFRESH
Note: - CICS always passes the APPLID to RACF when requesting RACF to perform
user sign-on checks, and there is no mechanism within CICS to prevent this.
- If no APPL profile covers a CICS APPLID, RACF allows the sign-on as if the
profile had UACC(READ); the protection takes effect only once a matching profile exists.
- If the APPL class is active and a profile exists for a CICS region in
the APPL class, ensure that authorized remote CICS regions that connect to it
can still sign on to the region protected in this way.
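The complete command sequence for a constructed CICSplex, as an added example that is not taken from the CICS or RACF documentation: two terminal-owning regions share the VTAM generic resource name CICSGR1, and route work over MRO to an application-owning region with APPLID CICSAOR1 and a file-owning region with APPLID CICSFOR1. The APPLIDs, the RACF groups CICSUSR1 and CICSUSR2, the NOTIFY user SYSADM1 and the remote region user ID CICSRGN1 are assumptions chosen for the example; the `/* ... */` lines are explanatory comments.

```tso
/* Assumed names: CICSGR1, CICSAOR1, CICSFOR1, CICSUSR1, CICSUSR2, SYSADM1, CICSRGN1 */

/* 1. Protect the APPLID that terminal users actually sign on to. Because the  */
/*    TORs share the generic resource name, one profile covers all of them.     */
/*    AUDIT(ALL(READ)) also logs successful sign-ons, not just failures.        */
RDEFINE APPL CICSGR1 UACC(NONE) NOTIFY(SYSADM1) AUDIT(ALL(READ))
PERMIT  CICSGR1 CLASS(APPL) ID(CICSUSR1,CICSUSR2) ACCESS(READ)

/* 2. Protect the AOR and FOR APPLIDs with empty access lists. Over MRO the    */
/*    TOR's APPLID (CICSGR1) is propagated, so terminal users are never checked */
/*    against these profiles; leaving them empty denies direct sign-on and      */
/*    forces users to come in through a TOR.                                    */
RDEFINE APPL CICSAOR1 UACC(NONE) NOTIFY(SYSADM1)
RDEFINE APPL CICSFOR1 UACC(NONE) NOTIFY(SYSADM1)

/* 3. If a remote region's own user ID is signed on to a protected APPLID      */
/*    (the case the third note above warns about), that user ID must be on the  */
/*    access list too. Whether this applies depends on how the connection is    */
/*    secured; CICSRGN1 stands in for such a region user ID.                    */
PERMIT  CICSFOR1 CLASS(APPL) ID(CICSRGN1) ACCESS(READ)

/* 4. Nothing above is enforced until the class is active. Activate and        */
/*    RACLIST it in one SETROPTS, then refresh the in-storage profiles so the   */
/*    new definitions and access lists are the ones RACF consults.              */
SETROPTS CLASSACT(APPL) RACLIST(APPL)
SETROPTS RACLIST(APPL) REFRESH

/* 5. Verify: show each profile with its access list, and list every APPL      */
/*    profile starting with CICS to confirm no other (generic) profile shadows  */
/*    the ones just defined.                                                    */
RLIST  APPL CICSGR1  AUTHUSER
RLIST  APPL CICSAOR1 AUTHUSER
RLIST  APPL CICSFOR1 AUTHUSER
SEARCH CLASS(APPL) MASK(CICS)
```

The RLIST AUTHUSER output is the check worth repeating after any PERMIT: a user who belongs to none of the listed groups and has no individual entry is refused sign-on to CICSGR1, while a sign-on attempt aimed directly at CICSAOR1 or CICSFOR1 is refused for everyone, which is the intended effect of step 2. Until step 4 has run, all of these APPLIDs behave as if they had UACC(READ).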
See the z/OS Security Server RACF Security Administrator's Guide for more information about controlling access
to applications.