For each CICS® region for which you specify SEC=YES, define a RACF® user profile
whose userid matches the value of the system initialization parameter, DFLTUSER. For example, if you specify DFLTUSER=NOTSIGND,
define a RACF user profile named NOTSIGND.
If you do not specify a value for the DFLTUSER parameter, the CICS-supplied
default userid is CICSUSER; in that case, define a RACF user profile named CICSUSER.
Define a different default CICS userid for each CICS region if any of the
following considerations applies:
- The default CICS userid requires different security attributes (such as
membership in RACF groups).
- The default CICS userid requires different operator data (CICS segment
of the RACF user profile).
- The default CICS userid requires a different default language (LANGUAGE
segment of the RACF user profile).
To define a CICS default user with the system initialization parameter
default name (CICSUSER), use the ADDUSER command with the CICS operand, as
follows:
    ADDUSER CICSUSER DFLTGRP(group_id) NAME(user_name)
            OWNER(userid or group)
            PASSWORD(password)
            CICS(OPCLASS(1,2,...,n) OPIDENT(identifier) OPPRTY(priority)
                 TIMEOUT(timeout_value) XRFSOFF(xrf_sign-off_option))
The security administrator should always define the password for default
userids and started tasks, instead of allowing it to default.
Each CICS region should use its own default user, as an aid to debugging.
Set up a RACF default user group to keep the definitions similar.
If you have specified the system initialization parameter XUSER=YES (the default), authorize the
CICS region userid to be a surrogate user of the default userid. For example:
    PERMIT CICSUSER.DFHINSTL CLASS(SURROGAT) ID(cics_region_userid)
During startup, CICS "signs on" the default userid. If the default
user sign-on fails (because, for example, the userid is not defined to RACF),
CICS issues message DFHXS1104 and terminates CICS initialization.
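
The following is an added example, not part of the original documentation or of any IBM tooling: a Python check that reads each region's SIT overrides and lists the RACF user profiles and SURROGAT permits the default user needs, flagging regions that share a default userid. The region names, region userids and the simplified comma-separated SIT text are constructed assumptions, and the sketch expects SEC to be stated explicitly.

```python
# Added example: work out, per CICS region, which RACF definitions the
# default user needs. Region names, userids and SIT text are constructed.
REGIONS = {  # applid: (region userid, SIT overrides in simplified KEY=VALUE form)
    "CICSPRD1": ("CICSRGN1", "SEC=YES,DFLTUSER=NOTSIGND,XUSER=YES"),
    "CICSPRD2": ("CICSRGN2", "SEC=YES"),  # DFLTUSER and XUSER left to default
    "CICSPRD3": ("CICSRGN3", "SEC=YES,DFLTUSER=NOTSIGND,XUSER=NO"),
    "CICSTST1": ("CICSRGN4", "SEC=NO,DFLTUSER=TESTUSR"),
}


def parse_sit(text):
    """Parse 'KEY=VALUE,KEY=VALUE' into a dict with upper-cased keys and values."""
    pairs = (item.split("=", 1) for item in text.split(",") if "=" in item)
    return {key.strip().upper(): value.strip().upper() for key, value in pairs}


def default_user_requirements(regions):
    """Return (user_profiles, surrogate_permits, warnings) for SEC=YES regions."""
    users, permits, warnings, first_use = [], [], [], {}
    for applid in sorted(regions):
        region_userid, sit_text = regions[applid]
        sit = parse_sit(sit_text)
        if sit.get("SEC") != "YES":  # assumption: SEC is always stated explicitly
            continue
        dflt = sit.get("DFLTUSER", "CICSUSER")  # CICS-supplied default userid
        if dflt in first_use:
            warnings.append(f"{applid} shares default userid {dflt} with {first_use[dflt]}")
        else:
            first_use[dflt] = applid
            users.append(dflt)
        if sit.get("XUSER", "YES") == "YES":  # XUSER=YES is the default
            permits.append(f"PERMIT {dflt}.DFHINSTL CLASS(SURROGAT) ID({region_userid})")
    return users, permits, warnings


if __name__ == "__main__":
    users, permits, warnings = default_user_requirements(REGIONS)
    for userid in users:
        print(f"RACF user profile required: {userid}")
    for command in permits:
        print(command)
    for warning in warnings:
        print(f"WARNING: {warning}")
```

Running the check before region startup shows which default userids must already exist in RACF, so a missing profile is found before CICS issues DFHXS1104.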
When CICS successfully signs on a valid RACF userid as the default user,
it establishes the terminal user data for the default user from one of the
following sources:
- The CICS segment of the default user's RACF user profile
- Built-in CICS system default values
See Obtaining CICS-related data for a user for details of the sign-on process for obtaining
CICS terminal operator data.
CICS assigns the security attributes of the default userid to all CICS
terminals before any terminal user begins to sign on. The security attributes
and terminal user data of the default user also apply to any terminals at
which users do not sign on (using either the CICS-supplied CESN transaction
or a user-written equivalent), unless the security has been explicitly preset
by specifying a value for the USERID option in the terminal definition.
Note: If the default user's RACF profile specifies a non-zero TIMEOUT, that value does
not apply to terminals that do not sign on.

CICS also assigns the security attributes of the default userid to any “trigger
level transactions” that are initiated for transient data queues without
a USERID parameter.
Ensure the default userid gives at least the minimum authorities that ought
to be granted to any other terminal user. In particular:
- Give the default user access to the region's APPLID. See Authorizing access to the CICS region.
- Give the default user access to the CICS-supplied transactions that are
intended to be used by everybody. See the definitions in Identifying CICS terminal users,
especially those transactions that are recommended for inclusion in the ALLUSER
example group of transactions.