Security for files

CICS® application programs process files, which, to CICS, are logical views of physical VSAM or BDAM data sets. You identify a file to CICS by an 8-character file name, and you can define many files to CICS that refer to the same physical data set, which is separately identified by a 44-character data set name (DSNAME). For example, you can define file resource definitions called FILEA, FILEB, and FILEC, all of which refer to one physical VSAM data set, but with each file definition specifying different attributes.

CICS transactions access the data in physical data sets using the CICS file control name. Therefore, you control access to CICS-managed files by defining profiles in the RACF® general resource classes for CICS files, not in the RACF data set class. You define the profiles using the CICS 8-character file name to identify the resource. (RACF data set authorization based on the 44-character data set name is used only during OPEN processing, to determine whether the CICS region userid is authorized to access the data set for which the OPEN has been requested. This does not depend on the userid running the transaction that caused the OPEN to be performed.)

To implement security for files managed by CICS file control:
  1. Specify RESSEC(YES) in the CSD resource definition of the transactions that access the files.
  2. Define profiles to RACF in the FCICSFCT or HCICSFCT resource classes (or their equivalent if you have user-defined resource class names), using the CICS file names to identify the profiles. For example, use the following commands to define files in the FCICSFCT class, and authorize users to read from or write to the files:
    RDEFINE  FCICSFCT  (file1, file2, .., filen) UACC(NONE)
                      NOTIFY(sys_admin_userid)
    PERMIT file1 CLASS(FCICSFCT) ID(group1, group2) ACCESS(UPDATE)
    PERMIT file2 CLASS(FCICSFCT) ID(group1, group2) ACCESS(READ)
    To define files as members of a profile in the CICS file resource group class, with an appropriate access list, use the following commands:
    RDEFINE  HCICSFCT  (file_groupname) UACC(NONE)
                       ADDMEM(filea, fileb, .., filez) NOTIFY(sys_admin_userid)
    PERMIT file_groupname CLASS(HCICSFCT) ID(group_userid) ACCESS(UPDATE)
  3. Specify SEC=YES as a CICS system initialization parameter (and SECPRFX if you define profiles with a prefix).
  4. Specify XFCT=YES for the default resource class names of FCICSFCT and HCICSFCT (or XFCT=class_name for user-defined resource class names).
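
The following is an added worked example, not part of the CICS documentation, that carries the FILEA/FILEB/FILEC scenario from the introduction through all four steps. It assumes a region userid CICSPROD, a data set CICS.PROD.CUSTOMER, RACF groups INQGRP and UPDGRP, an administrator SECADM, and a transaction CUST in CSD group CUSTAPP; all of these names are constructed placeholders. The SETROPTS commands at the end are standard RACF administration for activating and refreshing the classes and are not among the four steps listed above.

```tso
/* Added example: securing three CICS file definitions (FILEA, FILEB,   */
/* FILEC) that all refer to one VSAM data set. Every name below is a    */
/* constructed placeholder, not a value from the documentation.          */

/* 1. DATASET class. Only the CICS region userid is checked here, and   */
/*    only at OPEN time; the userid running the transaction is not.      */
ADDSD   'CICS.PROD.CUSTOMER' UACC(NONE)
PERMIT  'CICS.PROD.CUSTOMER' CLASS(DATASET) ID(CICSPROD) ACCESS(UPDATE)

/* 2. FCICSFCT class. The transaction user is authorized by the          */
/*    8-character file name, so the same data set can be exposed         */
/*    read-only through FILEA and read-write through FILEB.              */
RDEFINE FCICSFCT (FILEA FILEB FILEC) UACC(NONE) NOTIFY(SECADM)
PERMIT  FILEA CLASS(FCICSFCT) ID(INQGRP UPDGRP) ACCESS(READ)
PERMIT  FILEB CLASS(FCICSFCT) ID(UPDGRP)        ACCESS(UPDATE)
/*    FILEC gets no PERMIT: with UACC(NONE) every user is denied until   */
/*    an access list entry is added, and SECADM is notified of attempts. */

/* 2a. HCICSFCT grouping class alternative: one profile whose members    */
/*     are the two files the maintenance transactions update.            */
RDEFINE HCICSFCT CUSTFILES UACC(NONE) ADDMEM(FILEB FILEC) NOTIFY(SECADM)
PERMIT  CUSTFILES CLASS(HCICSFCT) ID(UPDGRP) ACCESS(UPDATE)

/* Activate the classes and refresh the in-storage profiles (RACF        */
/* administration assumed here; not one of the page's numbered steps).   */
SETROPTS CLASSACT(FCICSFCT HCICSFCT)
SETROPTS RACLIST(FCICSFCT) REFRESH

/* 1 (CICS side). RESSEC(YES) on each transaction that reads or writes   */
/*    the files, so that CICS performs the resource check at all.        */
CEDA DEFINE TRANSACTION(CUST) GROUP(CUSTAPP) PROGRAM(CUSTPGM) RESSEC(YES)

/* 3 and 4. System initialization parameters for the region:            */
/*    SEC=YES,XFCT=YES                                                    */
/*    (XFCT=class_name instead if user-defined class names are in use;   */
/*    add SECPRFX=YES only if the profiles carry a userid prefix).        */
```

The point the example makes concrete is the separation stated above: INQGRP members can run CUST and read through FILEA but are denied on FILEB and FILEC even though all three are the same physical data set, while the DATASET profile matters only for the region userid at OPEN. A transaction without RESSEC(YES), or a region started without SEC=YES and XFCT=YES, bypasses the FCICSFCT/HCICSFCT checks entirely, so those settings are the first thing to verify when access appears to succeed unexpectedly.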

Note that RDO transactions do not use file commands to access the CSD and are therefore not subject to these mechanisms.