Category 2 transactions

Category 2 transactions are either initiated by the terminal user or associated with a terminal. Restrict the authority to initiate these transactions to userids that belong to specific RACF® groups.

In the CICS® resource definitions, the IBM®-supplied transactions are defined with the recommended RESSEC and CMDSEC options. In particular, CECI, CEDF, CEMT, CEST, and CIRP are all supplied with RESSEC(YES) and CMDSEC(YES), and the mirror transactions are defined with RESSEC(YES). If you need to change any of these definitions, do so by copying them to another group. Changing the supplied definitions of any other transactions is not recommended.

For most category 2 transactions, it is recommended that you specify the following to RACF:
It is unlikely that you will want to give all users access to all of the transactions in this category, so consider defining them in several subcategories. In the examples that follow, the category 2 transactions are further subdivided into a number of groups. These groupings are only examples; group CICS transactions in whatever way best suits your installation's needs.

The sample CLIST DFH$CAT2 (in library CICSTS31.CICS.SDFHSAMP) can help you define the category 2 profiles to RACF. If you want to use this example setup, review this CLIST and make the changes necessary for your installation before running it. If you want to use a different setup, you can adapt this CLIST, or provide your own.

Figure 1 shows how to use RDEFINE and PERMIT commands to define the example groups for category 2 transactions.

Figure 1. Example of defining groups for category 2 transactions
RDEFINE GCICSTRN SYSADM UACC(NONE)
         ADDMEM(CCRL,CDBC,CEMT,CETR,CEDA,CIND,CESD,CREA)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   SYSADM  CLASS(GCICSTRN) ID(sysgrp1,..,sysgrpz) ACCESS(READ)
RDEFINE GCICSTRN DEVELOPER UACC(NONE)
         ADDMEM(CADP,CEDF,CEBR,CECI,CECS,CEDB,CEDX)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   DEVELOPER  CLASS(GCICSTRN) ID(devgrp1,..,devgrpz) ACCESS(READ)
RDEFINE GCICSTRN INQUIRE UACC(NONE)
         ADDMEM(CDBI,CEDC,CREC)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   INQUIRE  CLASS(GCICSTRN) ID(inqgrp1,..,inqgrpz) ACCESS(READ)
RDEFINE GCICSTRN OPERATOR UACC(NONE)
         ADDMEM(CWTO,CRTE,CMSG,CEST,CEOT,CIDP,CSFE,DSNC,CBAM)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   OPERATOR  CLASS(GCICSTRN) ID(opsgrp1,..,opsgrpz) ACCESS(READ)
RDEFINE GCICSTRN DBCTL UACC(NONE)
         ADDMEM(CDBC,CDBI,CDBM,CDBT)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   DBCTL  CLASS(GCICSTRN) ID(dbctgrp1,..,dbctgrpz) ACCESS(READ)
RDEFINE GCICSTRN INTERCOM UACC(NONE)
         ADDMEM(CEHP,CEHS,CPMI,CSHR,CSMI,CSM1,CSM2,CSM3,CSM5,CVMI,CDFS,CTIN)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   INTERCOM  CLASS(GCICSTRN) ID(intrgrp1,..,intrgrpz) ACCESS(READ)
RDEFINE GCICSTRN ALLUSER UACC(READ)
         ADDMEM(CMAC,CRTX,CSGM)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   ALLUSER  CLASS(GCICSTRN) ID(allrgrp1,..,allrgrpz) ACCESS(READ)
RDEFINE GCICSTRN WEBUSER UACC(NONE)
         ADDMEM(CWBA)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   WEBUSER  CLASS(GCICSTRN) ID(webgrp1,..,webgrpz) ACCESS(READ)
RDEFINE GCICSTRN RPCUSER UACC(NONE)
         ADDMEM(CRPA,CRPC,CRPM)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   RPCUSER  CLASS(GCICSTRN) ID(rpcgrp1,..,rpcgrpz) ACCESS(READ)
RDEFINE GCICSTRN IIOPUSER UACC(NONE)
         ADDMEM(CIRP)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   IIOPUSER  CLASS(GCICSTRN) ID(iiopgrp1,..,iiopgrpz) ACCESS(READ)
RDEFINE GCICSTRN AFFINITIES UACC(NONE)
         ADDMEM(CAFF,CAFB)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   AFFINITIES  CLASS(GCICSTRN) ID(affngrp1,..,affngrpz) ACCESS(READ)
RDEFINE GCICSTRN PIPEUSER UACC(NONE)
         ADDMEM(CPIH,CPIL,CPIQ,CPIA)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   PIPEUSER  CLASS(GCICSTRN) ID(pipeline_access_list) ACCESS(READ)
Note:
  1. With RESSEC(YES) and CMDSEC(YES) defined for these transactions, you must ensure that the user groups authorized to use the transactions are also authorized to access the CICS resources and commands that the transactions use.
  2. If you protect a resource with a resource group profile, you should avoid protecting the same resource with another profile. If the profiles are different (for example, if they have different access lists), RACF merges the profiles for use during authorization checking. Not only can the merging have a performance impact, but it can be difficult to determine exactly which access authority applies to a particular user. (See the z/OS Security Server RACF Security Administrator's Guide for further information.)
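The overlap that note 2 warns about can be checked mechanically before the commands are run. The Python script below is an added example, not part of the CICS documentation or the DFH$CAT2 CLIST: it parses RDEFINE/ADDMEM and PERMIT statements laid out as in Figure 1 (the embedded sample is a constructed subset of that figure with placeholder RACF group ids) and reports every transaction that is a member of more than one GCICSTRN grouping profile, as CDBC and CDBI are in Figure 1, together with any profile whose UACC is not NONE.

```python
"""Audit GCICSTRN grouping profiles for overlapping members (added example, not from
the CICS documentation or the DFH$CAT2 CLIST). It parses RDEFINE/ADDMEM and PERMIT
statements laid out as in Figure 1 and reports transactions that belong to more than
one resource group profile (RACF merges such profiles during authorization checking,
which makes the effective access hard to reason about) and profiles with UACC not NONE."""
import re
from collections import defaultdict

# Constructed sample: a subset of Figure 1; the RACF group ids are placeholders.
SAMPLE = """
RDEFINE GCICSTRN SYSADM UACC(NONE)
         ADDMEM(CCRL,CDBC,CEMT,CETR,CEDA,CIND,CESD,CREA)
PERMIT   SYSADM  CLASS(GCICSTRN) ID(SYSGRP1) ACCESS(READ)
RDEFINE GCICSTRN INQUIRE UACC(NONE)
         ADDMEM(CDBI,CEDC,CREC)
PERMIT   INQUIRE  CLASS(GCICSTRN) ID(INQGRP1) ACCESS(READ)
RDEFINE GCICSTRN DBCTL UACC(NONE)
         ADDMEM(CDBC,CDBI,CDBM,CDBT)
PERMIT   DBCTL  CLASS(GCICSTRN) ID(DBCTGRP1,DBCTGRP2) ACCESS(READ)
RDEFINE GCICSTRN ALLUSER UACC(READ)
         ADDMEM(CMAC,CRTX,CSGM)
"""

# \s+ spans the line break, so ADDMEM may sit on an indented continuation line as in Figure 1.
RDEF = re.compile(r"RDEFINE\s+GCICSTRN\s+(\w+)\s+UACC\((\w+)\)\s+ADDMEM\(([^)]*)\)", re.I)
PERM = re.compile(r"PERMIT\s+(\w+)\s+CLASS\s*\(GCICSTRN\)\s+ID\(([^)]*)\)", re.I)

def parse_profiles(text):
    """Return {profile: {'uacc': str, 'members': set, 'ids': set}} from RACF command text."""
    profiles = {}
    for m in RDEF.finditer(text):
        members = {t.strip().upper() for t in m.group(3).split(",") if t.strip()}
        profiles[m.group(1).upper()] = {"uacc": m.group(2).upper(), "members": members, "ids": set()}
    for m in PERM.finditer(text):  # attach each PERMIT access list to its profile
        prof = profiles.get(m.group(1).upper())
        if prof is not None:
            prof["ids"].update(i.strip().upper() for i in m.group(2).split(","))
    return profiles

def overlapping_members(profiles):
    """Map each transaction held by more than one grouping profile to the sorted profile names."""
    owners = defaultdict(set)
    for name, prof in profiles.items():
        for tran in prof["members"]:
            owners[tran].add(name)
    return {t: sorted(p) for t, p in owners.items() if len(p) > 1}

def open_profiles(profiles):
    """Profiles whose UACC grants access beyond the PERMIT list (anything other than NONE)."""
    return sorted(n for n, p in profiles.items() if p["uacc"] != "NONE")
```

Run it against the full Figure 1 text (or the output of your own CLIST) instead of SAMPLE to see every transaction that the example grouping defines twice.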
Table 1 lists the category 2 transactions.
Table 1. Category 2 transactions
Transaction  CSD group  Program invoked  Description
CADP         DFHDP      DFHDPLU          Application debugging profile manager
CIDP         DFHDP      DFHDPIN          Inactivate debugging profiles utility
CREA         DFHADST    DFHADDRM         Request Model creation transaction
CREC         DFHADST    DFHADDRM         Request Model creation transaction
CTIN         DFHCLNT    DFHZCT1          CICS client CTIN transaction
CMAC         DFHCMAC    DFHCMAC          Displays CICS messages online
CWTO         DFHCONS    DFHCWTO          Writes to console operator
CDBC         DFHDBCTL   DFHDBME          DBCTL interface menu transaction
CDBI         DFHDBCTL   DFHDBIQ          DBCTL interface inquiry transaction
CDBM         DFHDBCTL   DFHDBMP          DBCTL operator transaction
CDBT         DFHDBCTL   DFHDBDSC         DBCTL interface disconnection transaction
DSNC         DFHDB2     DFHD2CM1         DB2® attachment facility transaction
CEDF         DFHEDF     DFHEDFP          Provides execution diagnostic facility
CEDX         DFHEDF     DFHEDFP          Execution diagnostic facility for non-terminal tasks
CEBR         DFHEDF     DFHEDFBR         Browse temporary storage
CSFE         DFHFE      DFHFEP           Tests field engineering terminal
CIRP         DFHIIOP    DFJIIRP          IIOP request processor
CIND         DFHINDT    DFHINDT          Provides the in-doubt test tool
CECI         DFHINTER   DFHECIP          CICS command interpreter
CECS         DFHINTER   DFHECSP          Checks CICS command syntax
CDFS         DFHISC     DFHDFST          Dynamic starts with interval
CEHP         DFHISC     DFHCHS           Provides CICS OS/2 remote server mirror
CEHS         DFHISC     DFHCHS           Provides CICS/VM remote server mirror
CPMI         DFHISC     DFHMIRS          Provides CICS OS/2 LU6.2 mirror
CRTE         DFHISC     DFHRTE           Provides start transaction routing session
CRTX         DFHISC     N/A              Provides default dynamic routing transaction
CSHR         DFHISC     DFHMIRS          Scheduler services remote routing
CSMI         DFHISC     DFHMIRS          Provides ISC mirror transaction
CSM1         DFHISC     DFHMIRS          Provides ISC SYSMSG model
CSM2         DFHISC     DFHMIRS          Provides ISC scheduler model
CSM3         DFHISC     DFHMIRS          Provides ISC queue model
CSM5         DFHISC     DFHMIRS          Provides ISC DL/I model
CVMI         DFHISC     DFHMIRS          Provides LU6.2 synclevel 1 mirror
CMSG         DFHMSWIT   DFHMSP           Provides message switching
CEMT         DFHOPER    DFHEMTP          Processes master terminal command
CBAM         DFHOPER    DFHECBAM         BTS objects browser
CEOT         DFHOPER    DFHEOTP          Inquires on user's own terminal status
CEST         DFHOPER    DFHESTP          Processes supervisor terminal command
CETR         DFHOPER    DFHCETRA         Provides inquire and set trace options
CCRL         DFHOPER    DFHSOCRL         CICS certificate revocation list transaction
CRPA         DFHRPC     DFHRPAS          ONC/RPC Alias transaction
CRPC         DFHRPC     DFHRPC00         ONC/RPC Update transaction
CRPM         DFHRPC     DFHRPMS          ONC/RPC Server controller
CESD         DFHSDAP    DFHCESD          Provides shutdown assist transaction
CEDA         DFHSPI     DFHEDAP          Provides resource definition online—full
CEDB         DFHSPI     DFHEDAP          Provides resource definition online—restricted
CEDC         DFHSPI     DFHEDAP          Views resource definition online
CSGM         DFHVTAM    DFHGMM           Provides CICS good morning message
CWBA         DFHWEB     DFHWBA           CICS web support alias transaction
CPIH         DFHPIPE    DFHPIDSH         CICS Pipeline HTTP inbound router
CPIL         DFHPIPE    DFHPILSQ         SOAP MQ inbound listener
CPIQ         DFHPIPE    DFHPIDSQ         SOAP MQ inbound router
CPIA         DFHPIPE    DFHPITE          Invokes CPIS from the terminal