A CICS® transaction initiated by a terminal user can start other transactions
by means of an EXEC CICS START command. Transactions started in this way are
known as started transactions, and you can use CICS RACF® security to control who can start other transactions using the START
command.
Started transactions are defined in the ACICSPCT and BCICSPCT resource
class profiles. These profiles also control access to transactions specified
in certain other EXEC CICS commands, if the transaction issuing the command
is defined with RESSEC(YES). The commands affected are:
- COLLECT STATISTICS TRANSACTION
- DISCARD TRANSACTION
- INQUIRE TRANSACTION
- SET TRANSACTION
- INQUIRE REQID
- CANCEL
When a transaction issues an EXEC CICS START TRANSID(tranid) command, CICS calls RACF to check that the user of the transaction
issuing the command is authorized for the started transaction.
To implement security for started transactions and for transactions checked
against the XPCT class:
- Specify RESSEC(YES) in the CSD resource definition of the transactions
that issue START commands.
- Define profiles to RACF in the ACICSPCT or BCICSPCT resource classes (or their equivalent if you have user-defined
resource class names) using the name of the started transaction to identify
the profiles.
For example, use the following commands to define a transaction
in the ACICSPCT class, and to authorize one user only:

    RDEFINE ACICSPCT (tran1, tran2, ..., trann) UACC(NONE) NOTIFY(sys_admin_userid)
    PERMIT tran1 CLASS(ACICSPCT) ID(userid) ACCESS(READ)
    PERMIT tran2 CLASS(ACICSPCT) ID(userid) ACCESS(READ)

To define started transactions as members of a profile in the started transaction resource
group class, with an appropriate access list, use the following commands:

    RDEFINE BCICSPCT started_trans UACC(NONE) ADDMEM(trana, tranb, ..., tranx) NOTIFY(sys_admin_userid)
    PERMIT started_trans CLASS(BCICSPCT) ID(group_userid) ACCESS(READ)

- Specify SEC=YES as a CICS system initialization parameter (and
SECPRFX if you define profiles with a prefix).
- Specify XPCT=YES for the default resource class names of ACICSPCT and
BCICSPCT (or XPCT=class_name for user-defined resource class names).
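
The following added example (not IBM, CICS or RACF code) is a simplified Python model of how the four settings above combine, useful for reviewing a region definition for START commands that would go unchecked. The prefix CICSA, the transaction names, the user and group IDs and the function name check_start are hypothetical; the model assumes each name is covered by one profile, that profiles carry the prefix when one is in use, and that a transaction with no covering profile is refused.

```python
# Added example: simplified model of the started-transaction check (not CICS or RACF code).
# Generic profiles are not modelled; each name is assumed to be covered by one profile.
from dataclasses import dataclass, field

@dataclass
class Profile:
    uacc: str = "NONE"                          # UACC(NONE), as in the RDEFINE examples
    permits: set = field(default_factory=set)   # IDs given ACCESS(READ) by PERMIT
    members: set = field(default_factory=set)   # ADDMEM list (BCICSPCT profiles only)

@dataclass
class Region:
    sec: bool                                   # SEC=YES -> True
    xpct: bool                                  # XPCT=YES -> True
    prefix: str = ""                            # resolved SECPRFX prefix, "" if none
    acicspct: dict = field(default_factory=dict)
    bcicspct: dict = field(default_factory=dict)

def check_start(region, issuer_ressec, ids, tranid):
    """Model EXEC CICS START TRANSID(tranid); ids = user ID plus connected groups."""
    if not region.sec:
        return "UNCHECKED", "SEC=NO"
    if not region.xpct:
        return "UNCHECKED", "XPCT=NO"
    if not issuer_ressec:
        return "UNCHECKED", "issuing transaction is RESSEC(NO)"
    name = f"{region.prefix}.{tranid}" if region.prefix else tranid
    profile = region.acicspct.get(name) or next(
        (p for p in region.bcicspct.values() if name in p.members), None)
    if profile is None:
        return "DENIED", f"no profile covers {name}"   # model assumption
    if profile.uacc == "READ" or profile.permits & set(ids):
        return "ALLOWED", f"READ access to {name}"
    return "DENIED", f"{name}: UACC(NONE) and no permitted ID"

# Constructed sample region: prefix, transaction names and IDs are all hypothetical.
SAMPLE = Region(sec=True, xpct=True, prefix="CICSA",
    acicspct={"CICSA.TRN1": Profile(permits={"USER1"})},
    bcicspct={"STARTED1": Profile(permits={"GRP1"},
                                  members={"CICSA.TRNA", "CICSA.TRNB"})})

if __name__ == "__main__":
    for ressec, ids, tran in [(True, ["USER1"], "TRN1"), (True, ["USER2"], "TRN1"),
                              (True, ["USER2", "GRP1"], "TRNA"), (False, ["USER2"], "TRN1")]:
        print(tran, ids, "RESSEC(YES)" if ressec else "RESSEC(NO)",
              *check_start(SAMPLE, ressec, ids, tran))
```

An UNCHECKED result marks a START that is issued without any call to RACF, which is the case to look for when auditing transaction definitions and system initialization parameters.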