USRDELAY

The USRDELAY system initialization parameter specifies the maximum time, in the range 0 - 10080 minutes (up to seven days), that an eligible user ID and its associated attributes are to be retained in the CICS region after use. A user ID that is retained in the user table can be reused.

USRDELAY={30|number}

For a user ID to be retained in the CICS region and eligible for reuse in the USRDELAY period, one of the following statements must apply to the user ID:
  • The user ID was received from remote systems.
  • The user ID was specified on the SECURITYNAME attribute in the CONNECTION resource.
  • The user ID was specified on the USERID attribute in the SESSIONS resource.
  • The user ID was specified on the USERID attribute in the definition of an intrapartition transient data queue.
  • The user ID was specified on the USERID option on a START command.
  • The user ID was specified on the USERID attribute for a non-terminal task, such as the alias tasks that are attached for processing HTTP requests.

Within the USRDELAY period, a user ID in any one of these categories can be reused in one of the other categories, provided that the request for reuse has the same qualifiers. If a user ID is qualified by a different group ID, APPLID, or terminal ID, a retained entry is not reused, except when changing the terminal ID on LU6.2 when the retained entry is used.

If a user ID is unused for more than the USRDELAY limit, it is removed from the system, and the message DFHUS0200 is issued. You can suppress this message in an XMEOUT global user exit program.

If you specify USRDELAY=0, all eligible user IDs are deleted immediately after use and cannot be reused. With USRDELAY=0 set, the message DFHUS0200 is not issued.

When you specify USRDELAY=0, CICS drives a full sign-on for each incoming request (with I/O to the external security manager) and a full sign-off at the end of each transaction. This setting provides the highest level of security, but in some scenarios performance might be a higher priority. For example, if the CICS region communicates with other CICS regions and the connections carry high volumes of transaction routing or function shipping activity, multiple instances of sign-on and sign-off might be required for a single task. Select a USRDELAY value that gives the optimum balance of performance and security for the type of work carried out in each CICS region.

When SECVFYFREQ=USRDELAY is set, CICS makes a full verification request for a user ID when the user logs on after the USRDELAY interval has expired. CICS also applies a maximum limit of one day between full verification requests at user login.

When a value other than 0 is specified for USRDELAY, it becomes more difficult to change the attributes of a user or to revoke a user ID, because the user ID and its attributes are retained in the region until the USRDELAY period has expired. For example, if you have specified USRDELAY=30, but a user ID continues to run transactions every 25 minutes, the USRDELAY period never expires for that user ID and any changes made to the user ID never come into effect.
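
The retention rule above can be replayed as a simplified model to see when a change to a user ID would first be picked up; this is an added example, not IBM code and not part of the original page. The user ID BATCH01 and its qualifier values are constructed, and the model assumes expiry is checked only when a request arrives, ignores the LU6.2 terminal ID exception, and ignores any notification of RACF profile changes.

```python
# Simplified model of USRDELAY retention (added example, not IBM code).
# Constructed sample: one user ID running a transaction every 25 minutes.
SAMPLE = [(m, "BATCH01", ("GRP1", "APPL1", "T001")) for m in range(0, 250, 25)]

def simulate(usrdelay_min, requests):
    """Replay (minute, userid, qualifiers) requests, sorted by minute.

    Returns (events, expired). events is a list of (minute, userid, kind),
    where kind is "FULL" (a new entry was needed) or "REUSE" (a retained
    entry was used). expired counts entries removed after being idle for
    more than USRDELAY, the condition under which DFHUS0200 is issued.
    """
    retained = {}   # (userid, qualifiers) -> minute of last use
    events = []
    expired = 0
    for minute, userid, quals in requests:
        # Drop entries that were unused for more than the USRDELAY limit.
        for key in [k for k, t in retained.items() if minute - t > usrdelay_min]:
            del retained[key]
            expired += 1
        # Reuse needs the same user ID and the same qualifiers
        # (group ID, APPLID, terminal ID).
        key = (userid, quals)
        events.append((minute, userid, "REUSE" if key in retained else "FULL"))
        # USRDELAY=0: the entry is deleted immediately after use.
        if usrdelay_min > 0:
            retained[key] = minute
    return events, expired

def first_refresh(events, userid, change_minute):
    """Minute of the first FULL sign-on for userid at or after change_minute.

    None means the retained entry was never dropped, so under this model a
    change made at change_minute is never picked up.
    """
    return next((m for m, u, k in events
                 if u == userid and k == "FULL" and m >= change_minute), None)

if __name__ == "__main__":
    for delay in (30, 20, 0):
        events, expired = simulate(delay, SAMPLE)
        full = sum(1 for e in events if e[2] == "FULL")
        print(f"USRDELAY={delay}: full={full} reuse={len(events) - full} "
              f"expired={expired} change at minute 60 picked up at "
              f"{first_refresh(events, 'BATCH01', 60)}")
```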

If you previously specified low values for the USRDELAY system initialization parameter in your CICS regions to ensure that CICS detected changes to RACF profiles quickly, you might want to increase this value, because CICS is notified immediately if RACF® profile changes occur. The primary impact of a high USRDELAY value is that the amount of storage used for RACF control blocks is increased.

For more information on the effects of setting SECVFYFREQ=USRDELAY, you can refer to a formatted CICS® system dump. In the formatted system dump for the US component, the USER DOMAIN SUMMARY contains the following counts:
  • VRFY PASSWORD num: the total number of verify requests processed by User Domain
  • SECVFYFREQ ADDs: the number of verify requests, when SECVFYFREQ=USRDELAY, that add a user ID to the system. If a user ID is unused for more than the USRDELAY limit, it is removed from the system and a subsequent verify request leads to another add request.
  • SECVFYFREQ AUTHs: the number of verify requests, when SECVFYFREQ=USRDELAY, that made RACF record the date and time of last access for the user ID, and write user statistics. This occurs when the user logs on after the USRDELAY interval has expired. CICS also applies a maximum limit of one day between full verification requests at user login.

In the formatted system dump for the XS component, the SECURITY DOMAIN SUMMARY contains the following counts:
  • Inquire password count: the total number of inquire password requests processed by Security Domain.
  • Inquire password fastpath count: the total number of inquire password requests that used the fastpath mechanism.

A difference between the Inquire password count and the Inquire password fastpath count indicates that full verification requests were required. This might be because attempts at password verification have failed, because a PassTicket was used, or because SECVFYFREQ=USRDELAY is set.

Note: All the counts described begin when CICS is initialized and are not reset while the region is running.