Authorizing access to an SMSVSAM server
If you plan to run CICS® with VSAM record-level sharing (RLS), you must authorize each region that connects to an SMSVSAM server to have access to that server.
In a test environment you might want to use the default action and allow any CICS region using VSAM RLS to connect to an SMSVSAM server. If you want to protect this access, the RACF® SUBSYSNM general resource class must be active and you must authorize each CICS region that connects to an SMSVSAM server to have access to that server. This means granting access to the appropriate profile in the RACF SUBSYSNM general resource class. You define profiles in the SUBSYSNM resource class to control access by subsystems like CICS that want to connect to SMSVSAM.
A SUBSYSNM profile name is the name by which a given subsystem, such as CICS, is known to VSAM. For CICS regions, you must use the CICS applid as the profile name in the SUBSYSNM general resource class.
When CICS attempts to register the control ACB during CICS initialization, SMSVSAM calls RACF to check that the CICS region user ID is authorized to a profile name in the SUBSYSNM class that matches the CICS applid. If the CICS region user ID does not have READ authority, the register fails.
RDEFINE SUBSYSNM CICSDAA1 UACC(NONE) NOTIFY(userid)
PERMIT CICSDAA1 CLASS(SUBSYSNM) ID(CICSDA##) ACCESS(READ)
PERMIT CICSD%%% CLASS(SUBSYSNM) ID(CICSDGRP) ACCESS(READ)