CICS BAC support for CICS EXCI security

CICS® BAC uses the external CICS interface (EXCI) provided by CICS whenever it determines that a request is to be serviced by the CICS BAC request server running in a target CICS region. This happens when CICS BAC is active in the target CICS region and a request from the batch request utility, the file maintenance utility, or the ISPF administration interface is passed over an EXCI link to the target CICS region.

When CICS processes an EXCI command, the type of security checking performed depends on the ATTACHSEC value provided on the generic EXCI CONNECTION definition used by CICS BAC. If you have specified ATTACHSEC(LOCAL), the CICS region performs link security checking against requests from CICS BAC. If you have specified ATTACHSEC(IDENTIFY), the CICS region performs user security checking against the user ID provided by the CICS BAC. In each case, CICS BAC uses the user ID associated with the origin of the request as described above. Therefore, you must ensure that the user ID associated with the CICS BAC EXCI request has sufficient authority with regard to transaction and resource security definitions in the target CICS region. This ensures that the CICS BAC request server is able service the request in the target CICS region.

CICS security does not apply, of course, when CICS BAC is not active in the target CICS region, or the target CICS region is not available. In this case, the request is serviced directly against the CICS region control file by the batch request utility, or file maintenance utility, as appropriate.

CICS BAC internal security checking as described the earlier part of this chapter is always performed before an EXCI request is issued.

See the CICS External Interfaces Guide for more information regarding EXCI security and the CICS RACF Security Guide for more information about CICS transaction and resource security checking.