Security checking for data tables
Shared data tables perform security checks at LOGON or CONNECT time to provide security when cross-memory services are used. You should consider the implications of the security checks before sharing a file that is associated with a data table.
Shared data tables must ensure that:
- The FOR cannot be impersonated. This is prevented by checking at LOGON time that the FOR is allowed to log on with the specified generic applid of the CICS® region.
- An AOR cannot gain access to data that it is not supposed to see. This is prevented by checking at CONNECT time that the AOR is allowed access to the FOR and, if file security is in force, that the AOR is allowed access to the requested file.
These security checks are performed by using the system authorization facility (SAF) to call the Resource Access Control Facility (RACF®) or an equivalent security manager.
Note: A region is still able to use data tables locally even if it
does not have authority to act as a shared data table server.
Shared data table support reproduces the main characteristics of function-shipping security that
operate at the region level, but the following differences should be noted:
- Shared data table support does not provide any mechanism for the FOR to perform security checks at the transaction level (the equivalent of ATTACHSEC(IDENTIFY) or ATTACHSEC(VERIFY)). Therefore, if you consider that the transaction-level checks performed by the AOR are inadequate for some files, you must ensure that those files are not associated with data tables in the FOR.
- Shared data table support does not support preset security.
- Shared data table support does not pass any installation parameter list (INSTLN) information to the security user exits.
For a description of the steps required to implement shared data table security, see RACF classes for protecting system resources.