XRES

The XRES system initialization parameter specifies whether you want CICS® to perform resource security checking for particular CICS resources and optionally specifies the resource class name in which you have defined the resource security profiles.

Defining XRES

You can define the XRES system initialization parameter in the following ways:
  • In the PARM parameter of the EXEC PGM=DFHSIP statement.
  • In the SYSIN data set of the CICS startup job stream.
  • By using a DFHSIT macro.
You cannot define the XRES system initialization parameter through the system console.

Values for XRES

Valid values for the XRES system initialization parameter are as follows:

XRES={YES|name|NO}
YES is the default value for XRES.

You can specify the XRES parameter in the SIT, PARM, or SYSIN only. If you specify YES, or a general resource class name, CICS calls RACF® to verify that the user ID associated with a transaction is authorized to use the resource. This checking is performed every time a transaction tries to access a resource.

The actual profile name passed to RACF is the name of the resource to be checked, prefixed by its resource type; for example, for a document template whose resource definition is named “WELCOME", the profile name passed to RACF is DOCTEMPLATE.WELCOME. Even if a command references the document template using its 48-character template name, the shorter name (up to 8 characters) of the DOCTEMPLATE resource definition is always used for security checking.

The checking is performed only if the SEC=YES system initialization parameter is in use and the RESSEC(YES) option is specified in the TRANSACTION resource definition. For information on how resource security can provide a further level of security to transaction security, see Resource security.

YES
CICS calls RACF, using the default CICS resource class name of RCICSRES, to check whether the user ID associated with a transaction is authorized to use the resource it is trying to access. The general resource class name is RCICSRES and the resource group class name is WCICSRES.
name
CICS calls RACF, using the specified resource class name prefixed by the letter R, to check whether the user ID associated with a transaction is authorized to use the resource it is trying to access. The general resource class name is Rname and the resource group class name is Wname. The resource class name specified must be 1 through 7 characters.
NO
CICS does not perform any security checks for resources, allowing access to any user.

For a list of commands subject to XRES resource class checks, together with their respective profiles, see Resource and command check cross reference.