Resource security
Resource security provides an additional layer of security in addition to transaction security. It controls access to the resources, such as files, queues, or programs, that are used by the transaction.
Unlike transaction security that cannot be turned off for individual transactions, resource security can be applied at the individual transaction level. You can control access to the resources that are associated with a particular transaction. A user who is authorized to invoke a particular transaction might not be authorized to access some resources used by the transaction, or might have limited access: for example, authority to read but not to update.
System initialization parameters (RESSEC and the set of parameters that start with X, known as the Xnnn parameters) and attributes on a TRANSACTION resource definition control when CICS® issues an authorization request for access to a resource. The Xnnn parameters tell CICS that you want resource security checking on a class of resource: for example, the XFCT system initialization parameter specifies resource security checking for files. For a list of the Xnnn parameters, see Security-related SIT parameters.
CICS checks the authority to access the resource every time that a transaction tries to access it. RESSEC gives you additional flexibility to control resource security at the transaction level. The RESSEC attribute on a TRANSACTION resource specifies that you want resource security to apply to that transaction. The RESSEC system initialization parameter determines whether CICS honors the setting on the TRANSACTION resource definition or overrides it and always performs resource security checking.
The user ID that is used for authorization is the user ID that is associated with the request. For details of user IDs, see How it works: Identification in CICS.
- The user initiates Transaction AP01. Because AP01 is defined to run a program APADD, APADD then issues a request to access a CICS resource.
- CICS checks whether resource security is active for this class of resource (Xnnn parameters).
- CICS checks whether resource security in the transaction resource definition is active, for example:
DFHCSD TRANSACTION(AP01) RESSEC(YES) - CICS checks the SIT parameter RESSEC. If it is set to ALWAYS, the resource security check is always performed regardless of the RESSEC value in the transaction resource definition.
- CICS calls RACF® to determine whether the user has enough access rights for the resource.
- RACF checks the currently active resource profile and returns a yes or no decision to CICS. RACF also logs the activity. If RACF is unable to locate a matching profile, CICS then handles the situation as a negative decision.
- CICS then allows or denies the user access.
CICS and RACF process the authorization request using profiles for each resource in RACF resource classes. You define these profiles either in the default RACF resource classes for CICS or in your own classes. See RACF classes and profiles for resources for more information about the RACF resource classes.
The currently active resource profile is used for authorization checking. To understand this, see Refreshing profiles for SETROPTS RACLIST processing.
- Set the Xnnn system initialization parameter for each class of resource that you want CICS to check.
- Control resource security for individual transactions by setting the RESSEC attribute on the TRANSACTION resource definition.
- Set the RESSEC system initialization parameter to tell CICS whether to honor or override the RESSEC attribute on a TRANSACTION resource definition.
- Set up RACF profiles to specify if a user is authorized to access a resource.