Security-related system initialization parameters

Several system initialization parameters are available for specifying system security requirements.

SEC
The SEC system initialization parameter specifies the level of resource security management you want for your CICS® region. There are two options:
YES
Initializes the CICS external security interface; how CICS security is then applied is controlled by the other security-related system initialization parameters described here.
NO
No security checking is performed, and no user sign-on is available, for users who want to access CICS resources and other resources in this region.
Note: Even if you have specified SEC=NO, with MRO bind-time security, the CICS region user ID is sent to the secondary system, and bind-time checking is carried out in the secondary system. See Bind-time security with MRO for more information.
SECPRFX
This parameter is effective only if you also specify SEC=YES. Use the SECPRFX system initialization parameter to specify whether you want CICS to prefix the resource names that it passes to RACF® for authorization. The prefix that CICS uses is the RACF user ID under which the CICS region is running.

Prefixing is useful mainly when you have more than one CICS region. It enables you to prevent users on one CICS region from accessing the resources of a different CICS region that has a different prefix. For example, you might have one CICS region with the prefix CICSPROD and another with prefix CICSTEST. Users of the CICSTEST system would be able to use profiles that included the CICSTEST prefix, and users of the CICSPROD system would be able to use profiles that included the CICSPROD prefix. Users of both systems would be able to use resources protected by profiles that included CICS*.

The SECPRFX parameter has the following options:
NO
CICS does not prefix the resource names in authorization requests that it passes to RACF from this CICS region.
YES
CICS prefixes the resource names with the CICS region user ID when passing authorization requests to RACF.

To change the prefix that CICS uses with SECPRFX=YES (that is, the user ID under which the region runs), use an ICHRTX00 SAF pre-processing exit. For more information, see When and how CICS determines the userid of the CICS region.

prefix
CICS prefixes the resource names with the specified prefix when passing authorization requests to RACF.
For example, if a CICS job specifies USER=CICSREG on the JOB statement, and SECPRFX=YES is specified, you can define and allow access to the CICS main terminal transaction (CEMT) in the TCICSTRN resource class as follows:
RDEFINE  TCICSTRN  CICSREG.CEMT
         UACC(NONE)   NOTIFY(sys_admin_userid)
PERMIT  CICSREG.CEMT  CLASS(TCICSTRN)
        ID(groupid1,...,groupidn) ACCESS(READ)
You can also use a resource group profile in the GCICSTRN resource class. If you do, specify the prefix on the ADDMEM operand. The following example shows CICSREG specified in a profile named CICSTRANS:
RDEFINE  GCICSTRN  CICSTRANS
         ADDMEM(CICSREG.CEMT)
         UACC(NONE)   NOTIFY(sys_admin_userid)
PERMIT  CICSTRANS  CLASS(GCICSTRN)
        ID(groupid1,...,groupidn) ACCESS(READ)
Note: If you protect a resource with a resource group profile, avoid protecting the same resource with another profile. If the profiles are different (for example, if they have different access lists), RACF merges the profiles for use during authorization checking. Not only can the merging have a performance impact, but it can be difficult to determine exactly which access authority applies to a particular user. For more information see the z/OS Security Server RACF Security Administrator's Guide.
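The following Python model is added here to illustrate the SECPRFX behaviour described above; it is not CICS or RACF code. It builds the TCICSTRN resource name that CICS passes to RACF for each SECPRFX setting (NO, YES, or an explicit prefix) and then asks which of a constructed set of profiles covers that name. The profile names (CICSPROD.CEMT, CICSTEST.CEMT, CICS*.CEMT, CICS*.CEDF), group IDs and region user IDs are constructed for the example, and the matching logic is a simplified model of RACF generic naming: `*` matches within one qualifier, `**` matches whole qualifiers, `%` matches one character, and the most specific matching profile decides access.

```python
"""Model of how SECPRFX shapes the TCICSTRN resource names CICS passes to RACF,
and of which RACF profiles then cover them.  Added illustration, not CICS or
RACF code: the profile names and group IDs are constructed for this example,
and the generic-name matching is a simplified model of RACF's rules."""

# Constructed profile database: profile name -> groups permitted READ access.
# Discrete profiles for each region's CEMT, a generic CICS*.CEMT so the
# most-specific-profile rule can be shown, and a generic CICS*.CEDF shared
# by every region whose user ID starts with CICS.
PROFILES = {
    "CICSPROD.CEMT": {"PRODOPS"},
    "CICSTEST.CEMT": {"TESTOPS"},
    "CICS*.CEMT":    {"SYSPROG"},
    "CICS*.CEDF":    {"DEVS"},
}


def resource_name(tranid, secprfx, region_userid):
    """Resource name CICS passes to RACF for a transaction attach check.
    SECPRFX=NO: bare transaction ID.  SECPRFX=YES: region user ID prefix.
    Any other value is taken literally as the prefix."""
    if secprfx.upper() == "NO":
        return tranid
    if secprfx.upper() == "YES":
        return f"{region_userid}.{tranid}"
    return f"{secprfx}.{tranid}"


def _qualifier_matches(pattern, text):
    """Within one qualifier: '*' matches zero or more characters,
    '%' matches exactly one character, anything else matches itself."""
    if not pattern:
        return text == ""
    if pattern[0] == "*":
        return any(_qualifier_matches(pattern[1:], text[i:])
                   for i in range(len(text) + 1))
    if not text:
        return False
    if pattern[0] == "%" or pattern[0] == text[0]:
        return _qualifier_matches(pattern[1:], text[1:])
    return False


def profile_covers(profile, resource):
    """Qualifier-by-qualifier match; a '**' qualifier matches zero or more
    whole qualifiers.  Simplified model of RACF generic profile matching."""
    pq, rq = profile.split("."), resource.split(".")

    def rec(i, j):
        if i == len(pq):
            return j == len(rq)
        if pq[i] == "**":
            return any(rec(i + 1, k) for k in range(j, len(rq) + 1))
        return (j < len(rq) and _qualifier_matches(pq[i], rq[j])
                and rec(i + 1, j + 1))

    return rec(0, 0)


def _specificity(profile):
    # Fewer wildcard characters = more specific; discrete profiles rank first.
    return (profile.count("**"), profile.count("*"), profile.count("%"))


def authorized(resource, group):
    """True/False when a profile covers the resource (the most specific
    matching profile is used); None when no profile protects it at all."""
    matching = [p for p in PROFILES if profile_covers(p, resource)]
    if not matching:
        return None
    best = min(matching, key=_specificity)
    return group in PROFILES[best]


def check(tranid, secprfx, region_userid, group):
    """Full path: SECPRFX name construction followed by the profile lookup."""
    return authorized(resource_name(tranid, secprfx, region_userid), group)


if __name__ == "__main__":
    for args in [("CEMT", "YES", "CICSTEST", "TESTOPS"),   # True
                 ("CEMT", "YES", "CICSPROD", "TESTOPS"),   # False: other region
                 ("CEMT", "YES", "CICSPROD", "SYSPROG"),   # False: discrete wins
                 ("CEMT", "YES", "CICSQA",   "SYSPROG"),   # True: only generic
                 ("CEDF", "YES", "CICSPROD", "DEVS"),      # True
                 ("CEMT", "NO",  "CICSPROD", "PRODOPS"),   # None: no profile
                 ("CEMT", "PRODA", "CICSPROD", "PRODOPS")]:  # None: no profile
        print(args, "->", check(*args))
```

Two points the model makes visible. First, a region running SECPRFX=NO passes the bare name CEMT, which none of the prefixed profiles cover, so a profile set built for SECPRFX=YES silently leaves that region's transactions unprotected (and the reverse mismatch does the same). Second, because the discrete profile CICSPROD.CEMT is more specific than CICS*.CEMT, a group permitted only on the generic profile is denied CEMT in CICSPROD even though it is allowed in a region with no discrete profile; this is the same precedence behaviour that the note above warns about when resource group profiles overlap other profiles.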
CMDSEC
Use CMDSEC to specify whether CICS is to honor the CMDSEC option specified on each transaction's resource definition. CMDSEC=ASIS means that CICS obeys the CMDSEC option on the transaction definition. CMDSEC=ALWAYS means that CICS ignores the CMDSEC option on the transaction definition and always performs the command security check. For more information about these options, see CMDSEC system initialization parameter.
DFLTUSER
Specify a value for DFLTUSER to identify to CICS the name you have defined to RACF as the default user ID. If you omit this parameter, the name defaults to CICSUSER. See Defining the default CICS user ID to RACF.
ESMEXITS
Use ESMEXITS to specify whether you want CICS to pass installation data for use by the RACF installation exits.
PLTPISEC
Use PLTPISEC to specify whether or not you want CICS to perform command security or resource security checking for PLT programs that run during CICS initialization.
PLTPIUSR
Use PLTPIUSR to specify the userid that CICS is to use for security checking for PLT programs that run during CICS initialization.
PSBCHK
Code PSBCHK to specify whether CICS is to perform PSB authorization checks for remote terminal users who use transaction routing to initiate a transaction in this CICS region (to access an attached IMS system). The default, PSBCHK=NO, checks only the remote link, not the remote user. PSBCHK=YES checks the remote user as well.
RESSEC
Use RESSEC to specify whether or not you want CICS to honor the RESSEC option specified on a transaction's resource definition. RESSEC specified with the option ASIS means that CICS obeys the RESSEC option. RESSEC specified with the option ALWAYS means that CICS ignores the RESSEC option, and always performs the resource check.
SNSCOPE
SNSCOPE, the sign-on scope, applies to all user IDs that sign on by an explicit sign-on request; for example, the EXEC CICS SIGNON command or the CESN transaction. Use SNSCOPE to specify whether a user ID can have more than one CICS session active at the same time, and over what scope that restriction is enforced.

The sign-on scope is enforced with the MVS™ ENQ macro. The SNSCOPE values CICS, MVSIMAGE, and SYSPLEX correspond to the STEP, SYSTEM, and SYSTEMS levels of ENQ scoping (SNSCOPE=NONE performs no check). Because the ENQ is only shared at the level requested, only those CICS systems that specify exactly the same value for SNSCOPE can check the scope of each other.

SNSCOPE affects only users signing on at local terminals, or signing on after using the CRTE transaction to connect to another system.