CMDSEC

The CMDSEC system initialization parameter specifies whether CICS® honors the CMDSEC option that is specified on a transaction's resource definition.

For information about transaction resource definitions, see TRANSACTION resources. For information about command security, see Command security.

Defining CMDSEC

You can define the CMDSEC system initialization parameter in the following ways:
  • In the PARM parameter of the EXEC PGM=DFHSIP statement.
  • In the SYSIN data set of the CICS startup job stream.
  • By using a DFHSIT macro.
You cannot define the CMDSEC system initialization parameter through the system console.

Values for CMDSEC

CMDSEC={ASIS|ALWAYS}
Valid values for the CMDSEC system initialization parameter are as follows:
ASIS
ASIS is the default value for CMDSEC. CICS honors the CMDSEC option that is defined in a transaction's resource definition. CICS calls its command security check routine only when CMDSEC(YES) is specified in a transaction resource definition.
ALWAYS
CICS overrides the CMDSEC option, and always calls its command security check routine to issue the appropriate call to the System Authorization Facility (SAF) interface.
Specify ALWAYS when you want to control the use of the system programming interface (SPI) in all your transactions. This may cause an extra load as CICS issues the command security calls on all eligible EXEC CICS commands, which are all the SPI commands. For a detailed list of EXEC CICS SPI commands, see System commands.
If you specify ALWAYS, command check applies to CICS-supplied category 2 transactions. Authorize all users of these transactions to use any SPI commands that these transactions use; otherwise, you get abends due to security failures. CICS-supplied category 3 transactions do not use SPI commands; therefore, the default user ID does not need to be authorized for SPI commands.