Parameters for specifying command security
In addition to the SEC and SECPRFX system initialization parameters, CICS® provides the XCMD system initialization parameter and the CMDSEC attribute on the TRANSACTION resource definition option to enable you to specify that you want command security.
- XCMD system initialization parameter
Use the XCMD system initialization parameter to specify whether you want command security active in the CICS region, and, optionally, to specify the RACF® resource class name in which you have defined the command security profiles.
If you are using the IBM®-supplied RACF resource class names for CICS command profiles (CCICSCMD and VCICSCMD), specify XCMD=YES. CICS then requests RACF to build the in-storage profiles from these default resource classes.
If you are using installation-defined resource class names for CICS command profiles, specify XCMD=user_class, and CICS requests RACF to build the in-storage profiles from your own installation-defined resource classes.
If you do not want command security in a CICS region, specify XCMD=NO.
- The CMDSEC system initialization parameter
You can force the effect of CMDSEC=YES for all CICS transactions by specifying the CMDSEC=ALWAYS system initialization parameter. The CMDSEC option is recommended for installations that need total control of the system programming commands.
- The CMDSEC transaction definition attribute
- You specify which transactions you want command security to apply to by using the CMDSEC attribute on the TRANSACTION resource definition, as follows:
- You do not want command security checking the transaction.
- You want command security checking on the system programming commands
in Table 1.
For each of these commands issued in a user application or by the CICS-supplied transactions CEMT and CECI, CICS calls RACF to check that the terminal operator who initiated the transaction has authority to use the command for the specified resource.
To view all of the attributes of this resource, see TRANSACTION definition attributes