Category 2 transactions
Category 2 transactions listed here are initiated by CICS users, or are associated with CICS users. For example, a category 2 transaction can be started by an EXEC CICS START command that is initiated by a user running another transaction. Restrict authorizations to initiate these transactions to user IDs that belong to specific RACF® groups.
For the CICS® resource definitions, the supplied transactions are defined with the recommended RESSEC and CMDSEC options. Specifically, CECI, CEDF, CEMT, and CEST are supplied with RESSEC(YES) and CMDSEC(YES). The mirror transactions are defined with RESSEC(YES). To change any of these definitions, copy them to another group. It is not advisable to change the supplied definitions of any other transactions.
Define the RACF transaction profiles for category 2 transactions with:
- UACC(NONE) and AUDIT(FAILURES) in the transaction profile. AUDIT(FAILURES) is the default and does not have to be specified.
- An access list as appropriate, limited to the RACF groups whose members need each transaction.
It is unlikely that users require access to all the transactions in this category, so consider defining the transactions in several subcategories. You can choose to group CICS transactions in the way that best suits the needs of your installation. The following example shows one way that you might group the category 2 transactions.
- SYSADM
- This category contains CCRL, CDBC, CEDA, CEMN, CEMT, CESD, CETR, and CIND.
- JVMUSER
- This category contains CJSA and CJSU.
Note: Depending on your security configuration, transactions CJSA and CJSU might require the CICS default user to have access. For more information, see Security for Java applications, Configuring z/OS Connect for a CICS JSON web service, and Configuring permissions for z/OS Connect Services and APIs.
As a security best practice, turn on Liberty security and avoid using the CICS default user to run application tasks. For the z/OS Connect Service, you can install a URIMAP resource that CICS uses to associate the work for the Service with a specific transaction ID in CICS and with an initial user ID.
CJSA is the default transaction ID for any web request that does not have a matching URI. Consider restricting access to CJSA to prevent any arbitrary application being run.
- DEVELOPER
- This category contains CADP, CEBR, CECI, CECS, CEDB, CEDF, and CEDX.
- INQUIRE
- This category contains CDBI, CEDC, CKBM, CKDL, CKDP, CKQC, CKRT, and CLDM.
- OPERATOR
- This category contains CBAM, CEOT, CEST, CIDP, CKAM, CKBM, CKBP, CKBC, CKBR, CKCN, CKDL, CKDP, CKQC, CKRS, CKRT, CKSD, CMSG, CKSQ, CRTE, CKTI, CSFE, CWTO, and DSNC.
- DBCTL
- This category contains CDBC, CDBI, CDBM, and CDBT.
- INTERCOM
- This category contains CDFS, CEHP, CEHS, CPMI, CSHR, CSMI, CSM1, CSM2, CSM3, CSM5, CTIN, and CVMI.
If you use function shipping, the mirror transactions must be available to the remote users whose requests are shipped. When a database or file is on another CICS region, CICS function ships the request to access the data, and the request runs under one of the CICS-supplied mirror transactions. In this situation, the following conditions apply:
- The terminal user running the application must be authorized to use the mirror transaction. See Transaction security.
- The terminal user must also be authorized to use the data that the mirror transaction accesses. See Resource security. The mirror transactions are supplied with RESSEC(YES) defined, so even if the user's transaction specifies RESSEC(NO), the mirror transaction fails if the user is not authorized to access the data.
If you do not use resource security checking, change the mirror transaction definitions to specify RESSEC(NO). Because the mirror transactions are an IBM-protected resource, first copy these definitions into your own groups and then change them.
For a deferred START request, if the user transaction to be started is eligible for dynamic routing, system transaction CDFS will run and start the user transaction at the specified time. Ensure that security for CDFS is correctly configured.
- WEBUSER
- This category contains CWBA and CW2A.
The CICS default user requires access to the CWBA transaction initially, even if an analyzer program is then used to assign another user ID to the task. Ensure that the CICS default user that is specified in the DFLTUSER system initialization parameter has access to this transaction. If you use the supplied CLIST DFH$CAT2 to create a WEBUSER RACF profile, the default user must have access to this profile.
- RPCUSER
- This category contains CRPA, CRPC, and CRPM.
- CMCIUSER
- This category contains CWWU.
- PIPEUSER
- This category contains CPIH, CPIL, CPIQ, and CPIA.
- EVENTUSER
- This category contains CEPH, CEPQ, CEPR, CEPS, and CEPT.
CEPH, CEPQ, CEPR, CEPS, and CEPT are the default EP adapter transaction IDs used when security checking is required. They are defined with RESSEC(YES) and CMDSEC(YES) options. When these options are not the ones you want, you must specify your own transaction IDs in the adapter tab Advanced Options section of the Event binding editor. For more information, see Specifying EP adapter and dispatcher information.
- ALLUSER
- This category contains CMAC, CRTX, and CSGM.
Define the CICS messages and codes transaction CMAC, and the good morning transaction CSGM (or the transaction that is defined in the GMTRAN system initialization parameter) as UACC(READ) in their own group, because all users need access to them. If your installation uses CSGM, users who are not authorized to use CSGM receive message DFHAC2002 when they attempt to use CICS. Also include your good night transaction in this group, if you defined one with the GNTRAN system initialization parameter.
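The function-shipping rules under INTERCOM above are easy to misread: the RESSEC setting that matters for a shipped request is the mirror transaction's in the owning region, not the user transaction's in the region where the user signed on. The following Python model is an added example, not code from CICS or from this page; the region names AOR and FOR, the transaction ORDERS, the file CUSTFILE and the user IDs are constructed for the scenario, and the "mirror changed to RESSEC(NO)" case models the page's advice to copy the mirror definition into your own group before changing it.

```python
"""Model of who is checked for what when a request is function shipped to a mirror."""
from dataclasses import dataclass, field


@dataclass
class Region:
    """A CICS region: its transaction definitions plus the RACF answers it would get."""
    ressec: dict                                   # TRANSID -> "YES" or "NO"
    tcicstrn: set = field(default_factory=set)     # (userid, transid) pairs with READ
    fcicsfct: set = field(default_factory=set)     # (userid, file) pairs with access


def access_file(region, userid, transid, filename):
    """Authorization outcome for a file access made under `transid` in `region`."""
    if (userid, transid) not in region.tcicstrn:
        return False, f"{userid} is not authorized to transaction {transid}"
    # Resource security applies only when the *running* transaction has RESSEC(YES).
    if region.ressec[transid] == "YES" and (userid, filename) not in region.fcicsfct:
        return False, f"{transid} has RESSEC(YES) and {userid} is not authorized to {filename}"
    return True, f"{userid} may access {filename} under {transid}"


def function_ship(local, remote, userid, transid, filename, mirror="CSMI"):
    """The file lives in `remote`, so the request runs there under the mirror.

    The user ID checked is the terminal user's; the RESSEC setting that applies
    is the mirror's in the remote region, not the user transaction's locally.
    """
    if (userid, transid) not in local.tcicstrn:
        return False, f"{userid} cannot attach {transid} in the local region"
    return access_file(remote, userid, mirror, filename)


# Constructed scenario: ORDERS is a user transaction defined RESSEC(NO) in the AOR;
# CUSTFILE is owned by the FOR, where the supplied mirror CSMI is RESSEC(YES).
AOR = Region(ressec={"ORDERS": "NO"},
             tcicstrn={("ALICE", "ORDERS"), ("BOB", "ORDERS"), ("CAROL", "ORDERS")})
FOR = Region(ressec={"CSMI": "YES"},
             tcicstrn={("ALICE", "CSMI"), ("BOB", "CSMI")},   # CAROL lacks the mirror
             fcicsfct={("BOB", "CUSTFILE")})                   # ALICE lacks the file


def run_scenarios():
    """Outcome per user, plus the case where the mirror itself is RESSEC(NO)."""
    results = {}
    for user in ("ALICE", "BOB", "CAROL"):
        results[user] = function_ship(AOR, FOR, user, "ORDERS", "CUSTFILE")
    # Hypothetical copied mirror definition changed to RESSEC(NO): no resource check.
    for_no_ressec = Region(ressec={"CSMI": "NO"}, tcicstrn=FOR.tcicstrn)
    results["ALICE_mirror_ressec_no"] = function_ship(
        AOR, for_no_ressec, "ALICE", "ORDERS", "CUSTFILE")
    return results


if __name__ == "__main__":
    for who, (ok, why) in run_scenarios().items():
        print(f"{who:24} {'OK  ' if ok else 'FAIL'} {why}")
```

ALICE can attach ORDERS and is permitted to CSMI, yet her request fails at the file because the mirror enforces RESSEC(YES) regardless of ORDERS being RESSEC(NO); CAROL fails earlier because she is not in the INTERCOM access list at all. Only when the mirror definition itself is RESSEC(NO) does ALICE's request succeed without file authorization.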
The following code example shows how to use RDEFINE and PERMIT commands to define the example groups for category 2 transactions.
RDEFINE GCICSTRN SYSADM UACC(NONE) +
  ADDMEM(CCRL,CDBC,CEDA,CEMN,CEMT,CESD,CETR,CIND) +
  NOTIFY(security_admin_userid) +
  OWNER(userid or groupid)
PERMIT SYSADM CLASS(GCICSTRN) ID(sysgrp1,..,sysgrpz) ACCESS(READ)
RDEFINE GCICSTRN DEVELOPER UACC(NONE) +
  ADDMEM(CADP,CEBR,CECI,CECS,CEDB,CEDF,CEDX) +
  NOTIFY(security_admin_userid) +
  OWNER(userid or groupid)
PERMIT DEVELOPER CLASS(GCICSTRN) ID(devgrp1,..,devgrpz) ACCESS(READ)
RDEFINE GCICSTRN INQUIRE UACC(NONE) +
  ADDMEM(CDBI,CEDC,CKBM,CKDL,CKDP,CKQC,CKRT,CLDM) +
  NOTIFY(security_admin_userid) +
  OWNER(userid or groupid)
PERMIT INQUIRE CLASS(GCICSTRN) ID(inqgrp1,..,inqgrpz) ACCESS(READ)
RDEFINE GCICSTRN OPERATOR UACC(NONE) +
  ADDMEM(CBAM,CEOT,CEST,CIDP,CKAM,CKBM,CKBP,CKBC,CKBR,CKCN,CKDL, +
  CKDP,CKQC,CKRS,CKRT,CKSD,CMSG,CKSQ,CRTE,CKTI,CSFE,CWTO,DSNC) +
  NOTIFY(security_admin_userid) +
  OWNER(userid or groupid)
PERMIT OPERATOR CLASS(GCICSTRN) ID(opsgrp1,..,opsgrpz) ACCESS(READ)
RDEFINE GCICSTRN DBCTL UACC(NONE) +
  ADDMEM(CDBC,CDBI,CDBM,CDBT) +
  NOTIFY(security_admin_userid) +
  OWNER(userid or groupid)
PERMIT DBCTL CLASS(GCICSTRN) ID(dbctgrp1,..,dbctgrpz) ACCESS(READ)
RDEFINE GCICSTRN INTERCOM UACC(NONE) +
  ADDMEM(CDFS,CEHP,CEHS,CPMI,CSHR,CSMI,CSM1,CSM2,CSM3,CSM5,CTIN,CVMI) +
  NOTIFY(security_admin_userid) +
  OWNER(userid or groupid)
PERMIT INTERCOM CLASS(GCICSTRN) ID(intrgrp1,..,intrgrpz) ACCESS(READ)
RDEFINE GCICSTRN ALLUSER UACC(READ) +
  ADDMEM(CMAC,CRTX,CSGM) +
  NOTIFY(security_admin_userid) +
  OWNER(userid or groupid)
RDEFINE GCICSTRN WEBUSER UACC(NONE) +
  ADDMEM(CWBA,CW2A) +
  NOTIFY(security_admin_userid) +
  OWNER(userid or groupid)
PERMIT WEBUSER CLASS(GCICSTRN) ID(webgrp1,..,webgrpz) ACCESS(READ)
RDEFINE GCICSTRN RPCUSER UACC(NONE) +
  ADDMEM(CRPA,CRPC,CRPM) +
  NOTIFY(security_admin_userid) +
  OWNER(userid or groupid)
PERMIT RPCUSER CLASS(GCICSTRN) ID(rpcgrp1,..,rpcgrpz) ACCESS(READ)
RDEFINE GCICSTRN PIPEUSER UACC(NONE) +
  ADDMEM(CPIH,CPIL,CPIQ,CPIA) +
  NOTIFY(security_admin_userid) +
  OWNER(userid or groupid)
PERMIT PIPEUSER CLASS(GCICSTRN) ID(pipegrp1,..,pipegrpz) ACCESS(READ)
RDEFINE GCICSTRN CMCIUSER UACC(NONE) +
  ADDMEM(CWWU) +
  NOTIFY(security_admin_userid) +
  OWNER(userid or groupid)
PERMIT CMCIUSER CLASS(GCICSTRN) ID(cmcigrp1,..,cmcigrpz) ACCESS(READ)
RDEFINE GCICSTRN EVENTUSER UACC(NONE) +
  ADDMEM(CEPH,CEPQ,CEPR,CEPS,CEPT) +
  NOTIFY(security_admin_userid) +
  OWNER(userid or groupid)
PERMIT EVENTUSER CLASS(GCICSTRN) ID(evntgrp1,..,evntgrpz) ACCESS(READ)
RDEFINE GCICSTRN JVMUSER UACC(NONE) +
  ADDMEM(CJSA,CJSU) +
  NOTIFY(security_admin_userid) +
  OWNER(userid or groupid)
PERMIT JVMUSER CLASS(GCICSTRN) ID(jvmgrp1,..,jvmgrpz) ACCESS(READ)
- With RESSEC(YES) and CMDSEC(YES) defined for these transactions, ensure that the user groups authorized to use the transactions are also authorized to access the CICS resources and commands that the transactions use.
- If you protect a resource with a resource group profile, you must be careful when protecting the same resource with another profile if a user can have different access to both profiles. If the profiles are different (for example, if they have different access lists), RACF merges the profiles that are used during authorization checking. The merging might incur higher cost in checking, and it can be difficult to determine exactly which access authority applies to a particular user. In the example grouping above, CDBC and CDBI each appear in two group profiles, as do CKBM, CKDL, CKDP, CKQC, and CKRT (INQUIRE and OPERATOR), so those transactions are subject to this merging. See z/OS Security Server RACF Security Administrator's Guide for further information.
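A practitioner who adopts the subcategories above will want to generate the RDEFINE/PERMIT deck from one list rather than typing it, and to check that list for the two problems the notes describe: a transaction that sits in more than one grouping profile (RACF merges the profiles), and a category 2 transaction that no profile covers at all. The following Python script is an added example, not code from IBM or from this page; the group memberships and the transaction catalog are copied from the text and the table in this topic, while the RACF group names in EXAMPLE_ACCESS_LISTS, the OWNER and NOTIFY IDs, and the 72-column line width are assumptions. The emitted deck uses the TSO `+` continuation character and ends with the `SETROPTS RACLIST(TCICSTRN) REFRESH` needed before CICS sees changed GCICSTRN profiles.

```python
"""Build and sanity-check RACF GCICSTRN grouping profiles for CICS category 2 transactions."""
from collections import defaultdict

# Example subcategories exactly as grouped in the text of this topic.
CATEGORY2_GROUPS = {
    "SYSADM": ["CCRL", "CDBC", "CEDA", "CEMN", "CEMT", "CESD", "CETR", "CIND"],
    "JVMUSER": ["CJSA", "CJSU"],
    "DEVELOPER": ["CADP", "CEBR", "CECI", "CECS", "CEDB", "CEDF", "CEDX"],
    "INQUIRE": ["CDBI", "CEDC", "CKBM", "CKDL", "CKDP", "CKQC", "CKRT", "CLDM"],
    "OPERATOR": ["CBAM", "CEOT", "CEST", "CIDP", "CKAM", "CKBM", "CKBP", "CKBC",
                 "CKBR", "CKCN", "CKDL", "CKDP", "CKQC", "CKRS", "CKRT", "CKSD",
                 "CMSG", "CKSQ", "CRTE", "CKTI", "CSFE", "CWTO", "DSNC"],
    "DBCTL": ["CDBC", "CDBI", "CDBM", "CDBT"],
    "INTERCOM": ["CDFS", "CEHP", "CEHS", "CPMI", "CSHR", "CSMI", "CSM1", "CSM2",
                 "CSM3", "CSM5", "CTIN", "CVMI"],
    "WEBUSER": ["CWBA", "CW2A"],
    "RPCUSER": ["CRPA", "CRPC", "CRPM"],
    "CMCIUSER": ["CWWU"],
    "PIPEUSER": ["CPIH", "CPIL", "CPIQ", "CPIA"],
    "EVENTUSER": ["CEPH", "CEPQ", "CEPR", "CEPS", "CEPT"],
    "ALLUSER": ["CMAC", "CRTX", "CSGM"],
}

# Every transaction ID in the category 2 table at the end of this topic.
CATEGORY2_TABLE = """
CADP CBAM CCRL CDBC CDBI CDBM CDBT CDFS CEBR CECI CECS CEDA CEDB CEDC CEDF CEDX
CEHP CEHS CEMN CEMT CEOT CEPH CEPQ CEPR CEPS CEPT CESD CEST CETR CHLP CIDP CIND
CJSA CJSU CKAM CKBC CKBM CKBP CKBR CKCN CKDL CKDP CKQC CKRS CKRT CKSD CKSQ CKTI
CLDM CMAC CMSG CPIA CPIH CPIL CPIQ CPMI CRPA CRPC CRPM CRTE CRTX CSFE CSGM CSHR
CSM1 CSM2 CSM3 CSM5 CSMI CTIN CVMI CWBA CWTO CWWU CW2A DSNC
""".split()

# Only the group every user needs is open; all other profiles get UACC(NONE).
UACC = {name: ("READ" if name == "ALLUSER" else "NONE") for name in CATEGORY2_GROUPS}

# Hypothetical RACF group names for the access lists (assumption, not from the page).
EXAMPLE_ACCESS_LISTS = {
    "SYSADM": ["SYSGRP1"], "DEVELOPER": ["DEVGRP1", "DEVGRP2"], "INQUIRE": ["INQGRP1"],
    "OPERATOR": ["OPSGRP1"], "DBCTL": ["DBCTGRP1"], "INTERCOM": ["INTRGRP1"],
    "WEBUSER": ["WEBGRP1"], "RPCUSER": ["RPCGRP1"], "CMCIUSER": ["CMCIGRP1"],
    "PIPEUSER": ["PIPEGRP1"], "EVENTUSER": ["EVNTGRP1"], "JVMUSER": ["JVMGRP1"],
}


def overlapping_transactions(groups):
    """Transactions that are members of more than one grouping profile.

    RACF merges such profiles at authorization time, which makes the effective
    access hard to reason about, so they are flagged for review.
    """
    seen = defaultdict(list)
    for profile, members in groups.items():
        for tx in members:
            seen[tx].append(profile)
    return {tx: sorted(p) for tx, p in seen.items() if len(p) > 1}


def uncategorized(groups, catalog):
    """Category 2 transactions that no grouping profile covers."""
    covered = {tx for members in groups.values() for tx in members}
    return sorted(set(catalog) - covered)


def _addmem_lines(members, width=72, indent="  "):
    """Lay out ADDMEM(...) over continued lines; a trailing '+' continues a TSO command."""
    lines, current = [], indent + "ADDMEM("
    for i, tx in enumerate(members):
        piece = tx + ("," if i < len(members) - 1 else ")")
        if len(current) + len(piece) + 2 > width:   # keep room for " +"
            lines.append(current + " +")
            current = indent + piece
        else:
            current += piece
    lines.append(current)
    return lines


def racf_commands(groups, uacc, access_lists, owner="CICSADM", notify="SECADM"):
    """Emit the RDEFINE/PERMIT deck, then the RACLIST refresh that makes it live."""
    out = []
    for profile, members in groups.items():
        out.append(f"RDEFINE GCICSTRN {profile} UACC({uacc[profile]}) +")
        body = _addmem_lines(members)
        body[-1] += " +"
        out.extend(body)
        out.append(f"  NOTIFY({notify}) OWNER({owner})")
        ids = access_lists.get(profile, [])
        if ids:   # a UACC(READ) profile such as ALLUSER needs no PERMIT
            out.append(f"PERMIT {profile} CLASS(GCICSTRN) ID({','.join(ids)}) ACCESS(READ)")
    # GCICSTRN members are checked through the RACLISTed TCICSTRN class.
    out.append("SETROPTS RACLIST(TCICSTRN) REFRESH")
    return out


if __name__ == "__main__":
    for tx, profiles in sorted(overlapping_transactions(CATEGORY2_GROUPS).items()):
        print(f"WARNING {tx} is in several grouping profiles: {', '.join(profiles)}")
    for tx in uncategorized(CATEGORY2_GROUPS, CATEGORY2_TABLE):
        print(f"WARNING {tx} is category 2 but in no grouping profile")
    print("\n".join(racf_commands(CATEGORY2_GROUPS, UACC, EXAMPLE_ACCESS_LISTS)))
```

Run against the page's own grouping, the checks report the seven transactions shared between two profiles (CDBC, CDBI, CKBM, CKDL, CKDP, CKQC, CKRT) and one uncovered category 2 transaction, CHLP, which the table lists as an alias for CMAC; decide deliberately whether CHLP belongs in ALLUSER beside CMAC rather than leaving it to fall through to whatever other TCICSTRN profile matches.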
Transaction | Program | CSD group | Security category | Description |
---|---|---|---|---|
CADP* | DFHDPLU | DFHDP | 2 | Application debugging profile manager |
CBAM* | DFHECBAM | DFHOPER | 2 | BTS objects browser |
CCRL* | DFHSOCRL | DFHOPER | 2 | CICS certificate revocation list transaction |
CDBC* | DFHDBME | DFHDBCTL | 2 | DBCTL interface menu transaction |
CDBI* | DFHDBIQ | DFHDBCTL | 2 | DBCTL interface inquiry transaction |
CDBM* | DFHDBMP | DFHDBCTL | 2 | DBCTL operator transaction |
CDBT | DFHDBDSC | DFHDBCTL | 2 | DBCTL interface disconnection transaction |
CDFS | DFHDFST | DFHISC | 2 | Dynamic starts with interval |
CEBR* | DFHEDFBR | DFHEDF | 2 | Browse temporary storage |
CECI* | DFHECIP | DFHINTER | 2 | Command level interpreter |
CECS* | DFHECSP | DFHINTER | 2 | Command level interpreter |
CEDA* | DFHEDAP | DFHSPI | 2 | Resource definition online - full (RDO) |
CEDB* | DFHEDAP | DFHSPI | 2 | Resource definition online - restricted (RDO) |
CEDC* | DFHEDAP | DFHSPI | 2 | Views resource definition online (RDO) |
CEDF* | DFHEDFP | DFHEDF | 2 | Execution diagnostic facility |
CEDX* | DFHEDFP | DFHEDF | 2 | Execution diagnostic facility for non-terminal tasks |
CEHP | DFHCHS | DFHISC | 2 | LU type 2 mirror transaction (obsolete) |
CEHS | DFHCHS | DFHISC | 2 | LU type 2 mirror transaction (obsolete) |
CEMN* | DFHCEMNA | DFHOPER | 2 | CICS monitoring facility transaction |
CEMT* | DFHEMTP | DFHOPER | 2 | Main terminal |
CEOT* | DFHEOTP | DFHOPER | 2 | Terminal status |
CEPH | DFHECEAH | DFHEP | 2 | HTTP EP adapter for event processing |
CEPQ | DFHECEAM | DFHEP | 2 | WebSphere® MQ EP adapter for event processing |
CEPR | DFHECEAQ | DFHEP | 2 | TDQ EP adapter for event processing |
CEPS | DFHECEAS | DFHEP | 2 | Start transaction adapter for event processing |
CEPT | DFHECEAT | DFHEP | 2 | TSQ EP adapter for event processing |
CESD | DFHCESD | DFHSDAP | 2 | Shutdown assist |
CEST* | DFHESTP | DFHOPER | 2 | Supervisory terminal |
CETR* | DFHCETRA | DFHOPER | 2 | Inquire and set trace options |
CHLP | DFHCMAC | DFHCMAC | 2 | Alias for CMAC |
CIDP* | DFHDPIN | DFHDP | 2 | Inactivate debugging profiles utility |
CIND* | DFHINDT | DFHINDT | 2 | CICS indoubt testing tool |
CJSA | DFHSJTHP | DFHJAVA | 2 | JVM server request processor transaction |
CJSU | DFHSJTHP | DFHJAVA | 2 | JVM server unclassified request processor transaction |
CKAM | DFHMQMON | DFHMQ | 2 | CICS-MQ Adapter alert monitor |
CKBC | DFHMQBP3 | DFHMQ | 2 | CICS-MQ Bridge Program Link transaction for channel and container DPL bridge |
CKBM | DFHMQBAS | DFHMQ | 2 | CICS-MQ Adapter base panel transaction |
CKBP | DFHMQBP0 | DFHMQ | 2 | CICS-MQ Bridge DPL bridge task (COMMAREA) |
CKBR | DFHMQBR0 | DFHMQ | 2 | CICS-MQ Bridge Monitor task |
CKCN | DFHMQQCN | DFHMQ | 2 | CICS-MQ Adapter start connection transaction |
CKDL | DFHMQDSL | DFHMQ | 2 | CICS-MQ Adapter, display status transaction |
CKDP | DFHMQDIS | DFHMQ | 2 | CICS-MQ Adapter, display transaction |
CKQC* | DFHMQCTL | DFHMQ | 2 | CICS-MQ Adapter control transaction |
CKRS | DFHMQRS | DFHMQ | 2 | CICS-MQ Adapter modify transaction |
CKRT | DFHMQRET | DFHMQ | 2 | CICS-MQ Adapter screen return transaction |
CKSD | DFHMQDSC | DFHMQ | 2 | CICS-MQ Adapter stop connection transaction |
CKSQ | DFHMQSSQ | DFHMQ | 2 | CICS-MQ Adapter start/stop CKTI transaction |
CKTI | DFHMQTSK | DFHMQ | 2 | CICS-MQ Adapter - task initiator transaction |
CLDM* | DFHLDMAP | DFHOPER | 2 | CICS load module map |
CMAC | DFHCMAC | DFHCMAC | 2 | Messages utility |
CMSG* | DFHMSP | DFHMSWIT | 2 | Message switching |
CPIA* | DFHPITE | DFHPIPE | 2 | Invokes CPIS from the terminal |
CPIH | DFHPIDSH | DFHPIPE | 2 | CICS pipeline HTTP inbound router |
CPIL | DFHPILSQ | DFHPIPE | 2 | SOAP WebSphere MQ inbound listener |
CPIQ | DFHPIDSQ | DFHPIPE | 2 | SOAP WebSphere MQ inbound router |
CPMI | DFHMIRS | DFHISC | 2 | CICS LU 6.2 synchronization level 1 mirror |
CRPA | DFHRPAS | DFHRPC | 2 | ONC/RPC Alias transaction |
CRPC | DFHRPC00 | DFHRPC | 2 | ONC/RPC Update transaction |
CRPM | DFHRPMS | DFHRPC | 2 | ONC/RPC Server controller |
CRTE* | DFHRTE | DFHISC | 2 | Transaction routing |
CRTX | | DFHISC | 2 | Dynamic transaction routing transaction definition |
CSFE* | DFHFEP | DFHFE | 2 | Terminal test, trace, storage |
CSGM | DFHGMM | DFHVTAM | 2 | Good morning sign-on |
CSHR | DFHMIRS | DFHISC | 2 | Scheduler services remote routing |
CSM1 | DFHMIRS | DFHISC | 2 | SYSMSG model |
CSM2 | DFHMIRS | DFHISC | 2 | Scheduler model |
CSM3 | DFHMIRS | DFHISC | 2 | Queue model |
CSM5 | DFHMIRS | DFHISC | 2 | DL/I model |
CSMI | DFHMIRS | DFHISC | 2 | Mirror transaction |
CTIN | DFHZCT1 | DFHCLNT | 2 | CICS Client |
CVMI | DFHMIRS | DFHISC | 2 | CICS LU6.2 synchronization level 1 mirror |
CWBA | DFHWBA | DFHWEB | 2 | CICS web support alias transaction |
CWTO* | DFHCWTO | DFHCONS | 2 | Write to console operator |
CWWU | DFHWBA | DFHWU | 2 | Web support alias transaction for the CICS management client interface |
CW2A | DFHW2A | DFHWEB2 | 2 | Atom feed alias transaction |
DSNC | DFHD2CM1 | DFHDB2 | 2 | DB2® attachment facility transaction |