Category 2 transactions

Category 2 transactions listed here are initiated by CICS users, or are associated with CICS users. For example, a category 2 transaction can be started by an EXEC CICS START command that is initiated by a user running another transaction. Restrict authorizations to initiate these transactions to user IDs that belong to specific RACF® groups.

For the CICS® resource definitions, the supplied transactions are defined with the recommended RESSEC and CMDSEC options. Specifically, CECI, CEDF, CEMT, and CEST are supplied with RESSEC(YES) and CMDSEC(YES). The mirror transactions are defined with RESSEC(YES). To change any of these definitions, copy them to another group. It is not advisable to change the supplied definitions of any other transactions.

For most category 2 transactions, specify them to RACF as follows:
  • UACC(NONE) and AUDIT(FAILURES) in the transaction profile. AUDIT(FAILURES) is the default and does not have to be specified.
  • Access list as appropriate.

It is unlikely that users require access to all the transactions in this category, so consider defining the transactions in several subcategories. You can choose to group CICS transactions in the way that best suits the needs of your installation. The following example shows one way that you might group the category 2 transactions.

The sample CLIST DFH$CAT2 (in library CICSTS54.CICS.SDFHSAMP) can help you to define the category 2 profiles to RACF. If you want to use this example, review and edit the CLIST for your installation before running it. To use a different setup, adapt the CLIST, or provide your own. The sample groups the transactions into the following categories:
SYSADM
This category contains CCRL, CDBC, CEDA, CEMN, CEMT, CESD, CETR, and CIND.
JVMUSER
This category contains CJSA and CJSU.
Note: Depending on your security configuration, transactions CJSA and CJSU might require the CICS default user to have access. For more information, see Security for Java applications, Configuring z/OS Connect for a CICS JSON web service, and Configuring permissions for z/OS Connect Services and APIs.

As a security best practice, turn on Liberty security and avoid using the CICS default user to run application tasks. For the z/OS Connect Service, you can install a URIMAP resource that CICS uses to associate the work for the Service with a specific transaction ID in CICS and with an initial user ID.

CJSA is the default transaction ID for any web request that does not have a matching URI. Consider restricting access to CJSA to prevent any arbitrary application being run.

DEVELOPER
This category contains CADP, CEBR, CECI, CECS, CEDB, CEDF, and CEDX.
INQUIRE
This category contains CDBI, CEDC, CKBM, CKDL, CKDP, CKQC, CKRT, and CLDM.
OPERATOR
This category contains CBAM, CEOT, CEST, CIDP, CKAM, CKBM, CKBP, CKBC, CKBR, CKCN, CKDL, CKDP, CKQC, CKRS, CKRT, CKSD, CMSG, CKSQ, CRTE, CKTI, CSFE, CWTO, and DSNC.
DBCTL
This category contains CDBC, CDBI, CDBM, and CDBT.
INTERCOM
This category contains CDFS, CEHP, CEHS, CPMI, CSHR, CSMI, CSM1, CSM2, CSM3, CSM5, CTIN, and CVMI.
If you use function shipping, the mirror transactions must be available to remote users. When a database or file is on another CICS region, CICS function ships the request to access the data, and the request runs under one of the CICS-supplied mirror transactions. In this situation, the following conditions apply:
  • The terminal user running the application must be authorized to use the mirror transaction. See Transaction security.
  • The terminal user must also be authorized to use the data that the mirror transaction accesses. See Resource security. The mirror transactions are supplied with RESSEC(YES) defined, so even if the user's transaction specifies RESSEC(NO), the mirror transaction fails if the user is not authorized to access the data.

    If you do not use resource security checking, change the mirror transaction definitions to specify RESSEC(NO). Because the mirror transactions are an IBM-protected resource, first copy these definitions into your own groups and then change them.

For a deferred START request, if the user transaction to be started is eligible for dynamic routing, system transaction CDFS will run and start the user transaction at the specified time. Ensure that security for CDFS is correctly configured.

WEBUSER
This category contains CWBA and CW2A.

The CICS default user requires access to the CWBA transaction initially, even if an analyzer program is then used to assign another user ID to the task. Ensure that the CICS default user that is specified in the DFLTUSER system initialization parameter has access to this transaction. If you use the supplied CLIST DFH$CAT2 to create a WEBUSER RACF profile, the default user must have access to this profile.

RPCUSER
This category contains CRPA, CRPC, and CRPM.
CMCIUSER
This category contains CWWU.
PIPEUSER
This category contains CPIH, CPIL, CPIQ, and CPIA.
EVENTUSER
This category contains CEPH, CEPQ, CEPR, CEPS, and CEPT.

CEPH, CEPQ, CEPR, CEPS, and CEPT are the default EP adapter transaction IDs used when security checking is required. They are defined with RESSEC(YES) and CMDSEC(YES). If these options are not what you want, specify your own transaction IDs in the Advanced Options section of the adapter tab in the Event binding editor. For more information, see Specifying EP adapter and dispatcher information.

ALLUSER
This category contains CMAC, CRTX, and CSGM.

Define the CICS messages and codes transaction CMAC, and the good morning transaction CSGM (or the transaction that is defined in the GMTRAN system initialization parameter) as UACC(READ) in their own group, because all users need access to them. If your installation uses CSGM, users who are not authorized to use CSGM receive message DFHAC2002 when they attempt to use CICS. Also include your good night transaction in this group, if you defined one with the GNTRAN system initialization parameter.

The following code example shows how to use RDEFINE and PERMIT commands to define the example groups for category 2 transactions.

RDEFINE GCICSTRN SYSADM UACC(NONE)
         ADDMEM(CCRL,CDBC,CEDA,CEMN,CEMT,CESD,CETR,CIND)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   SYSADM  CLASS(GCICSTRN) ID(sysgrp1,..,sysgrpz) ACCESS(READ)
RDEFINE GCICSTRN DEVELOPER UACC(NONE)
         ADDMEM(CADP,CEBR,CECI,CECS,CEDB,CEDF,CEDG,CEDX,CEDY)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   DEVELOPER  CLASS(GCICSTRN) ID(devgrp1,..,devgrpz) ACCESS(READ)
RDEFINE GCICSTRN INQUIRE UACC(NONE)
         ADDMEM(CDBI,CEDC,CKBM,CKDL,CKDP,CKQC,CKRT,CLDM)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   INQUIRE  CLASS(GCICSTRN) ID(inqgrp1,..,inqgrpz) ACCESS(READ)
RDEFINE GCICSTRN OPERATOR UACC(NONE)
         ADDMEM(CBAM,CEOT,CEST,CIDP,CKAM,CKBM,CKBP,CKBC,CKBR,CKCN,CKDL,+
                CKDP,CKQC,CKRS,CKRT,CKSD,CMSG,CKSQ,CRTE,CKTI,CSFE,CWTO,DSNC)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   OPERATOR  CLASS(GCICSTRN) ID(opsgrp1,..,opsgrpz) ACCESS(READ)
RDEFINE GCICSTRN DBCTL UACC(NONE)
         ADDMEM(CDBC,CDBI,CDBM,CDBT)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   DBCTL  CLASS(GCICSTRN) ID(dbctgrp1,..,dbctgrpz) ACCESS(READ)
RDEFINE GCICSTRN INTERCOM UACC(NONE)
         ADDMEM(CEHP,CEHS,CPMI,CSHR,CSMI,CSM1,CSM2,CSM3,CSM5,CVMI,CDFS,CTIN)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   INTERCOM  CLASS(GCICSTRN) ID(intrgrp1,..,intrgrpz) ACCESS(READ)
RDEFINE GCICSTRN ALLUSER UACC(READ)
         ADDMEM(CMAC,CRTX,CSGM)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   ALLUSER  CLASS(GCICSTRN) ID(allgrp1,..,allgrpz) ACCESS(READ)
RDEFINE GCICSTRN WEBUSER UACC(NONE)
         ADDMEM(CWBA,CW2A)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   WEBUSER  CLASS(GCICSTRN) ID(webgrp1,..,webgrpz) ACCESS(READ)
RDEFINE GCICSTRN RPCUSER UACC(NONE)
         ADDMEM(CRPA,CRPC,CRPM)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   RPCUSER  CLASS(GCICSTRN) ID(rpcgrp1,..,rpcgrpz) ACCESS(READ)
RDEFINE GCICSTRN PIPEUSER UACC(NONE)
         ADDMEM(CPIH,CPIL,CPIQ,CPIA)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   PIPEUSER  CLASS(GCICSTRN) ID(pipeline_access_list) ACCESS(READ)
RDEFINE GCICSTRN CMCIUSER UACC(NONE)
         ADDMEM(CWWU)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   CMCIUSER  CLASS(GCICSTRN) ID(cmciuser_access_list) ACCESS(READ)
RDEFINE GCICSTRN EVENTUSER UACC(NONE)
         ADDMEM(CEPH,CEPQ,CEPR,CEPS,CEPT)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   EVENTUSER  CLASS(GCICSTRN) ID(eventuser_access_list) ACCESS(READ)
RDEFINE GCICSTRN JVMUSER UACC(NONE)
         ADDMEM(CJSA,CJSU)
         NOTIFY(security_admin_userid)
         OWNER(userid or groupid)
PERMIT   JVMUSER  CLASS(GCICSTRN) ID(libgrp1,..,libgrpz) ACCESS(READ)
Note:
  1. With RESSEC(YES) and CMDSEC(YES) defined for these transactions, ensure that the user groups authorized to use the transactions are also authorized to access the CICS resources and commands that the transactions use.
  2. If you protect a resource with a resource group profile, you must be careful when protecting the same resource with another profile if a user can have different access to both profiles. If the profiles are different (for example, if they have different access lists), RACF merges the profiles that are used during authorization checking. The merging might incur higher cost in checking, and it can be difficult to determine exactly which access authority applies to a particular user. See z/OS Security Server RACF Security Administrator's Guide for further information.
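As an added example (not part of this page or of the supplied CLIST DFH$CAT2), a small Python check that you can run over an RDEFINE/PERMIT stream like the one above before submitting it. It joins TSO operand and '+' continuation lines, then flags a profile defined twice, a UACC value RACF does not accept, a PERMIT that names an undefined profile, a profile that is not UACC(READ) and that no PERMIT opens, and a transaction placed in more than one grouping profile (the overlap that note 2 warns about). The SAMPLE stream is constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample in the page's RDEFINE/PERMIT style, seeded with a duplicate
# RDEFINE, a mistyped UACC, a PERMIT on the wrong profile and overlapping members.
SAMPLE = """\
RDEFINE GCICSTRN INQUIRE UACC(NONE)
         ADDMEM(CDBI,CEDC,CKBM,CKDL,CLDM)
RDEFINE GCICSTRN INQUIRE UACC(NONE)
PERMIT   INQUIRE  CLASS(GCICSTRN) ID(inqgrp1,..,inqgrpz)
RDEFINE GCICSTRN OPERATOR UACC(NONE)
         ADDMEM(CBAM,CEOT,CKBM,+
                CKDL)
PERMIT   OPERATOR  CLASS(GCICSTRN) ID(opsgrp1,..,opsgrpz) ACCESS(READ)
RDEFINE GCICSTRN RESTUSER UACC(NON)
         ADDMEM(CWWU)
PERMIT WEBUSER CLASS(GCICSTRN) ID(rstrgrp1,..,rstgrpz) ACCESS(READ)
"""

def logical_commands(text):  # join indented operand lines and '+' continuations
    cmds = []
    for raw in text.splitlines():
        if cmds and (raw.startswith(" ") or cmds[-1].endswith("+")):
            cmds[-1] = cmds[-1].rstrip("+") + " " + raw.strip()
        elif raw.strip():
            cmds.append(raw.rstrip())
    return cmds

def audit(text):  # list the findings for a GCICSTRN RDEFINE/PERMIT stream
    members, uacc, permitted, out = defaultdict(set), {}, set(), []
    for cmd in logical_commands(text):
        tok = cmd.split()
        if tok[:2] == ["RDEFINE", "GCICSTRN"]:
            prof = tok[2]
            if prof in uacc:
                out.append(f"{prof}: RDEFINE issued twice; the second fails")
            uacc[prof] = u.group(1) if (u := re.search(r"UACC\((\w+)\)", cmd)) else "NONE"
            if uacc[prof] not in {"NONE", "READ", "UPDATE", "CONTROL", "ALTER", "EXECUTE"}:
                out.append(f"{prof}: invalid UACC({uacc[prof]})")
            m = re.search(r"ADDMEM\(([^)]*)\)", cmd)
            members[prof].update(t.strip() for t in (m.group(1).split(",") if m else []))
        elif tok[0] == "PERMIT":
            permitted.add(tok[1])
            if tok[1] not in uacc:
                out.append(f"PERMIT {tok[1]}: no such profile in this stream")
    out += [f"{p}: no PERMIT and UACC is not READ" for p in uacc if uacc[p] != "READ" and p not in permitted]
    for t in sorted({t for s in members.values() for t in s}):
        if len(p := sorted(q for q in members if t in members[q])) > 1:
            out.append(f"{t}: in {p}; RACF merges these profiles")
    return out
```

Run audit() on the real command stream exported from your CLIST; an empty list means none of these five conditions was found.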
Table 1. Category 2 transactions.

The transactions that have operator interfaces are marked by an asterisk (*). The remainder therefore have no operator interface.

Transaction Program CSD group Security category Description
CADP* DFHDPLU DFHDP 2 Application debugging profile manager
CBAM* DFHECBAM DFHOPER 2 BTS objects browser
CCRL* DFHSOCRL DFHOPER 2 CICS certificate revocation list transaction
CDBC* DFHDBME DFHDBCTL 2 DBCTL interface menu transaction
CDBI* DFHDBIQ DFHDBCTL 2 DBCTL interface inquiry transaction
CDBM* DFHDBMP DFHDBCTL 2 DBCTL operator transaction
CDBT DFHDBDSC DFHDBCTL 2 DBCTL interface disconnection transaction
CDFS DFHDFST DFHISC 2 Dynamic starts with interval
CEBR* DFHEDFBR DFHEDF 2 Browse temporary storage
CECI* DFHECIP DFHINTER 2 Command level interpreter
CECS* DFHECSP DFHINTER 2 Command level interpreter
CEDA* DFHEDAP DFHSPI 2 Resource definition online - full (RDO)
CEDB* DFHEDAP DFHSPI 2 Resource definition online - restricted (RDO)
CEDC* DFHEDAP DFHSPI 2 Views resource definition online (RDO)
CEDF* DFHEDFP DFHEDF 2 Execution diagnostic facility
CEDX* DFHEDFP DFHEDF 2 Execution diagnostic facility for non-terminal tasks
CEHP DFHCHS DFHISC 2 LU type 2 mirror transaction (obsolete)
CEHS DFHCHS DFHISC 2 LU type 2 mirror transaction (obsolete)
CEMN* DFHCEMNA DFHOPER 2 CICS monitoring facility transaction
CEMT* DFHEMTP DFHOPER 2 Main terminal
CEOT* DFHEOTP DFHOPER 2 Terminal status
CEPH DFHECEAH DFHEP 2 HTTP EP adapter for event processing
CEPQ DFHECEAM DFHEP 2 WebSphere® MQ EP adapter for event processing
CEPR DFHECEAQ DFHEP 2 TDQ EP adapter for event processing
CEPS DFHECEAS DFHEP 2 Start transaction adapter for event processing
CEPT DFHECEAT DFHEP 2 TSQ EP adapter for event processing
CESD DFHCESD DFHSDAP 2 Shutdown assist
CEST* DFHESTP DFHOPER 2 Supervisory terminal
CETR* DFHCETRA DFHOPER 2 Inquire and set trace options
CHLP DFHCMAC DFHCMAC 2 Alias for CMAC
CIDP* DFHDPIN DFHDP 2 Inactivate debugging profiles utility
CIND* DFHINDT DFHINDT 2 CICS indoubt testing tool
CJSA DFHSJTHP DFHJAVA 2 JVM server request processor transaction
CJSU DFHSJTHP DFHJAVA 2 JVM server unclassified request processor transaction
CKAM DFHMQMON DFHMQ 2 CICS-MQ Adapter alert monitor
CKBC DFHMQBP3 DFHMQ 2 CICS-MQ Bridge Program Link transaction for channel and container DPL bridge
CKBM DFHMQBAS DFHMQ 2 CICS-MQ Adapter base panel transaction
CKBP DFHMQBP0 DFHMQ 2 CICS-MQ Bridge DPL bridge task (COMMAREA)
CKBR DFHMQBR0 DFHMQ 2 CICS-MQ Bridge Monitor task
CKCN DFHMQQCN DFHMQ 2 CICS-MQ Adapter start connection transaction
CKDL DFHMQDSL DFHMQ 2 CICS-MQ Adapter, display status transaction
CKDP DFHMQDIS DFHMQ 2 CICS-MQ Adapter, display transaction
CKQC* DFHMQCTL DFHMQ 2 CICS-MQ Adapter control transaction
CKRS DFHMQRS DFHMQ 2 CICS-MQ Adapter modify transaction
CKRT DFHMQRET DFHMQ 2 CICS-MQ Adapter screen return transaction
CKSD DFHMQDSC DFHMQ 2 CICS-MQ Adapter stop connection transaction
CKSQ DFHMQSSQ DFHMQ 2 CICS-MQ Adapter start/stop CKTI transaction
CKTI DFHMQTSK DFHMQ 2 CICS-MQ Adapter - task initiator transaction
CLDM* DFHLDMAP DFHOPER 2 CICS load module map
CMAC DFHCMAC DFHCMAC 2 Messages utility
CMSG* DFHMSP DFHMSWIT 2 Message switching
CPIA* DFHPITE DFHPIPE 2 Invokes CPIS from the terminal
CPIH DFHPIDSH DFHPIPE 2 CICS pipeline HTTP inbound router
CPIL DFHPILSQ DFHPIPE 2 SOAP WebSphere MQ inbound listener
CPIQ DFHPIDSQ DFHPIPE 2 SOAP WebSphere MQ inbound router
CPMI DFHMIRS DFHISC 2 CICS LU 6.2 synchronization level 1 mirror
CRPA DFHRPAS DFHRPC 2 ONC/RPC Alias transaction
CRPC DFHRPC00 DFHRPC 2 ONC/RPC Update transaction
CRPM DFHRPMS DFHRPC 2 ONC/RPC Server controller
CRTE* DFHRTE DFHISC 2 Transaction routing
CRTX   DFHISC 2 Dynamic transaction routing transaction definition
CSFE* DFHFEP DFHFE 2 Terminal test, trace, storage
CSGM DFHGMM DFHVTAM 2 Good-morning signon
CSHR DFHMIRS DFHISC 2 Scheduler services remote routing
CSM1 DFHMIRS DFHISC 2 SYSMSG model
CSM2 DFHMIRS DFHISC 2 Scheduler model
CSM3 DFHMIRS DFHISC 2 Queue model
CSM5 DFHMIRS DFHISC 2 DL/I model
CSMI DFHMIRS DFHISC 2 Mirror transaction
CTIN DFHZCT1 DFHCLNT 2 CICS Client
CVMI DFHMIRS DFHISC 2 CICS LU6.2 synchronization level 1 mirror
CWBA DFHWBA DFHWEB 2 CICS web support alias transaction
CWTO* DFHCWTO DFHCONS 2 Write to console operator
CWWU DFHWBA DFHWU 2 Web support alias transaction for the CICS management client interface
CW2A DFHW2A DFHWEB2 2 Atom feed alias transaction
DSNC DFHD2CM1 DFHDB2 2 DB2® attachment facility transaction