Changes to RACF classes

This section summarizes the changes that relate to RACF® classes across supported CICS® releases. Use this information to plan the impact of upgrading from one release to another.

If you are upgrading from an end-of-service release, you can find information about the changes that are relevant to those releases in Summary of changes from end-of-service releases.

For other security-related changes, see Changes to security. For changes to transactions, see Changes to CICS transactions.

Table 1. Changes to RACF classes related to command security, by release of CICS TS. These changes are new resource identifiers for SPI commands. See CICS resources subject to command security checking and Resource and command check cross-reference for a list of all of the SPI commands and the RACF ACCESS required for each one.
Command 5.4 5.5 5.6 6.1
CREATE DUMPCODE     NEW: resource identifier DUMPCODE  
INQUIRE JVMENDPOINT SET JVMENDPOINT     NEW: resource identifier JVMENDPOINT  
CREATE MQMONITOR DISCARD MQMONITOR INQUIRE MONITOR SET MONITOR NEW: resource identifier MQMON      
INQUIRE NODEJSAPP   NEW: resource identifier NODEJSAPP    
PERFORM JVMSERVER     NEW: resource identifier JVMSERVER

ACCESS(UPDATE) is required for the command.

ACCESS(UPDATE) is required for the named JVMSERVER resource identifier.

  
SET PROGRAM NEW: resource identifier REPLICATION.

ACCESS(ALTER) is required for REPLICATION option.

      
INQUIRE SYSDUMPCODE SET SYSDUMPCODE NEW: resource identifier SYSDUMPCODE.

ACCESS(CONTROL) is required for SET with JOBLIST option.

      
INQUIRE WLMHEALTH SET WLMHEALTH NEW: resource identifier WLMHEALTH. Requires APAR PI84397.      
Table 2. Changes to RACF classes related to CICS user IDs, by release of CICS TS
User ID 5.4 5.5 5.6 6.1
Default user ID     Default user no longer needs command authority for any CAT 3 CICS transactions. See Default user ID security definitions.  
Region user ID Security for submitting a JCL job to the internal reader.      
KERBEROSUSER NEW with APAR: PI85443 NEW SIT parameter KERBEROSUSER to specify the user ID associated with the Kerberos service principal for the CICS region.    
Table 3. Changes to other RACF classes by release of CICS TS
Class Profile 5.4 5.5 5.6 6.1
FACILITY DFHSIT.HPO   NEW: Control of HPO SIT override    
IDTDATA JWT.applid.userid.SAF     NEW: support for JWT with RACF
PTKTDATA IRRPTAUTH.applid.userid NEW XPTKT system initialization parameter      
SURROGAT userid.DFHEXCI NEW with APAR: PH09898 NEW with APAR: PH09898 NEW: surrogate user checking for EXCI
SURROGAT userid.DFHQUERY   NEW: Application-specific security (QUERY SECURITY)    
SURROGAT userid.SUBMIT   NEW: security for submitting a JCL job to the internal reader