CICS BAC security

CICS® BAC security provides complete security for all CICS BAC resources, with the flexibility that enables you to permit access as required by different users. User IDs can be set up with one level of authority in one CICS region and different levels of authority in other CICS regions. Additionally, you can restrict some users to CICS BAC administrative functions, such as the creation, modification, and deletion of CICS control file objects, while other users are able only to submit jobs that execute commands against those objects. Additional granularity exists to further restrict users to certain types of objects, such as files and programs, or to specific objects, such as a payroll file.

CICS BAC security is implemented through the RACROUTE macro of the MVS system authorization facility (SAF) interface to route authorization requests to an external security manager (ESM), such as RACF®. For convenience, this chapter uses RACF terminology when referring to security objects, such as profiles and resource classes, and refers to RACF as the ESM. If you are using a different ESM, substitute the corresponding terminology that is used by your ESM.

When you attempt to access a CICS BAC resource, CICS BAC builds a unique security resource name for the object you are trying to access. Using this security resource name, CICS BAC issues a RACROUTE call to verify your authority to access the resource, specifying the FACILITY general resource class. To differentiate CICS BAC resources from other resources within the FACILITY class, all CICS BAC resource names begin with $CBK (see CICS BAC resource names).

CICS BAC denies access to a resource if the RACROUTE return code indicates that the user is not authorized to access the resource. CICS BAC allows access if the RACROUTE return code indicates that the user is authorized to access the resource or if it indicates that the resource is not protected.
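The following is an added illustration of the authorization flow in the two preceding paragraphs; it is not IBM code and not part of this documentation. It models a handful of RACF FACILITY-class profiles in memory and the three RACROUTE REQUEST=AUTH outcomes the text names (authorized, not authorized, resource not protected), then applies the CICS BAC rule that only "not authorized" results in a denial. The profile names below the $CBK prefix (such as $CBK.PAYROLL.FILE), the user IDs, and the access levels the example requires are all invented for illustration; the real resource-name layout and required access levels are documented in the sections the text refers to. It also goes beyond the text in one respect: it shows why a generic backstop profile matters when the "not protected" outcome is treated as permission.

```python
"""Constructed model of the CICS BAC authorization decision.

Added example, not IBM code. Profile names below $CBK, user IDs and
the access levels checked are invented for illustration only.
"""
import re
from dataclasses import dataclass, field

# RACROUTE REQUEST=AUTH return codes as this model uses them.
RC_AUTHORIZED = 0      # the user may access the resource
RC_NOT_PROTECTED = 4   # no profile covers the resource
RC_NOT_AUTHORIZED = 8  # a profile covers it and denies the request

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Profile:
    """One FACILITY-class profile: name, UACC and an access list."""
    name: str
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)  # user ID -> access level

    def matches(self, resource: str) -> bool:
        # Simplified RACF generic matching: '**' spans any number of
        # qualifiers, '*' matches within a single qualifier only.
        pattern = re.escape(self.name)
        pattern = pattern.replace(r"\*\*", ".*").replace(r"\*", r"[^.]*")
        return re.fullmatch(pattern, resource) is not None

    def specificity(self) -> int:
        # RACF applies the most specific matching profile; counting the
        # non-wildcard characters stands in for that rule here.
        return sum(1 for c in self.name if c != "*")


def racroute_auth(profiles, user, resource, requested):
    """Return the RACROUTE-style return code for one access check."""
    candidates = [p for p in profiles if p.matches(resource)]
    if not candidates:
        return RC_NOT_PROTECTED
    best = max(candidates, key=Profile.specificity)
    # An explicit access-list entry overrides UACC, even when it is lower.
    granted = best.acl.get(user, best.uacc)
    if ACCESS_RANK[granted] >= ACCESS_RANK[requested]:
        return RC_AUTHORIZED
    return RC_NOT_AUTHORIZED


def cics_bac_decision(rc):
    """Rule stated in the text: deny only when the ESM says not authorized."""
    return "deny" if rc == RC_NOT_AUTHORIZED else "allow"


def check(profiles, user, resource, requested):
    return cics_bac_decision(racroute_auth(profiles, user, resource, requested))


# Constructed profiles: the administrator may update the payroll object,
# the operator may only read it.
SPECIFIC_ONLY = [
    Profile("$CBK.PAYROLL.FILE", uacc="NONE",
            acl={"ADMIN1": "UPDATE", "OPER1": "READ"}),
]
# The same, plus a catch-all backstop so no $CBK resource is left unprotected.
WITH_BACKSTOP = SPECIFIC_ONLY + [Profile("$CBK.**", uacc="NONE")]


if __name__ == "__main__":
    for label, profiles in (("specific only", SPECIFIC_ONLY),
                            ("with backstop", WITH_BACKSTOP)):
        print(label)
        print("  ADMIN1 UPDATE $CBK.PAYROLL.FILE ->",
              check(profiles, "ADMIN1", "$CBK.PAYROLL.FILE", "UPDATE"))
        print("  OPER1  UPDATE $CBK.PAYROLL.FILE ->",
              check(profiles, "OPER1", "$CBK.PAYROLL.FILE", "UPDATE"))
        # An object nobody wrote a profile for: allowed without the backstop.
        print("  OPER1  READ   $CBK.SCRATCH.OBJ  ->",
              check(profiles, "OPER1", "$CBK.SCRATCH.OBJ", "READ"))
```

The point the model makes is that the "resource is not protected" return code is treated as permission, so any $CBK resource that no profile covers is open to every user. Defining a generic profile for the $CBK prefix with UACC(NONE), and then granting access through more specific profiles, turns that gap into a denial while leaving the specific grants intact; the exact generic name to use depends on the resource-name layout documented under CICS BAC resource names.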

CICS BAC also supports CICS EXCI security; see CICS BAC support for CICS EXCI security.