Enabling CICS BAC resource security

By default, CICS® BAC security mechanisms permit all users full access to CICS BAC resources unless you take steps to protect them by defining the required security profiles in the RACF database. This is because of the way the system authorization facility (SAF) responds when it cannot find a security profile for a specified resource: if no profile covers the resource, SAF neither grants nor refuses the access request, and in that case CICS BAC allows the request. Thus, to ensure that security is fully enabled, define the required profiles to cover all your CICS BAC resources.

To ensure that no one can have access by default, define one generic profile to protect all resources, and then give specific access to resources as required. For example, use the following command to protect everything:

RDEFINE FACILITY $CBK.**  UACC(NONE)

With a universal access (UACC) of NONE, you deny access to all CICS BAC resource names that are not covered by a more explicit profile.
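The following Python model, added here as an illustration and not part of IBM's CICS BAC or RACF code, shows why the catch-all profile matters. It simulates a SAF authorization call against a small set of RACF-style profiles (generic matching with `*` and `**`, an access list, and UACC) together with the CICS BAC rule that a request is allowed when SAF finds no profile. The resource name `$CBK.EXAMPLE.RESOURCE`, the group names `CBKADMIN` and `PAYROLL`, and the "most literal characters wins" precedence rule are constructed simplifications for the example; RACF's real generic-profile precedence is more involved.

```python
import re
from dataclasses import dataclass, field

# Access levels in increasing order of authority (RACF's standard hierarchy).
ACCESS_LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Profile:
    """A simplified RACF general-resource profile (model only)."""
    name: str                                    # e.g. "$CBK.**"
    uacc: str = "NONE"                           # universal access for IDs not on the list
    permits: dict = field(default_factory=dict)  # user or group -> access level

    def _regex(self):
        parts = []
        for qualifier in self.name.split("."):
            if qualifier == "**":
                parts.append(r".*")              # any number of qualifiers
            else:
                # '*' inside a qualifier matches within that qualifier only
                parts.append(re.escape(qualifier).replace(r"\*", r"[^.]*"))
        return re.compile(r"^" + r"\.".join(parts) + r"$")

    def matches(self, resource):
        return self._regex().match(resource) is not None

    def specificity(self):
        # Simplified precedence (assumption): more literal characters wins.
        return len(self.name.replace("*", ""))


def saf_check(profiles, resource, user, groups, requested):
    """Model of a SAF authorization request.

    Returns "NOT_FOUND" when no profile covers the resource (SAF neither
    grants nor refuses), otherwise "ALLOW" or "DENY".
    """
    candidates = [p for p in profiles if p.matches(resource)]
    if not candidates:
        return "NOT_FOUND"
    best = max(candidates, key=Profile.specificity)
    if user in best.permits:
        granted = best.permits[user]             # a user entry takes precedence
    else:
        group_levels = [best.permits[g] for g in groups if g in best.permits]
        granted = max(group_levels, key=ACCESS_LEVELS.get, default=best.uacc)
    return "ALLOW" if ACCESS_LEVELS[granted] >= ACCESS_LEVELS[requested] else "DENY"


def cics_bac_allows(saf_result):
    """CICS BAC's default: the request goes through unless SAF refuses it."""
    return saf_result != "DENY"


def demo():
    resource = "$CBK.EXAMPLE.RESOURCE"  # constructed name, not a real CICS BAC resource
    outcomes = {}

    # 1. No profiles defined: SAF finds nothing, so CICS BAC lets the request through.
    outcomes["unprotected"] = cics_bac_allows(
        saf_check([], resource, "USER1", ["CBKADMIN"], "READ"))

    # 2. RDEFINE FACILITY $CBK.** UACC(NONE): everyone is now refused.
    catch_all = Profile("$CBK.**", uacc="NONE")
    outcomes["catch_all_only"] = cics_bac_allows(
        saf_check([catch_all], resource, "USER1", ["CBKADMIN"], "READ"))

    # 3. A more specific profile with an explicit PERMIT re-opens one resource
    #    for one group, while the catch-all still covers everything else.
    specific = Profile("$CBK.EXAMPLE.*", uacc="NONE", permits={"CBKADMIN": "READ"})
    profiles = [catch_all, specific]
    outcomes["admin_read"] = cics_bac_allows(
        saf_check(profiles, resource, "USER1", ["CBKADMIN"], "READ"))
    outcomes["other_group_read"] = cics_bac_allows(
        saf_check(profiles, resource, "USER2", ["PAYROLL"], "READ"))
    outcomes["admin_update"] = cics_bac_allows(
        saf_check(profiles, resource, "USER1", ["CBKADMIN"], "UPDATE"))
    return outcomes


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:18} -> {'ALLOWED' if allowed else 'DENIED'}")
```

The first case is the default state the page warns about: with no profile at all, the request is allowed. Once the `$CBK.**` profile with `UACC(NONE)` exists, the same request is refused, and access is only restored for the identities you explicitly permit on a more specific profile.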