Non-terminal transaction security

CICS® can protect resources used in non-terminal transactions against unauthorized use.

These transactions are of three types:

Also, resource security checking can now be carried out for PLT programs that are run during CICS shutdown. PLT shutdown programs execute as part of the transaction that requests the shutdown, and therefore run under the authorization of the user issuing the shutdown command.

The START command handles security for non-terminal transactions started by the START command.

A surrogate user is a user who is authorized to attach a transaction for another user, or cause it to be attached, or who inherits all the resource access authorizations for that transaction. A surrogate user can act for that other user.

CICS can issue up to three surrogate user security checks on a single START command, depending on the circumstances:
  1. The userid of the transaction that issues the START command, if USERID is specified.
  2. The userid of the CEDF transaction, if the transaction that issues the START command is being run in CEDF dual-screen mode.
  3. The CICS region userid of the remote system, if the START command is function shipped to another CICS system and link security is in effect.

A separate surrogate user security check is done for each of these userids, as required, before the transaction is attached.
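
The checks listed above can be modelled as a small pre-deployment audit that reports which surrogate authorizations a START would need and which are missing. This is an added example, not IBM code: the StartRequest fields, function names, userids and permit set are constructed, and the SURROGAT profile name userid.DFHSTART comes from the CICS RACF documentation rather than this page. The model assumes no surrogate check is made when USERID is omitted.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class StartRequest:
    """Hypothetical model of one EXEC CICS START request."""
    issuer: str                               # userid of the transaction issuing START
    userid: Optional[str] = None              # USERID option, if specified
    cedf_user: Optional[str] = None           # set when run in CEDF dual-screen mode
    remote_region_user: Optional[str] = None  # set when function shipped and
                                              # link security is in effect

def required_checks(req):
    """Return the (surrogate userid, SURROGAT profile) pairs to be checked."""
    if req.userid is None:
        return []  # assumption: without USERID there is no other user to act for
    profile = f"{req.userid}.DFHSTART"
    surrogates = [req.issuer]
    if req.cedf_user:
        surrogates.append(req.cedf_user)
    if req.remote_region_user:
        surrogates.append(req.remote_region_user)
    return [(s, profile) for s in surrogates]

def missing_permits(req, permits):
    """List every required check that the permit set does not satisfy."""
    return [check for check in required_checks(req) if check not in permits]

def start_allowed(req, permits):
    """The transaction is attached only if every separate check passes."""
    return not missing_permits(req, permits)

# Constructed sample: userids holding READ on BATCH1.DFHSTART.
PERMITS = {("OPER1", "BATCH1.DFHSTART"), ("CICSB", "BATCH1.DFHSTART")}

if __name__ == "__main__":
    cases = [
        StartRequest("OPER1", userid="BATCH1"),
        StartRequest("OPER1", userid="BATCH1", cedf_user="DEV7"),
        StartRequest("OPER1", userid="BATCH1", remote_region_user="CICSB"),
        StartRequest("OPER1"),
    ]
    for req in cases:
        print(req, "->", missing_permits(req, PERMITS) or "all checks pass")
```
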

For programming information about the USERID option and the USERIDERR, INVREQ, and NOTAUTH conditions, see CICS API commands.



dfhp3_concepts_transsecurity.html | Last updated: Thursday, 27 June 2019