

CICS Resource Class

The following CICS resource classes can be used with the BYPADD, BYPREM, PROTADD, and PROTREM suboptions.

Note: This list is intended for a limited number of resources and should not be used as an alternative for the ALL Record.

CEMT=action

Contains Extended Master Terminal Command actions. Valid actions are ADDTO, INQUIRE, PERFORM, REMOVE, and SET. For example, to bypass all CEMT INQUIRE commands, enter:

TSS MODIFY FACILITY(CICSTEST=BYPADD(CEMT=INQUIRE))

DCT=tdq

Contains transient data entries.

DSNAME=name

Contains the File Control Table entries associated with the data set. The DSNCHECK= suboption must be set to YES.

FCT=ddname

Contains File Control Table entries. The DSNCHECK= suboption must be set to NO.

JCT=name

Contains Journal Control Table entries.

LOCKTIME=(list)

The elements in the list may be transactions or terminals:

TSS MODIFY (fac(xxxxxxxx=PROTADD(LOCKTIME=yyyy)))

xxxxxxxx

CICS facility name.

yyyy

Transaction or Terminal. For transactions, supply the complete transaction ID. For terminals, the resource should be specified according to the access method:

Specifies whether LOCKTIME is pseudo‑conversational or conversational. YES equals pseudo‑conversational. Recycling of CICS is required when this control option is changed.

PCT=tranid

Contains interval control started transaction identifiers that are not checked by CA Top Secret.

PPT=name

Contains program processing control entries that are not checked by CA Top Secret.

PSB=name

Contains PSB entries.

SPI=action

Contains a list of CICS command level application programming interface commands. Valid commands are: EXEC CICS SET and EXEC CICS INQUIRE. For example, to protect all EXEC CICS SET commands, enter:

TSS MODIFY FACILITY(CICSTEST=PROTADD(SPI=SET))

To bypass all EXEC CICS INQUIRE commands, except SYSTEM, enter:

TSS MODIFY FACILITY(CICSTEST=BYPADD(SPI=INQUIRE))

To bypass EXEC CICS INQUIRE SYSTEM, also enter:

TSS MODIFY FACILITY(CICSTEST=BYPADD(CEMT=INQUIRE))

SYSID=sysid

Contains system identification names of the CICS systems. SYSID= is only applicable to CICS 3.3 and below.

Note: If EXTSEC=NO is coded in the DFHSIT parameter or the FACMATRX suboption, you must add SYSID to the bypass list.

TCT=(list)

Contains a list of terminal entries.

VTAM=Netname, TCAM=Terminal ID and BTAM=Terminal ID

TRAN=tranid

Contains transaction identifiers that are not checked by CA Top Secret.

TRANID=tranid

Contains transaction identifiers that will bypass all security checking for the transaction. When issuing a TSS MODIFY(FACILITY(CICS facname)) command, the bypass list for TRANID will contain '...'. These periods represent CICS internal transactions whose names contain unprintable characters. These entries cannot be removed.

TRANID differs from TRAN in that TRANID applies to all types of security checking (OTRAN, LCF, file, program, locktime). TRAN applies only to OTRAN or LCF security checking.

TSS MODIFY FACILITY(CICS=BYPADD(TRANID=HELP))

Note: TRANID=TS should not be removed from the CICS Bypass List. It is always needed for LOCK/UNLOCK. Security for the TSS transaction is controlled entirely through administrative authorities, not through transaction protection.

TRANID overrides TRAN in the FACILITY BYPASS LIST.

TST=tsq

Contains Temporary Storage entries.

DSNCHECK=YES|NO

Specifies whether individual data set names or File Control Table entries are checked. XFCT=YES is required for DSNAME checking if running CICS 3.3 or below. See the FACMATRX in the CICS SIT/PCT Override FACILITY Settings section. If DSNCHECK is specified, then RES must also be set.

CICS SIT/PCT Override FACILITY Settings

CICS SIT/PCT settings defined to CICS might be overridden by FACILITY settings as described next.

FACMATRX=YES|NO

Specifies whether CA Top Secret is to override definitions defined to CICS through table assemblies or the CSD file.

YES

CA Top Secret facility settings override CICS definitions.

NO

(Default) CICS definitions override conflicting facility settings.

EXTSEC=

Indicates whether CA Top Secret security is active or inactive.

YES

CA Top Secret security is invoked for this region.

NO

One of the following:

  • For CICS 3.3 and below, CA Top Secret security is inactive, but still present. CA Top Secret is running in an inactive state. An entry has to be made to the SYSID bypass list if you are running in any mode except DORMANT.
  • For CICS 4.1 and above, CA Top Secret security is not present. No SYSID bypass list is necessary to inactivate security with this release.

CA‑ENF is invoked together with CA Top Secret to process the security parameters set for your CICS region. We recommend the use of the facility matrix (FACMATRX=YES) for setting these security parameters, since this centralizes security functions in data sets controlled by the security administrator. The alternative (FACMATRX=NO) distributes the responsibility to the SIT assembly or to the SIT override data set (if used).

When external security is enabled (SIT SEC=YES or FACMATRX EXTSEC=YES), depending upon your security implementation, you might choose to selectively disable external security checks that you do not employ by setting off one or more of the "XPARMS" below. Setting such parameters OFF prevents CICS from generating security queries, and can reduce security file I/O searching for resources and permissions which do not exist. For information about disabling CAIENF calls when using XPARMS, see the Implementation: CICS Guide.

XAPPC=

Indicates whether session security can be used.

YES

Session security can be used.

NO

Session security cannot be used. Only the BIND password (defined to CICS for the APPC connection) is checked.

XCMD=

Indicates whether EXEC CICS commands are checked by CA Top Secret.

YES

All SPI commands are checked by CA Top Secret.

NO

SPI commands are not checked by CA Top Secret.

SPI commands include both CEMT commands and EXEC CICS SPI commands from an application program.

XDB2=YES|NO

Enables/disables secondary resource checking for resource class CTSDB2 to substitute for CICS/DB2 keywords:

During initialization, for CTS 1.2 and above, CICS activates a profile for class CTSDB2. CICS performs security checking by substituting CTSDB2 for the keyword. When XDB2=YES, and FACMATRX=YES, the administrator is also expected to provide security for IBMFAC(DFHDB2.) as documented by IBM in the CICS RACF Security Guide.

XDCT=

Indicates whether transient data entries are checked by CA Top Secret.

YES

Transient data entries for this region are checked by CA Top Secret.

NO

Transient data entries for the region are not checked by CA Top Secret.

XEJB=

Specifies whether support of security roles is enabled.

YES

CICS support for security roles is enabled:

When an application invokes a method of an enterprise bean, CICS calls the external security manager to verify that the userid associated with the transaction is defined in at least one of the security roles associated with the method.

When an application invokes the following method:

	isCallerInRole()

CICS calls the external security manager to determine whether the userid associated with the transaction is defined in the role specified on the method call.

NO

CICS support for security roles is disabled. CICS does not perform enterprise bean method level checks, allowing any userid to invoke any enterprise bean method. The following method always returns a value of TRUE:

	isCallerInRole()

Note: To enable security role support, you must also specify SEC=YES (when FACMATRX=NO) or EXTSEC=YES (when FACMATRX=YES). A change to XEJB or EJBRPRFX requires the CICS region to be recycled in order to implement.

XFCT=

Indicates whether file control entries for the region are checked by CA Top Secret.

YES

File control entries for this region are checked by CA Top Secret. Required for DSNAME checking.

NO

File control entries for this region are not checked by CA Top Secret. Deactivates DSNAME checking.

XJCT=

Indicates whether journal entries are checked for this region by CA Top Secret.

YES

Journal entries for this region are checked by CA Top Secret.

NO

Journal entries for this region are not checked by CA Top Secret.

XPCT=

Indicates whether EXEC‑started transactions for this region are checked by CA Top Secret.

YES

EXEC‑started transactions for this region are checked by CA Top Secret.

NO

EXEC‑started transactions for this region are not checked by CA Top Secret.

XPPT=

Indicates whether program entries for this region are checked by CA Top Secret.

YES

Program entries for this region are checked by CA Top Secret.

NO

Program entries for this region are not checked by CA Top Secret.

XPSB=

Indicates whether PSB entries for this region are checked by CA Top Secret.

YES

PSB entries for this region are checked by CA Top Secret.

NO

PSB entries for this region are not checked by CA Top Secret.

XTRAN=

Indicates whether attached transaction entries for this region are checked by CA Top Secret.

YES

Attached transaction entries for this region are checked by CA Top Secret.

NO

Attached transaction entries for this region are not checked by CA Top Secret.

XTST=

Indicates whether temporary storage entries for this region are checked by CA Top Secret.

YES

Temporary storage entries for this region are checked by CA Top Secret.

NO

Temporary storage entries for this region are not checked by CA Top Secret.

XUSER=

Indicates whether surrogate user checking is performed by CA Top Secret.

YES

Surrogate user checking is performed by CA Top Secret.

NO

Surrogate user checking is not performed by CA Top Secret.

EJBRPRFX=16‑byte‑value

Enables the use of EJB Role Prefixing (for CTS 2.2 and above). This facility suboption specifies a 16‑byte‑value as the prefix that is used to qualify the security role defined in an enterprise bean's deployment descriptor. The prefix is applied to the security role when:

isCallerInRole()

You can specify a prefix of up to 16 characters. The prefix must not contain a period (.) character. If you specify a prefix that contains lowercase characters, blanks, or punctuation characters, you must enclose it in apostrophes. If the prefix contains an apostrophe, code two successive apostrophes to represent it.

The EJBRPRFX facility control sub‑option overrides the CTS 2.2 SIT parameter EJBROLEPRFX when FACMATRX=YES. CA Top Secret does not support the use of mixed case with EJBRPRFX. If FACMATRX=YES and EJBRPRFX is not modified, CA Top Secret will interpret EJBROLEPRFX as the null string. You might implement mixed case security role support if you specify EJBROLEPRFX in the CICS SIT, and set FACMATRX=NO.

The EJBROLEPRFX parameter is ignored if security role support is not enabled. To enable security role support you must specify SEC=YES and XEJB=YES. If there is a change to security role support while a CICS region is executing, a recycle of the region is required in order to implement the change.

PCTCMDSEC=HONOR|OVERRIDE

Specifies whether CA Top Secret will honor the SIT parameter CMDSEC=. PCTCMDSEC= is only applicable to CICS 3.1.1 and above.

OVERRIDE

(Default) CA Top Secret will not honor the PCT CMDSEC= parameter and will force a security call.

HONOR

CA Top Secret will honor the SIT parameter CMDSEC=.

PCTEXTSEC=HONOR|OVERRIDE

Specifies whether CA Top Secret will honor the PCT parameters EXTSEC= and RSLC=. PCTEXTSEC= is only applicable to CICS 3.1 and below.

OVERRIDE

(Default) CA Top Secret will not honor the PCT EXTSEC= and RSLC= parameters and will force a security call.

HONOR

CA Top Secret will honor the PCT parameters EXTSEC= and RSLC=.

PCTRESSEC=HONOR|OVERRIDE

Specifies whether CA Top Secret will honor the SIT parameter RESSEC=. PCTRESSEC= is only applicable to CICS 4.1 and above.

OVERRIDE

(Default) CA Top Secret will not honor the SIT RESSEC= parameter and will force a security call.

HONOR

CA Top Secret will honor the SIT parameter RESSEC=.
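
Added example (not part of the original CA documentation): a configuration review helper that replays bypass/protect list commands in the single-value FACILITY(...) form shown on this page and reports settings that conflict with the rules stated above (TRANID bypass scope, the DSNCHECK/XFCT dependency, FACMATRX, EXTSEC and the X* suboptions). The function names, the settings dictionary, the ABCD transaction and the data set name PAYROLL.MASTER are assumptions made for illustration.

```python
import re

CMD = re.compile(r"TSS MODIFY FACILITY\((\w+)=(BYPADD|BYPREM|PROTADD|PROTREM)"
                 r"\((\w+)=([^()]+)\)\)$", re.I)

def apply_commands(commands):
    """Replay FACILITY(fac=BYPADD|BYPREM|PROTADD|PROTREM(CLASS=value)) commands."""
    lists = {}
    for cmd in commands:
        m = CMD.match(cmd.strip())
        if not m:
            raise ValueError(f"unrecognised command: {cmd!r}")
        fac, op, cls, value = (g.upper() for g in m.groups())
        target = lists.setdefault(fac, {"BYP": set(), "PROT": set()})[op[:-3]]
        (target.add if op.endswith("ADD") else target.discard)((cls, value))
    return lists

def audit(lists, settings):
    """Findings for one facility, using only rules stated on this page."""
    findings = [f"TRANID={v} bypasses all security checking"
                for c, v in sorted(lists["BYP"]) if c == "TRANID"]
    classes = {c for c, _ in lists["BYP"] | lists["PROT"]}
    dsncheck = settings.get("DSNCHECK")
    if "DSNAME" in classes and dsncheck != "YES":
        findings.append("DSNAME entries require DSNCHECK=YES")
    if "FCT" in classes and dsncheck != "NO":
        findings.append("FCT entries require DSNCHECK=NO")
    if dsncheck == "YES" and settings.get("XFCT") == "NO":
        findings.append("XFCT=NO deactivates DSNAME checking")
    if settings.get("FACMATRX", "NO") != "YES":  # NO is the documented default
        findings.append("FACMATRX=NO: CICS definitions override facility settings")
        return findings
    if settings.get("EXTSEC") == "NO":
        findings.append("EXTSEC=NO: CA Top Secret security is inactive")
    findings += [f"{k}=NO: check disabled for this region"
                 for k in sorted(settings) if k[0] == "X" and settings[k] == "NO"]
    return findings

# Constructed sample: a change log and the facility's current suboption values.
SAMPLE_COMMANDS = [
    "TSS MODIFY FACILITY(CICSTEST=BYPADD(CEMT=INQUIRE))",
    "TSS MODIFY FACILITY(CICSTEST=BYPADD(TRANID=HELP))",
    "TSS MODIFY FACILITY(CICSTEST=BYPADD(TRANID=ABCD))",
    "TSS MODIFY FACILITY(CICSTEST=BYPREM(TRANID=ABCD))",
    "TSS MODIFY FACILITY(CICSTEST=PROTADD(DSNAME=PAYROLL.MASTER))",
]
SAMPLE_SETTINGS = {"FACMATRX": "YES", "DSNCHECK": "NO", "XFCT": "YES", "XTRAN": "NO"}

if __name__ == "__main__":
    print(*audit(apply_commands(SAMPLE_COMMANDS)["CICSTEST"], SAMPLE_SETTINGS), sep="\n")
```

List values written with their own parentheses, such as LOCKTIME=(list), are rejected with ValueError rather than guessed at.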