Link security further restricts the resources that a user can access depending on the remote system from which they are accessed. The practical effect of link security is to prevent a remote user from attaching a transaction or accessing a resource for which the link user ID has no authority. Link security works by signing on each end of a session to RACF when the session is bound. Each half-session then has the access requirements of the link user ID, whose user profile is applied when a transaction is attached and whenever that transaction accesses a protected resource. Link security can be associated with a connection or a session, according to whether you want to control the link security for each group of sessions separately.
To define link security for a connection as a whole, specify the Securityname parameter in the connection definition. To define link security for individual groups or sessions within a connection, specify the user ID in the session definition as a user identifier.
The connection or session definition must be associated with a RACF user profile. This user profile must have access to any protected resources to which the inbound transaction needs access.
CICS logs on the specified user ID in a way similar to that used for a CICS terminal user. If the logon fails, the logon failure message is sent to the master terminal destination, and the link is given the security of the default user in the receiving system; that is, the receiving system is able to access only those resources to which the default user has access.
If both user ID and security name are specified, user ID is the effective RACF user identifier for the set of sessions that are defined by that particular session definition. For other session definitions for the same connection that do not specify user ID, security name is used.
If there is no user ID for link security (neither user ID nor security name was specified), the user profile for the group or session defaults to that of the default user. Changing the link authority requires the release and re-acquisition of the link.
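The precedence and fallback rules above, as an added example that is not part of the original documentation: a small Python model that works out the effective link user ID for each session group and lists the groups that end up with only the default user's authority. The class and function names, the sample definitions, the `DFLT` user and the `signon_ok` callback are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Sessions:
    name: str
    userid: Optional[str] = None          # user ID on the session definition

@dataclass
class Connection:
    name: str
    securityname: Optional[str] = None    # Securityname on the connection definition
    sessions: List[Sessions] = field(default_factory=list)

def effective_link_users(conn: Connection, default_user: str,
                         signon_ok: Callable[[str], bool]) -> Dict[str, Tuple[str, str]]:
    """Map each session group to (effective link user ID, reason).

    signon_ok(userid) models whether the RACF sign-on at bind time succeeds.
    """
    result = {}
    for s in conn.sessions:
        if s.userid:                       # session user ID wins over security name
            user, why = s.userid, "session user ID"
        elif conn.securityname:            # otherwise the connection-wide value
            user, why = conn.securityname, "security name"
        else:                              # neither specified
            user, why = default_user, "default user (nothing specified)"
        if user != default_user and not signon_ok(user):
            # failed logon: link gets the security of the default user
            user, why = default_user, "default user (logon failed)"
        result[s.name] = (user, why)
    return result

def falls_back_to_default(conn, default_user, signon_ok) -> List[str]:
    """Session groups whose link authority is only that of the default user."""
    users = effective_link_users(conn, default_user, signon_ok)
    return sorted(n for n, (u, _) in users.items() if u == default_user)

# Constructed sample definitions (not taken from any real system)
SAMPLE = [
    Connection("CON1", "LINKA", [Sessions("SESA"), Sessions("SESB", "LINKB")]),
    Connection("CON2", None, [Sessions("SESC"), Sessions("SESD", "LINKD")]),
]
KNOWN_USERS = {"LINKA", "LINKD"}   # constructed: LINKB has no valid user profile

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.name, effective_link_users(c, "DFLT", KNOWN_USERS.__contains__))
```

A group reported by `falls_back_to_default` is worth reviewing, because its inbound transactions run with whatever the default user is permitted to access rather than with a dedicated link profile.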
Copyright © 2014 CA. All rights reserved.