We have a number of CICS regions that are currently running under CICS 2.1.2 with internal security. There is a single CICS userid used for all regions. We are now going to migrate to Transaction Server and external security. I'm thinking that from a security standpoint, it is better to have a unique CICS userid assigned to each region as opposed to a single one shared across all of them. What are your thoughts on this matter?
You have left it a long time to move away from 2.1.2 (a CICS release I had a lot to do with the coding of!), which is now unsupported. I strongly recommend going straight to CTS 2.2 and not stopping off on the way at CTS 1.3 - there is nothing particularly interesting to you about the Java Support in CTS 2.2, so there is absolutely no benefit in pausing along the way: the main item of concern will be to implement the logger (and this is equally painful to get going in either release).
You will need two logonids: one for the StartedTask/Job that the CICS Region will be using (which will have to be OE enabled) and another one to act as the default & non-terminal userid used by CICS Transactions.
I don't think that there is any benefit at all in having different JCL logonids for your CICS regions.
There is a bit of a stronger case in having different default userids INSIDE the CICS regions, but I'm not really too keen on that either. I say this because these default userids will want - basically - the same level of authority wherever they run. Which means it's going to be a waste of time ensuring that a change to one region's default access gets done/migrated to all the others. This is especially so if the CICS regions are being cloned (multiple AORs) for performance or integrity reasons.
On the other hand - if you have lots of AORs that are doing logically different things, it may be better to have distinct default userids.