We have a number of CICS regions that are currently running under CICS 2.1.2 with internal security. There is a single CICS userid used for all regions. We are now going to migrate to Transaction Server and external security. I'm thinking that from a security standpoint, it is better to have a unique CICS userid assigned to each region as opposed to a single one shared across all of them. What are your thoughts on this matter?
You have left it a long time to move away from 2.1.2 (a CICS release whose coding I had a lot to do with!), which is now unsupported. I strongly recommend going straight to CTS 2.2 and not stopping off on the way at CTS 1.3 - there is nothing particularly interesting to you about the Java Support in CTS 2.2, so there is absolutely no benefit in pausing along the way: the main item of concern will be to implement the logger (and this is equally painful to get going in either release).
You will need two logonids: one for the StartedTask/Job that the CICS Region will be using (which will have to be OE enabled) and another one to act as the default & non-terminal userid used by CICS Transactions.
I don't think that there is any benefit at all in having different JCL logonids for your CICS regions.
There is a bit of a stronger case for having different default userids INSIDE the CICS regions, but I'm not really too keen on that either. I say this because these default userids will want - basically - the same level of authority wherever they run. Which means it's going to be a waste of time ensuring that a change to one region's default access gets done/migrated to all the others. This is especially so if the CICS regions are being cloned (multiple AORs) for performance or integrity reasons.
On the other hand - if you have lots of AORs that are doing logically different things, it may be better to have distinct default userids.