We have a number of CICS regions that are currently running under CICS 2.1.2 with internal security. There is a...
single CICS userid used for all regions. We are now going to migrate to Transaction Server and external security. I'm thinking that from a security standpoint, it is better to have a unique CICS userid assigned to each region as opposed to a single one shared across all of them. What are your thoughts on this matter?
You have left it a long time to move away from 2.1.2 (a CICS release of which I had a lot to do with the coding of!) and is now unsupported. I strongly recommend going straight to CTS 2.2 and not stopping off on the way at CTS 1.3 - there is nothing particularily interesting to you about the Java Support in CTS 2.2, so there is absolutlely no benefit in pausing along the way: the main item of concern will be to implement the logger (and this is equally painful to get going in either release).
You will need two logonids: one for the StartedTask/Job that the CICS Region will be using (which will have to be OE enabled) and another one to act as the default & non-terminal userid used by CICS Transactions.
I don't think that there is any benefit at all in having different JCL logonids for your CICS regions.
There is a bit of a stronger case in having different default userids INSIDE the CICS regions, but I'm not really too keen on that either. I say this because these default userids will want - bassically - the same level of authority wherever they run. Which means it's going to be a waste of time ensuring that a change to one regions-default-access gets done/migrated to all the others. This is especially so if the CICS regions are being cloaned (multiple AORs) for performance or integrity reasons.
On the other hand - if you have lots of AORs that are doing logically different things, it may be better to have distinct default userids.
Dig Deeper on IBM system z and mainframe systems
Related Q&A from Robert Crawford
For better mainframe capacity planning, how do I convert CPU hours to MIPS? And is there a way to calculate the relationship between MIPS and MSUs? Continue Reading
I have two years of experience in mainframe technology, currently working as a mainframe developer. I want to change to Java technology. Continue Reading
I want to replicate DB2 from the mainframe to an AIX box since it's cheaper and the copy can be used for testing. Is this possible? Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.