Problem solve Get help with specific problems with your technologies, process and projects.

CICS command security

I'm running z/OS 1.4 and CICS TS 2.2 for CICS. Is there any way to monitor who used CEMT and command (SET,Perform) in CICS?

I'm running z/OS 1.4 and CICS TS 2.2 for CICS. Is there any way to monitor who used CEMT and command (SET,Perform) in CICS?

You indicated that you specified SEC=YES, XTRAN=YES, and XCMD=YES in the CICS initialization parameters. You didn't describe the problem you encountered, but I'll assume it was related to the CICS command security mechanism that was enabled by specifying XCMD=YES.

You didn't identify any profiles you defined in the RACF supplied resource classes used for CICS command security, member class CCICSCMD and group class VCICSCMD. The resource names that you may define as member class profiles or as member names within group class profiles are documented in Table 12 within Chapter 8 of the CICS RACF Security Guide. The manual number for the CICS TS V2,R2 version of this book is SC34-6011-00.

For any profiles you have defined in the CCICSCMD or VCICSCMD classes, you can cause RACF to create an SMF TYPE 80 record for any CICS SET, PERFORM, CREATE, or DISCARD commands by issuing the following commands for each of the existing profiles:


Whether or not you have defined profiles in the CCICSCMD or VCICSCMD classes to cover all of the documented resource names, it's desirable to define the following profile in the CCICSCMD resource class:


This profile will allow any EXEC CICS INQUIRE or COLLECT commands to execute successfully for any resource names not covered by one of the other profiles, but will cause any request to change the status of any of CICS resource types not covered by other profiles to fail with a NOTAUTH response and produce both an ICH408I message and an SMF TYPE 80 record for the failed attempt to execute an EXEC CICS SET, PERFORM, CREATE, or DISCARD command.

If you are also using any of the additional pairs of RACF resource classes for CICS programs, files, TD queues, TS queues, journals, or started transactions, specified by the XPPT, XFCT, XDCT, XTST, XJCT, or XPCT initialization parameters, you may also encounter security problems with using supplied transaction definition for CEMT in RDO group DFHOPER as this definition specifies RESSEC(YES) as well as CMDSEC(YES).

This definition for CEMT will require the user to have access to the resource security profile covering the resource name as well as access to the command security profile covering the type of resource, at the required level, to allow commands to be processed.

You can create an alternate definition for CEMT with RESSEC(NO) by copying the supplied definition to an RDO group of your choosing and then altering the RESSEC option. If the DFHOPER group is included in the lists of groups installed in CICS during COLD start processing, ensure that the group containing your alternate definition for CEMT follows the DFHOPER group so that your definition will override the supplied definition for CEMT.

Editor's note: Do you agree with this expert's response? If you have more to share, post it in one of our [email protected]/search390>discussion forums.

Dig Deeper on IBM system z and mainframe systems