ACF2 for CICS, unable to secure CATA or CATD transactions.
Article ID: 202109
Updated On:
Products
ACF2
ACF2 - DB2 Option
ACF2 for zVM
ACF2 - z/OS
ACF2 - MISC
LDAP SERVER FOR Z/OS
PAM CLIENT FOR LINUX ON MAINFRAME
WEB ADMINISTRATOR FOR TOP SECRET
Issue/Introduction
Trying to prevent users from accidentally issuing CAT* transactions since they are only supposed to be used by the region and not by users, so we attempted to add the following:
PROTLIST RESOURCE=TRANS,ENTRY=CAT*
Only allow the primary ID of the CICS region to the CAT* transactions.
This setup works on preventing users from starting CATR transaction but it doesn't work for CATA or CATD.
Environment
Release : 16.0
Component : CA ACF2 for z/OS
Resolution
ACF2 as an additional layer of security wants to ensure that CICS transactions designated as "Category 1", which are "Transactions that are never associated with a terminal-that is, they are for CICS internal use only, and should not be invoked from a user terminal." are not executed by terminal users. If an attempt is made to run a CAT1 transaction within a terminal transaction, an AKC3 abend is issued, before any resource accesses are validated.
Feedback
Yes
No
Powered by
