ACF2 for CICS, unable to secure CATA or CATD transactions.

Article ID: 202109

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, LDAP SERVER FOR Z/OS, PAM CLIENT FOR LINUX ON MAINFRAME, WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

Trying to prevent users from accidentally issuing CAT* transactions, since they are only supposed to be used by the region and not by users, we attempted to add the following:

PROTLIST RESOURCE=TRANS,ENTRY=CAT*

Only the primary ID of the CICS region is allowed access to the CAT* transactions.

This setup prevents users from starting the CATR transaction, but it does not work for CATA or CATD.

Environment

Release: 16.0

Component: CA ACF2 for z/OS

Resolution

As an additional layer of security, ACF2 ensures that CICS transactions designated as "Category 1" are not executed by terminal users. Category 1 transactions are "Transactions that are never associated with a terminal - that is, they are for CICS internal use only, and should not be invoked from a user terminal." If an attempt is made to run a CAT1 transaction within a terminal transaction, an AKC3 abend is issued before any resource accesses are validated.