Datacom External Security with CICS

Article ID: 274714


Products

Datacom Datacom/DB

Issue/Introduction

With external security in place and a user accessing Datacom through CICS, is access granted at the CICS level, or is the user's sign-on information passed to RACF to determine whether the user has access to the Datacom table? In other words, do we grant access to the CICS region or to the users in the region?

Environment

Release: 15.1

Resolution

The security controls for Datacom External Security are always user-specific, and based on the path to access the data or the function needed to manage the environment. Users can be granted or denied access to use SQL, DBUTLTY, DD functions, etc. Here, CICS is not very different.

As you can see in the Security Overview section of the documentation, there is a certain set of controls for CICS. First, though, is a requirement that the CICS SIT parameters (the startup parameters) have EXTSEC=YES to use RACF. Then, in the MUF Startup Options for SECURITY, there are ten different paths available for control, and of these, there are four that control specific CICS types of access. You can see this in the section Using the DTSYSTEM. The only reason that access might be granted to something other than a user is if the CICS region submits its own JCL using the default CICS userid. In this case, that userid would need access just like a human user.

Now for those four paths. They are:

  • SCI - CICS SQL requests path
  • SCQ - CICS SQL for Dataquery requests path
  • RCI - CICS non-SQL requests path
  • RCQ - CICS non-SQL for Dataquery requests path

Therefore, in your MUF Startup Option SECURITY, you would have:

SECURITY DBxxSCI,DBxxSCQ,DBxxRCI,DBxxRCQ

and replace xx with the proper table class you want to use.

Additional Information

As always, please contact Broadcom support for Datacom if you have further questions.