An EXCI connection defined in CICS with ATTACHSEC = LOCAL allows users to access the system even though they don't have access to that region.

book

Article ID: 52547

calendar_today

Updated On:

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC CA PanApt CA PanAudit

Issue/Introduction

Description:

An EXCI connection that is defined in CICS with ATTACHSEC = LOCAL allows users who are not permitted access to the region to access the system as though they did have the access. If the connection is defined with ATTACHSEC = IDENTIFY, the users are not permitted to sign on to the CICS region. Does this mean that the CICS connections must be defined with ATTACHSEC = IDENTIFY for ACF2 to validate them?

Solution:

The CICS connection must specify ATTACHSEC=IDENTIFY to get an ACF2 validation of the signon. ATTACHSEC=LOCAL means there is no signon information available, so CICS bypasses signon processing and ACF2/CICS will assign the MRO default id to the connection. Since ACF2/CICS hooks into the signon processing you must have ATTACHSEC=IDENTIFY to initiate signon in CICS and have signon validation by ACF2/CICS.

Environment

Release:
Component: ACF2MS