I'm going through IBM's documentation on the transactions that come with CICS. I see they come in three security categories: 1) those that should never be invoked by a user (I gather they're for CICS' use only), 2) the ordinary kind, and 3) those that are always available to all users. The description of this last category—see this link to IBM Knowledge Center, for example—starts out "All CICS® terminal users, whether they are signed on or not, require access to transactions in this category. For this reason, category 3 transactions are exempt from any security check, and CICS permits any terminal user to initiate these transactions."
Ok, that sounds to me as though CICS isn't issuing a SAF call for any of these transactions, so I can go through our TSS database and remove any permissions to them. But there's also this a sentence or two later: "These transactions should be defined to RACF; although this definition does not affect task attach-time processing, it is required to support the QUERY SECURITY command."
1) How do I understand these two statements, taken together?
2) What is the QUERY SECURITY command? (I'm not any kind of CICS SME.)
3) Is my surmise correct that CICS doesn't query TSS before running these transactions?
4) If I should "define" these transactions to TSS, does that consist simply of setting up an owner for each one?
In shorty, they are basically saying all users should have access to these transactions and should be authorized for all resources.
Its a CICS command level call to see if a user is authorized for a resource.
There is security checking done in CICS like transaction and program security, but these transaction should be allowed to access everything the need and not stopped by security.
These Category 1, 2 and 3 transactions are on the FACILITY bypass list by default so you don't have to do anything. By being on the bypass list, the transactions will be authorized for everything and not receive any security violations.
Joseph Porto - CA Level 1 Support
Joe, I'm having trouble with part of your answer. Let's review IBM's statements about CICS-supplied transactions in security category 3: a) "....category 3 transactions are exempt from any security check, and CICS permits any terminal user to initiate these transactions." b) "These transactions should be defined to RACF...this definition does not affect task attach-time processing...." My questions:
1) You say these two statements "are basically saying all users should have access to these transactions"—and I agree—"and should be authorized for all resources" (where by "all resources" you mean "all cat-3 transactions", I think.) But statement a) seems to say, and to say very plainly, that in fact cat-3 transactions not should be authorized but are authorized—"exempt from any security check". I interpret this to mean CICS doesn't do a SAF call for them. If so, it doesn't matter whether I permit users to them or not. Do you think I'm misreading statement a)?
2) Ok, thanks, I think I get QUERY SECURITY now. And it helps me understand why I should "define" cat-3 transactions to TSS even though no permissions are necessary or appropriate.
3) I ask for confirmation that CICS doesn't check security for cat-3 transactions, and you reply "There is security checking done in CICS like transaction and program security, but these transaction should be allowed to access everything the[y] need and not stopped by security." I think that's the opposite of IBM's statement that "category 3 transactions are exempt from any security check". Could you reread that? If you still think IBM got it wrong, tell me why.
4) I ask whether "defining" cat-3 transactions means simply creating an owner for them; you reply "These Category 1, 2 and 3 transactions are on the FACILITY bypass list by default so you don't have to do anything. By being on the bypass list, the transactions will be authorized for everything and not receive any security violations." Now there you got confused, I think, because whatever a bypass list is, it cannot be true that cat-1 and cat-2 transactions are on it; those must not be permitted to all users. According to IBM, cat-1 transactions are never to be issued by a terminal, and of course cat-2 transactions are powerful and must be restricted to just a few users.
So let's assume you really were thinking about cat-3 transactions only, the ones that IBM says are to be permitted to all users. You say they're on a "FACILITY bypass list by default", so I don't have to do anything. Great; but what's a FACILITY bypass list? I take it it's something to be found in TSS' definition of the CICS facility, or is it in the CICS startup parms, or what? Where do I look to confirm it, in other words, please?
I had made some tests with EXEC CICS QUERY SECURITY and have detected it as a security-server-independent (=CICS on-board) mean to check, whether the user is authorized to a resource (i.e. a cat-3-transaction) or not. It takes into account all types, how the resource is defined to the security server (TSS, ACF2, RACF).
It is not necessary to define the transaction to the security server, only because you want to use EXEC CICS QUERY SECURITY.
It may well be that CICS CICS QUERY SECURITY performs better than an EXEC CICS LINK to a security-server-interface-program (e.g. TSSCAI).
The "bypass list" is an additional mean (besides OTRAN and LCF) to define security for cics transactions on a facility-level. Transaction-codes contained in the bypass list of a specific cics-facility are generally permitted to all users in the cics-regions related to that facility. you can query the bypass-settings of your-cics-facility with TSS-command
MODIFY FAC(your-cics-facility=BYPLIST), and maintain it by BYPADD and BYPREM commands. A.o. see more at bypassing-security-checking-for-certain-resources/the-protect-list
Thanks, Josef. So between IBM's documentation regarding cat-3 CICS transactions, and Joe Porto's reply, and yours, and what I now see in TSS manual about the CICS bypass list (after you pointed me to it), here's my understanding—and if you see anything you disagree with, please contradict:
1) No permissions to cat-3 transactions in TSS are needed or appropriate. According to the IBM documentation, CICS itself does not do a security check on them. This is not because of TSS' bypass list; IBM was writing that about RACF, not TSS, so I take it this behavior is hard-coded into CICS itself.
2) The cat-3 CICS-supplied transactions therefore do not need to be in TSS' CICS bypass list. Nevertheless all but two of them are in the sample BYPASS listing in the r15 manual, and all but three are in the bypass listing at our installation. No harm done, however; if CICS never asks TSS about these transactions, their mention in the bypass list is a waste merely of a few bytes of RAM.
3) This thing about "defining" the transactions: Josef, you said you tested QUERY SECURITY a bit, but I'm confused about your conclusion. You write "It is not necessary to define the transaction to the security server, only because you want to use EXEC CICS QUERY SECURITY", and I take you to mean QUERY SECURITY is able to figure out users' access to (cat-3) transactions even without their being defined in TSS. I guess that makes sense; if the special status of the cat-3 transactions is hard-coded into CICS, then the CICS QUERY-SECURITY function can very reasonably be supposed to know about it.
I notice to my surprise that about 20 of the category-2 transactions are in the CICS bypass list, too. This doesn't seem right to me; the category-2 transactions are, according to IBM, imbued with special power and should not be handed out to just anyone. But I'll bring that up separately.
ad 3) I have learned and tested in the meantime, that transaction-codes, that are only in the bypass-list are invocable (without security violation), but appear in EXEC CICS QUERY SECURITY as NOTREADABLE - signalling a security violation. Thus, my first post was not correct, sorry about that upcoming confusion.
The result of EXEC CICS QUERY SECURITY corresponds to the result of TSSCAI.
It could be, that EXEC CICS QUERY SECURITY an TSSCAI end up in a RACROUTE AUTH, while the invocation of a transaction-code, which is added to the bypass list, "skips" that check. You could try a SECTRACE to verify this.
btw.: If you use bypass-lists keep in mind the difference between TRAN/TRANS and TRANID
I doubt, whether the default TSS BYPLIST correspond to up-to-date CICS-supplied Cat-3 transaction codes, maybe CICS supplied cat-3 transaction codes need not to be defined in the byplist any more? Some clearification and revision for this area would be helpful.