Joe, I'm having trouble with part of your answer. Let's review IBM's statements about CICS-supplied transactions in security category 3:
a) "....category 3 transactions are exempt from any security check, and CICS permits any terminal user to initiate these transactions."
b) "These transactions should be defined to RACF...this definition does not affect task attach-time processing...."
My questions:
1) You say these two statements "are basically saying all users should have access to these transactions"—and I agree—"and should be authorized for all resources" (where by "all resources" you mean "all cat-3 transactions", I think.) But statement a) seems to say, and to say very plainly, that in fact cat-3 transactions not should be authorized but are authorized—"exempt from any security check". I interpret this to mean CICS doesn't do a SAF call for them. If so, it doesn't matter whether I permit users to them or not. Do you think I'm misreading statement a)?
2) Ok, thanks, I think I get QUERY SECURITY now. And it helps me understand why I should "define" cat-3 transactions to TSS even though no permissions are necessary or appropriate.
3) I ask for confirmation that CICS doesn't check security for cat-3 transactions, and you reply "There is security checking done in CICS like transaction and program security, but these transaction should be allowed to access everything the[y] need and not stopped by security." I think that's the opposite of IBM's statement that "category 3 transactions are exempt from any security check". Could you reread that? If you still think IBM got it wrong, tell me why.
4) I ask whether "defining" cat-3 transactions means simply creating an owner for them; you reply "These Category 1, 2 and 3 transactions are on the FACILITY bypass list by default so you don't have to do anything. By being on the bypass list, the transactions will be authorized for everything and not receive any security violations." Now there you got confused, I think, because whatever a bypass list is, it cannot be true that cat-1 and cat-2 transactions are on it; those must not be permitted to all users. According to IBM, cat-1 transactions are never to be issued by a terminal, and of course cat-2 transactions are powerful and must be restricted to just a few users.
So let's assume you really were thinking about cat-3 transactions only, the ones that IBM says are to be permitted to all users. You say they're on a "FACILITY bypass list by default", so I don't have to do anything. Great; but what's a FACILITY bypass list? I take it it's something to be found in TSS' definition of the CICS facility, or is it in the CICS startup parms, or what? Where do I look to confirm it, in other words, please?