Skip to content
CA Top Secret® for z/OS - 16.0
Documentation powered by DocOps

FACILITY—Control System Facility Processing

Last update December 21, 2018

Valid on z/OS and z/VM.

Use the FACILITY control option to:

  • Control the processing of each system facility
  • Obtain the status of a facility

All entry methods are accepted.

Contents

This control option has the following format:

FACILITY(facility|ALL)
FACILITY(facility=subopt1<=value1>,...)
  • facility
    The full name of a single facility.

Examples: FACILITY Control Option

This example displays the status of the TSO facility:

F TSS,FACILITY(TSO)

This example updates the FACILITY option:

TSS MODIFY(FACILITY(subopt1=operand<=value><,subopt2<=value2>>...))

This example alters the BATCH facility to WARN mode and sets NOLUMSG. Note that the suboption MODE requires a value, but that the NOLUMSG suboption does not:

TSS MODIFY('FACILITY(BATCH=MODE=WARN,NOLUMSG)')

Universal Suboptions

The following suboptions are available for facilities of all types:

  • ABEND
    Resets the NOABEND suboption.
  • NOABEND
    A multiuser address space facility (CICS, IMS, CA-Roscoe) will not abend if one user in the region causes a violation. This does not imply that the ACID used to define the Facility itself is immune from security abends during startup.
    If NOABEND is set, CA Top Secret will not cancel the user's activity even if the violations exceed the violation's threshold (VTHRESH). CA Top Secret locks the user's terminal.
  • ACTIVE
    Reactivates a facility that was deactivated via the FACILITY(facility=INACT) command.
    CA Top Secret Status/Diagnostic Log listings displays “IN-USE” to indicate that a facility is active.
    For example, to allow signons to the IMSPROD facility, enter:

    FACILITY(IMSPROD=ACTIVE)
    
  • ASUBM
    Indicates that CA Top Secret-authorized job submission is being used for the given facility.
  • NOASUBM
    Resets the ASUBM suboption
  • AUDIT
    Audits all activity for users who subsequently logon to the specified facility.
    For example, to audit all user activity of a newly activated facility, enter:

    FACILITY(IMSPROD=AUDIT)
    
  • NOAUDIT
    Deactivates auditing of users who subsequently logon to the facility.
  • AUTHINIT
    Requires an application to execute APF authorized in order to execute a RACINIT or RACROUTE REQUEST=VERIFY.
  • NOAUTHINIT
    (Not recommended) Allows an application which is not APF authorized to execute a RACINIT or RACROUTE REQUEST=VERIFY. NOAUTHINIT requires that the program issuing the request must come from an APF authorized library, whether or not it is running with APF authorization. Another requirement for NOAUTHINT is that the request cannot include the PASSCHK=NO parameter.
  • DEFACID(acid)
    Assigns a default ACID used for access to the specified facility by users who do not have defined ACIDs but require access to the facility. The TSS CREATE function must be used to define this default ACID. For example, a production CICS default ACID can be defined so that users who do not require specific security requirements are governed by the blanket requirements that are defined by the default ACID.
    The DEFACID under CICS is used to satisfy an ATS signon only. In CICS3.2.1 or above, a DEFACID is not recommended and using CICS DFLTUSR is preferred. For example:

    FACILITY(TSO=DEFACID(TSODEF))
    

    Note: DEFACID is not needed for CICS 3.2 and above.

  • DEFACID(RDR*TERM)
    Indicates that CA Top Secret derives the default ACID from the terminal or batch reader name, if the userid entered at signon is not defined as an ACID, or if the batch ACID is not supplied.
    A default ACID for BATCH can be defined to handle RJE (Remote Job Entry) or NJE (Network Job Entry) job submission. If so defined, all jobs that are submitted derive a default ACID associated with the NJE or RJE node. This eliminates required JCL changes or possible viewing of passwords over the NJE or RJE lines.
    A BATCH default ACID can also be defined for jobs submitted through a card reader. This will eliminate required JCL changes that include coding of passwords on the job card.
    To establish a default ACID for RJE remotes 1, 2, and 3, the security administrator would specify the following the in the Parameter File:

    FACILITY(BATCH=DEFACID(RDR*TERM))
    

    The security administrator would then create and define ACIDS for remote readers 1, 2, and 3. CA Top Secret will use these ACIDS to derive the default ACIDS.

    TSS CREATE(RM1) DEPARTMENT(XXX)
                    FACILITY(BATCH)
                    SOURCE(RM1)
                    NAME('DEFAULT-FOR-SHOP-1')
    

    The security administrator would continue to create ACIDS for readers 2 and 3. When a default ACID is assigned, the user receives message TSS7053I.

  • DEFACID(*NONE*)
    Removes the default ACID for the facility specified. For example:

    FACILITY(BATCH=DEFACID(*NONE*))
    

    Note: DEFACID should never be used with facility TSO.

  • DORMPW
    Honors password validation in DORMANT mode when specified for a facility. A DORMANT mode user must give the correct password to log on. For details, see the WARNPW sub-option.
    Note: Message TSS7102E will only be issued for control type ACIDs.
  • NODORMPW
    Does not honor CA Top Secret password validation in DORMANT mode.
    Note: Due to changes in CICS Transaction Server for z/OS (CICS TS) password processing, a DORMANT mode user must still provide a password, even though password validation is not active.
  • DOWN=suboption
    Controls how jobs are initiated and passwords changed for a facility when CA Top Secret's address space is inactive. There are six suboptions associated with the DOWN option:
    • GLOBAL | * -- Defaults to the setting defined by the DOWN control option. An asterisk (*) has the same meaning as GLOBAL.
    • WAIT -- Waits for CA Top Secret to be restarted.
    • BYPASS -- Bypasses security checking, does not invoke CA Top Secret until it is restarted.
    • FAIL -- Fails the request
    • NORMAL -- Reverts to native security (if any) until CA Top Secret is restarted. Overrides the global DOWN option for the particular facility.
  • EODINIT
    Indicates that a RACINIT can be performed for the facility after a TSS ZEOD has been issued. Required for JES and Console facilities.
  • NOEODINIT
    Indicates that a RACINIT cannot be performed for the facility after a TSS ZEOD has been issued.
  • ID=
    Equals one or two alphanumeric characters that represents the facility for reporting purposes. This value is predefined in the Facilities Matrix Table and should not be changed unless defining or renaming a facility.
  • IJU
    CA Top Secret inserts USER= and PASSWORD= into the JCL.
  • NOIJU
    CA Top Secret will not insert USER= or PASSWORD= into the JCL. Under the FTP facility, specify NOIJU to ensure FTP userid ACID is propagated.
  • INACT
    Deactivates ability to sign on to the facility specified. Active users will continue normally. For example, FACILITY(IMS=INACT) prevents users from signing on to IMS.
  • INSTDATA
    Allows installation data to be stored within a region of the specified facility.
    For example:

    FACILITY(TSO=INSTDATA)
    
  • NOINSTDATA
    Prohibits storing of installation data in a facility region. Usually done to conserve space in large user regions.
  • IN-USE
    Indicates that the facility definition has been updated. It is used to determine if the facility should be displayed as a result of a TSS MODIFY, FACILITY(ALL) or a TSS MODIFY, STATUS command. FACILITIES are marked as IN-USE as soon as a user signs on to them. Although it cannot be set directly, it is set by changing any option of the facility, through the PARMFILE or via a TSS MODIFY command. IN-USE is turned on even if the option is set to its default value.
  • KEY=n
    Can be set to equal the TCB protect key that the facility uses for storage.
    Default: 8
  • LCFCMD
    Specifies that all LCF (Limited Command Facility) associated messages will refer to “Commands” in their text.
  • LCFTRANS
    Specifies that all LCF-associated messages will refer to “Transactions” in their text.
  • LOCKTIME=n
    Assigns the amount of time after which a terminal connected to a specific facility will lock, if CA Top Secret does not detect activity. Facility specific locktimes are overridden by a user's or profile's locktime.
    The following example indicates that terminals logged on to CICSPROD will lock if CA Top Secret does not detect activity after five minutes.

    FACILITY(CICSPROD=LOCKTIME=5)
    
  • LOG(log,log...)
    LOG indicates what types of security events CA Top Secret will record, and where it will record them.
    The LOG option allows this to be done for all facilities (global) while the LOG suboption allows LOG options to be specified for each facility. Facility-specific LOG options entered after any global LOG option will override the global option.
    The security administrator might use the LOG suboption in one of three ways:

    FACILITY(fac=LOG(ACTIVITY,ACCESS,SMF,INIT,MSG))
    FACILITY(fac=LOG(NONE))
    FACILITY(fac=LOG(ALL))
    

    For example, to indicate that all events should be logged for CICS, enter:

    FACILITY(CICSPROD=LOG(ALL))
  • LTLOGOFF=NO|YES|SIGNOFF
    Lets you further enhance LOCKTIME processing by controlling user logoff after the second LOCKTIME interval expires.
    Note:
     To activate LTLOGOFF, locktime transactions must be correctly installed.
    • NO
      (Default) Does not log the user's terminal off when his/her locktime has expired for a second interval.
    • YES
      Logs the user's terminal off when his/her locktime has expired for a second interval.
    • SIGNOFF
      Signs off the user without disconnecting the terminal from CICS.
  • LUMSG
    Requests that the system display the “last-used” message when a user signs on to the specified facility. This operand only applies to USER type ACIDs running in other than DORMANT mode. USER type ACIDs will not display the “last-used” message in DORMANT mode in any case. Administrator type ACIDs will always display the “last-used” message.
    For example:

    FACILITY(CICSPROD=LUMSG)
    
  • NOLUMSG
    Terminates the last-used message display. This operand does not apply to administrator type ACIDs that will always display the “last-used” message.
  • LUUPD
    Activates the update of last used statistics for most successful signons. Automatic Terminal Signon (ATS) and preset terminal security normally do not update last used statistics. Last used statistics can be activated for these signons using OPTIONS(30) at TSS startup. This setting is the default for all facilities and should typically remain so.
  • NOLUUPD
    Prevents updating of the last -- used statistics for all successful signon events within this facility, regardless of the setting of the RACROUTE macro specification of the STAT=ASIS/NO parameter. Use NOLUUPD to reduce the amount of I/O to the security file when experiencing severe I/O performance problems.
    This sub-option does not prevent the display of the last used messages. Use the NOLUMSG option for this.
    With this sub-option set, the last used statistics are only updated when a user incurs a password violation in this facility. This event updates the password violation count and the last used statistics.
  • MAXSIGN=(nnn,RETRY|KILL)
    • nnn
      Specifies the maximum number of queued signon/signoff requests that are processed..
      Default: 10
      Range: 5 to 100.
      For example, to manually set the threshold at 15.
    	TSS MODIFY FACILITY(CICSPROD=MAXSIGN=(15))
    	TSS MODIFY FACILITY(CICSPROD=MAXSIGN=(100,RETRY))
    	TSS MODIFY FACILITY(CICSPAY=MAXSIGN=(15,KILL))
    

    Note: The parentheses around the value are required.

  • RETRY
    Signon/signoff requests that exceed the threshold are requeued. For example, in the sample command shown next, additional attempts to sign on are requeued to CICS.
    • KILL
      Abends the signon/signoff transaction. When Kill is set and the number of users attempting to sign on equals the threshold, additional attempts to sign on are failed. For example, you can restrict the number of concurrent signons to a CICS facility called CICSPAY to a threshold of 15 by using the TSS MODIFY command like this:
    When coding MAXSIGN and MAXUSER in the CA Top Secret PARM field, the MAXUSER option must be coded before MAXSIGN. If MAXUSER is not coded first, an invalid data error will occur during CA Top Secret initialization.
  • MAXUSER=nnnn
    Specifies the size of the ACID cross-reference table in any multi-user address space system. In order to increase the size of the cross-reference table, you must recycle the address space. In CICS, the MAXUSER value specified is also used to calculate necessary USCB allocation at startup.
    When a multi user region starts up, the MAXUSER XREF table is built to hold the user ID and key. This table is 16 bytes times the MAXUSER value, one 16 byte entry for each user that signs on. When a user signs off, the entry is cleared and available for reuse.
    When the XREF table fills up, message TSS0962E is issued. Users can sign on, but there is no entry added to the XREF table so if the region abends the storage for the user(s) is not freed. This can cause orphaned storage.
    Default: 3000
    Minimum: 256
  • MODE=mode
    Specifies a specific security mode for the facility:
    • DORM
    • FAIL
    • IMPL
    • WARN

    Unless FACSTOR(NO) is in effect, modes specified by facility must be entered after global or systemwide mode selections in the PARMFILE.  Thus, if the global mode is FAIL, but WARN is specified for the IMS facility, then all users initiating from IMS will operate in the WARN mode.
    If the global mode is changed via an O/S Modify command:

    F TSS,MODE(D|W|I|F)
  • MSGLC 
    Indicates that user violation messages are issued in mixed case. 

  • NOMSGLC 
    Indicates that user violation messages are issued in uppercase only

  • MULTIUSER
    Used to indicate a multiuser address space.
    A multiuser address space supports multiple users. Security is generally not handled by z/OS. The following facilities are examples of multiuser address space facilities: CICS, IMS, CA-Roscoe, and CA-IDMS.
    An example of a multiuser address space appears next.

    FACILITY(IMS1=MULTIUSER)
    
  • NAME=fffff
    Changes the base name of a facility in the Facility matrix table. Once changed, the new facility name must always be used. To change a facility name from CICSPROD to CICSPAY, enter:

    FAC(CICSPROD=NAME=CICSPAY)
    
  • NPWR
    Specifies whether a TSO or CICS facility supports password reverification. There is a default of two attempts for new passwords to be verified before complete logon sequence needs restarting. To set the threshold value for TSO and CICS, see NPWRTHRESH for details. When a user logs on to a facility that has activated the NPWR sub-option of the FACILITY control option, and enters a new password, the following message is issued:

    TSS7016A ENTER NEW PASSWORD AGAIN FOR REVERIFICATION
    

    The user then enters the new password a second time for reverification. This ensures that the user correctly enters and remembers the new password. If the user enters an incorrect reverified password, he is prompted again. After the second attempt, if the reverified new password is still incorrect, the following message is issued and an accompanying DRC(015) is returned.

    TSS7111E NEW PASSWORD CHANGE INVALID - REVERIFICATION FAILED
    
  • NONPWR
    Does not force password reverification.
  • PGM=xxx or xxxxxxxx
    Supplies all eight or just the first three characters of the program name issuing RACINIT SVC's. Online systems use RACINIT to support signon validation for individual users. This is the key to determining the (generic) facility.
  • PHRASEONLY
    Requires signons to this facility to specify a password phrase. Signons that specify a password will fail.

  • NOPHRASEONLY
    Deactivates the PHRASEONLY suboption.

  • PRFT=nnnn
    Specifies the size of the shared profile table in increments of 256 entries. A single shared profile table is allocated at the start of a region if its facility has SHRPRF set. The storage for the shared profile table is in extended private, subpool 230. Each entry in the table is 16 bytes long and contains the:
    • Profile ACID ID
    • Number of users sharing the profile
    • Profile address
    • Change indicator
    A region's shared profile table must have enough entries to hold the highest number of unique profiles that can be allocated within the region at any time. For example, a region supporting 250 users, each sharing 3 common profiles, where each user also has 1 unique profile, must have a shared profile table with no less than 253 entries.
    When the shared profile table becomes full, the address space reads new profiles into the private SECREC for newly signed on users. This causes additional security file I/O during signon and may reduce the efficiency of CA Top Secret for this address space.
    Default: 3
  • PROMPT
    FOR TSO ONLY: Makes it useless for users to enter their passwords with their userid when logging on. This helps prevent CA Top Secret from displaying passwords on the terminal. If a user enters his password and user ID at the same time, CA Top Secret will issue a warning message and lock the user's terminal for 10 seconds (the default), then prompt for the password.
  • NOPROMPT
    Deactivates the PROMPT suboption.

  • RES
    Provides for the interpretation and recognition of maskable resources within the facility. Some examples of maskable resource classes are DATASET, JESSPOOL, DB2DBASE and DB2COLL. Without RES on the facility, security checks against these resource classes will fail. To identify a maskable resource class, see the commands documentation.
  • RXLTLIST
    Lists all the resource class translate entries defined to the translate table.
  • RXLTADD(oldclass:newclass)
    Specifies a resource class translate entry to be added to the translate table.
  • oldclass
    Specifies the source resource class.
  • newclass
    Specifies the target resource class for the translation that occurs during the resource validation process.
    Both old and new resource classes must exist in the RDT. An old class defined to the RDT as a type PIE or MRIE cannot be translated to a new class type RIE.
  • RXLTREM(oldclass)
    Specifies a resource class translate entry to be removed from the translate table.
  • NORES
    Prevents the interpretation and recognition of maskable resources within a facility. In high performance transaction managers that do not normally make use of maskable resource classes, this can improve performance. However, security features, which do involve maskable resources, cannot be used.
  • RNDPW
    Enables random password generation in a facility. Two methods are supported:
    • User initiated -- random password generation is in effect when the facility suboption RNDPW is set. Users can have CA Top Secret generate a password for them by entering RANDOM in the New Password field. This option does not preclude users from specifying their own password in accordance with NEWPW criteria.
    • Automatic initiated -- random password generation takes place when the user's current password expires, and both facility suboption RNDPW and global option NEWPW(RN) are in effect.
    RNDPW is set by default for TSO, CICS, and IMS. Some facilities might not display new, randomly generated passwords. Each facility, therefore, should test RNDPW before placing it into production.
    Note: When neither RNDPW facility suboption nor NEWPW(RN) option are set and a user enters RANDOM as a new password, RANDOM is evaluated literally and set the user's password to RANDOM. NEWPW(RN) global option must not be set if user-initiated random password generation is required.
  • NORNDPW
    Cancels the RNDPW suboption.
  • SHRPRF
    Allows profile sharing in multiuser address space environments such as CA-Roscoe®, IMS, and CICS where it is important to conserve storage. SHRPRF allows a copy of the profile to be shared by all users in the multiuser facility. Thus, storage is used efficiently.
    After a profile has been updated, users must have their profile refreshed by the security administrator, or sign on again to access the new profile. If not, the user will continue to access the version with which he signed on.
  • NOSHRPRF
    Prohibits profile sharing for the specified facility.
  • SIGN(M)
    Allows simultaneous logons with the same ACID for the specified facility.
  • SIGN(S)
    Sets CA Top Secret to disallow simultaneous signon for an address space by the same ACID from different sources (e.g. network terminals). When a duplicate signon is sensed, CA Top Secret issues message TSS7172E and disallows the second session. In IMPL and FAIL mode, this restriction is strictly enforced. In WARN mode, only a message is issued: signon by the same ACID from multiple terminals is logged and the user is warned, but the restriction is not enforced.
    Note: Keyword SIGNMULTI allows specific user ACIDs to sign on multiple times, when the facility sub-option is SIGN(S) and you have specified TYPE=CICS as the FACILITY option.
  • STMSG
    Requests that the system display the status message when a user signs on to the specified facility. This operand only applies to USER type ACIDs running in other than DORMANT mode. USER type ACIDs will not display the status message in DORMANT mode in any case. Administrator type ACIDs will always display the status message.
  • NOSTMSG
    Terminates the status message display. This operand does not apply to administrator type ACIDs that will always display the status message.
  • SUAS
    Used to indicate a single-user address space. For the purposes of CA Top Secret, a single-user address space requests data sets directly from z/OS. These facilities are single-user address spaces: TSO, BATCH, and STC.
  • TRACE
    Allows entire facility to be traced. See SECTRACE for more information.
  • NOTRACE
    Deactivates the TRACE suboption.
  • TSOC
    Indicates that a facility is TSO compatible, the facility can handle TGET and TPUT SVCs.
  • NOTSOC
    Cancels the TSOC suboption.
  • TYPE
    When listing all facilities, a three-digit numerical value (ranging from 000 to 100) displays for the TYPE= parameter. This parameter should not be changed except when defining or renaming a new CICS, CA-IDMS®, DB2, CA-ROSCOE, or IMS facility. Then TYPE= must be specified as TYPE=CICS, TYPE=IDMS, TYPE=DB2, TYPE=ROSCOE, or TYPE=IMS. These changes will also update the facility ID numbers (CICS=004, IDMS=011, DB2=100, ROSCOE=007, and IMS=005.) A facility with no predefined keyword is assigned display type 099.
    When used to modify a dummy facility, the keyword facility TYPE must be used as follows:

    TSS MODIFY FACILITY(xxxxx=TYPE=IMS)
    
  • UIDACID=n
    Specifies that the first n characters of an online userid is used to derive the ACID for the user.
  • WARNPW
    Forces defined users and jobs to use their correct passwords during the WARN mode. The default for the WARN mode would normally allow a job to process, even if the user omitted his password or entered it incorrectly.
    If the user signs on with a security administrator's ACID, and omits or enters an invalid password, CA Top Secret will FAIL the request regardless of the current security mode, or control option settings. CA Top Secret ignores the WARNPW option for undefined user ACIDS, and in DORMANT mode.
  • NOWARNPW
    Cancels the WARNPW suboption.
  • XDEF
    Sets protection in place by default for all commands and transactions controlled by the facility. Explicit authorization is required through LCF (Limited Command Facility) or through OTRAN permission.
  • NOXDEF
    Indicates that transactions and commands need not be authorized through LCF before they can be used.

CICS-Related FACILITY Suboptions

The following suboptions are CICS-specific and can be used when you have specified TYPE=CICS as the FACILITY option. The suboptions comprise the CICS BYPASS and CICS PROTECT resource lists.

Resources can be added to the bypass list (to avoid checking by CA Top Secret) or added to the protect list (to be checked). If a resource is added to both lists, the entry on the protect list overrides the bypass list. For example, the following entry on the bypass list would bypass security checking for all transactions beginning with XY:

TSS MODIFY FACILITY(CICSTEST=BYPADD(TRANID=XY)

You can still check for security on transaction XYZ by entering the following command:

TSS MODIFY FACILITY(CICSTEST=PROTADD(TRANID=XYZ)

The PROTADD(TRANID=XYZ) command overrides the BYPADD(TRANID=XY) command. The transactions XYAB and XYQZ match the prefix on the bypass list but do not match the override protection in the protect list: these transactions would be bypassed. The transactions XYZ and XYZQ match the entries in both the bypass list and the protect list; so the protect list entry takes precedence.

The following suboptions comprise the CICS BYPASS and CICS PROTECT resource lists:

  • BYPLIST
    Enables or disables the lists; enables auditing of transactions; and displays CICS resources on the lists:
    • To disable the lists for a CICS facility, issue the following command:

      TSS MODIFY FACILITY(CICSPROD=BYPLIST(NO))

      Note: By default, the lists are activated through BYPLIST(YES). For complete information about disabling the lists, see the documentation about setting CICS-specific control options.

    • To enable auditing, follow the instructions for adding transaction ownership and activating the auditing. 
      With auditing active, you can run reports to identify users that have executed transactions in the list without the necessary resource authorization.

    • To display the CICS resources on the lists, issue the following command:

      TSS MODIFY(FACILITY(CICSPROD=BYPLIST))
      

      Results of the command are displayed below.

      Important! The ellipsis (….) punctuation is essential and represents internal CICS transactions with hexadecimal unprintable names.
      FACILITY DISPLAY FOR CICSPROD
      BYPASS TABLE DISPLAY FOR FACILITY  CICSPROD
      RESOURCE=LOCKTIME BYPASS  NAMES:   TSS
      RESOURCE=TRANID   BYPASS  NAMES:   CAQP   CATA   CATD   CATP
       CATR   CAUT   CCIN   CCMF   CDBD   CDBN   CDBO   CDBT
       CDTS   CECS   CEGN   CEHP   CEHS   CESC   CESF   CESN
       CFTS   CGRP   CITS   CLQ2   CLR1   CLR2   CLS3   CLS4
       CMPX   CMTS   CNPX   COVR   CPLT   CPMI   CQPI   CQPO
       CQRY   CRDR   CRMD   CRSQ   CRSR   CRSY   CRTE   CRTR
       CSAC   CSCY   CSFU   CSGM   CSGX   CSHR   CSIR   CSJC
       CSKP   CSLG   CSMI   CSM1   CSM2   CSM3   CSM4   CSM5
       CSNC   CSNE   CSPG   CSPK   CSRK   CSPP   CSPQ   CSPS
       CSRS   CSSC   CSSF   CSSN   CSSX   CSSY   CSTA   CSTB
       CSTE   CSTP   CSTT   CSXM   CSXX   CSZI   CVMI   CVST
       CWTR   CXCU   CXRE   CXRT   TS     8888   9999   ....
       ....   ....   ....   ....   ....   CFTL   CFSL   CKTI
       CKAM   CFCL   CIOD   CIOF   CIOR   CIRR   CJTR   CSHA
       CSHQ   CSOL   CTSD   CWBG   CWXN   CDBF   CEX2   CFQR
       CFQS   CSFR   CSQC   CDBQ   CRMF   CLSG   CFOR   CJMJ
       CLS1   CLS2   CPIH   CPIL   CPIQ   CRTP   CWXU   CPIR
       CPIS   CISC   CISD   CISE   CISR   CISS   CIST   CJGC
       CJPI   CISB   CEPD   CEPM   CISQ   CISU   CISX   CIS4
       CRLR   CISM   CEPT   CPSS   CJSR   CESL   CISP   CIS1
       CJSL   CRST   CPCT   CFCR   CJLR
      RESOURCE=TRANID   PROTECT NAMES:   CEDF   TSEU
      
  • BYPADD(class=resource)

    Specifies a CICS resource prefix to add to the bypass list. Resources of this class that match this prefix are not checked by CA Top Secret security when used on a CICS that is defined for this facility.

    Note: After adding transactions to the list, you can enable auditing of the transactions. This can help you, for example, identify users that have executed transactions in the list without the necessary resource authorization. 

    Prefix entries on the TRANID parameter of a bypass list bypass security on the transaction and on resource checks that are initiated by the transaction; prefix entries on the TRAN parameter of a bypass list only bypass security on the transaction as it is initiated. You can also append a +A suffix to TRANID prefix entries as shown in the following example command:

    TSS MODI FACILITY(CICSPROD=BYPADD(TRANID=FILX+A))

    Adding this suffix allows the auditor to review the usage for bypassed transactions. The preceding command bypasses security on transactions beginning with FILX and flags each matching transaction in facility CICSPROD for audit

    .
  • BYPREM(class=resource)
    Specifies a CICS resource prefix to remove from the bypass list.
  • DB2=name
    Contains the resource names for CICS keywords DB2CONN, DB2ENTRY, and DB2TRANS. These resource names are checked against the resource class associated with the XDB2 SIT or FACILITY option. For example, DB2=P8 bypasses security checking for DB2CONN(P8*), DB2ENTRY(P8*), and DB2TRANS(P8*) when FACMATRX=YES and XDB2=YES in the associated CICS facility.
  • PROTADD(class=resource)

    Specifies CICS resources that are added to the protect list and will override a (generally shorter) entry on the bypass list. For example, the following specification protects transactions that begin with XXY:

    TSS MODI FAC(CICSPROD=PROTADD(TRANID=XXY))

    Important! An audit suffix (+A) should never be used in a protection list. The list does not expect such suffixes to be present

  • PROTREM(class=resource)
    Specifies CICS resources to remove from the protect list.

CICS Resource-Related Suboptions

The following CICS resource-related suboptions can be used with the BYPADD, BYPREM, PROTADD, and PROTREM suboptions.

Note: This list is intended for a limited number of resources and should not be used as an alternative for the ALL Record.

    • CEMT=action
      Contains Extended Master Terminal Command actions, valid actions are; ADDTO, INQUIRE, PERFORM, REMOVE, and SET. For example, to bypass all CEMT INQUIRE commands, enter:

      TSS MODIFY FACILITY(CICSTEST=BYPADD(CEMT=INQUIRE))
      
    • DCT=tdq
      Contains transient data entries.
    • DSNAME=name
      Contains the File Control Table entries associated with the data set. The DSNCHECK= suboption must be set to YES.
    • FCT=ddname
      Contains File Control Table entries. The DSNCHECK= suboption must be set to NO.
    • JCT=name
      Contains Journal Control Table entries.
    • LOCKTIME=(list)
      The elements in the list may be transactions or terminals:

      TSS MODIFY (fac(xxxxxxxx=PROTADD(LOCKTIME=yyyy)))
      
    • xxxxxxxx
      CICS facility name.
    • yyyy
      Transaction or Terminal. For transactions, supply the complete transaction ID. For terminals, the resource should be specified according to the access method:
      • VTAM=Netname
      • TCAM=Terminal ID
      • BTAM=Terminal ID
      • PCLOCK=YES|NO
      Specifies whether LOCKTIME is pseudo-conversational or conversational. YES equals pseudo-conversational. Recycling of CICS is required when this control option is changed.
    • PCT=tranid
      Contains interval control started transaction identifiers that are not checked by CA-Top Secret.
    • PPT=name
      Contains program processing control entries that are not checked by CA-Top Secret.
    • PSB=name
      Contains PSB entries.
    • SPI=action
      Contains a list of CICS command level application programming interface commands. Valid commands are: EXEC CICS SET and EXEC CICS INQUIRE. For example, to protect all EXEC CICS SET commands, enter:

      TSS MODIFY FACILITY(CICSTEST=PROTADD(SPI=SET))
      

      To bypass all EXEC CICS INQUIRE commands, except SYSTEM, enter:

      TSS MODIFY FACILITY(CICSTEST=BYPADD(SPI=INQUIRE))
      

      To bypass EXEC CICS INQUIRE SYSTEM, also enter:

      TSS MODIFY FACILITY(CICSTEST=BYPADD(CEMT=INQUIRE))
      
    • SYSID=sysid
      Contains system identification names of the CICS systems. SYSID= is only applicable to CICS 3.3 and below.
      Note: If EXTSEC=NO is coded in the DFHSIT parameter or the FACMATRX suboption, you must add SYSID to the bypass list.
    • TCT=(list)
      Contains a list of terminal entries.
      VTAM=Netname, TCAM=Terminal ID and BTAM=Terminal ID
    • TRAN=transaction_id
      Identifies transactions that bypass OTRAN and LCF security checking.
    • TRANID=transaction_id
      Identifies transactions that bypass all security checking (OTRAN, LCF, file, program, locktime). TRANID overrides TRAN in the facility bypass list. 

      Note: By default, CICS facility bypass and protect lists contain ellipsis (….) punctuation, which represents internal CICS transactions whose names contain unprintable names. These entries cannot be removed.

      Adding an '+A' suffix to the end of the transaction or transaction prefix causes an audit record to be written to the CA Top Secret audit/tracking file whenever the transaction is accessed; thus, this suffix allows an auditor to review the usage for the bypassed transaction.

      Important! Transaction ID TS is needed for LOCK/UNLOCK and should not be removed from the CICS bypass List. Security for the TSS transaction is controlled entirely through administrative authorities (not through transaction protection).

      Examples: Bypassing Security for Transactions
      This example bypasses security for the HELP transaction:

      TSS MODIFY FACILITY(CICS=BYPADD(TRANID=HELP))

      This example bypasses security for all transactions that start with HE and audits them:

      TSS MODIFY FACILITY(CICS=BYPADD(TRANID=HE+A))
    • TST=tsq
      Contains Temporary Storage entries.
    • DSNCHECK=YES|NO
      Specifies whether individual data set names or File Control Table entries are checked. XFCT=YES is required for DSNAME checking if running CICS 3.3 or below. See the FACMATRX in the CICS SIT/PCT Override FACILITY Settings section. If DSNCHECK is specified, then RES must also be set.
    • CICS SIT/PCT Override FACILITY Settings
      CICS SIT/PCT settings defined to CICS might be overridden by FACILITY settings as described next.
    • FACMATRX=YES|NO
      Specifies whether CA Top Secret is to override definitions defined to CICS through table assemblies or the CSD file.
      • YES
        CA Top Secret facility settings override CICS definitions.
      • NO
        (Default) CICS definitions override conflicting facility settings.
    • EXTSEC=
      Indicates whether CA Top Secret security is active or inactive.
      • YES
        CA Top Secret security is invoked for this region.
      • NO
        One of the following:
        • For CICs 3.3 and below, CA Top Secret security is inactive, but still present. CA Top Secret is running in an inactive state. An entry has to be made to the SYSID bypass list if you are running in any mode except DORMANT.
        • For CICS 4.1 and above, CA Top Secret security is not present. No SYSID bypass list is necessary to inactivate security with this release.
        • CA-ENF is invoked together with CA Top Secret to process the security parameters set for your CICS region. We recommend the use of the facility matrix (FACMATRX=YES) for setting these security parameters, since this centralizes security functions in data sets controlled by the security administrator. The alternative (FACMATRX=NO) distributes the responsibility to the SIT assembly or to the SIT override data set (if used). When external security is enabled (SIT SEC=YES or FACMATRX EXTSEC=YES), depending upon your security implementation, you might choose to selectively disable external security that you do not employ by setting off one or more of the "XPARMS" below; setting such parameters OFF prevents CICS from generating security queries, and can reduce security file I/O searching for resources and permissions that do not exist.

          Note: You can also review information about disabling CAIENF calls when using XPARMS.
    • XAPPC=
      Indicates whether session security can be used.
      • YES
        Session security can be used.
      • NO
        Session security cannot be used. Only the BIND password (defined to CICS for the APPC connection) is checked.
    • XCMD=
      Indicates whether EXEC CICS commands are checked by CA Top Secret.
      • YES
        All SPI commands are checked by CA Top Secret.
      • NO
        All SPI commands are not checked by CA Top Secret.
      SPI commands include both CEMT commands and EXEC CICS SPI commands from an application program.
    • XDB2=YES|NO
      Enables/disables secondary resource checking for resource class CTSDB2 to substitute for CICS/DB2 keywords:
      • DB2CONN
      • DB2ENTRY
      • DB2TRANS
      During initialization, for CTS 1.2 and above, CICS activates a profile for class CTSDB2. CICS performs security checking by substituting CTSDB2 for the keyword. When XDB2=YES, and FACMATRX=YES, the administrator is also expected to provide security for IBMFAC(DFHDB2.) as documented by IBM in the CICS RACF Security Guide.
    • XDCT=
      Indicates whether transient data entries are checked by CA Top Secret.
      • YES
        Transient data entries for this region are checked by CA Top Secret.
      • NO
        Transient data entries for the region are not checked by CA Top Secret.
    • XEJB=
      Specifies whether support of security roles is enabled.
      • YES
        CICS Support for security roles is enabled:
        When an application invokes a method of an enterprise bean, CICS calls the external security manager to verify that the userid associated with the transaction is defined in at least one of the security roles associated with the method.
        When an application invokes the following method:
      	isCallerInRole()
      	isCallerInRole()
      

      CICS calls the external security manager to determined whether the userid associated with the transaction is defined in the role specified on the method call.

    • NO
      CICS support for security roles is disabled. CICS does not perform enterprise bean method level checks, allowing any userid to invoke any enterprise bean method. The following method always returns a value of TRUE:

Note:

    To enable security role support, you must also specify SEC=YES (when FACMATRX=NO) or EXTSEC=YES (when FACMATRX=YES). A change to XEJB or EJBRPRFX requires the CICS region to be recycled in order to implement.
  • XFCT=
    Indicates whether file control entries for the region are checked by CA Top Secret.
    • YES
      File control entries for this region are checked by CA Top Secret. Required for DSNAME checking.
    • NO
      File control entries for this region are not checked by CA Top Secret. Deactivates DSNAME checking.
  • XHFS=
    Specifies whether or not CICS is to check the transaction user's ability to access files in the z/OS Unix System Services file system. This parameter is automatically set to NO in CTS release 3.1 and below.
    • YES
      CICS calls CA Top Secret to check whether or not the user is authorized to access the file identified by the URIMAP that matches the incoming URL.
    • NO
      CICS is not to drive a validation of access permission for z/OS UNIX files.
  • XJCT=
    Indicates whether journal entries are checked for this region by CA Top Secret.
    • YES
      Journal entries for this region are checked by CA Top Secret.
    • NO
      Journal entries for this region are not checked by CA Top Secret.
  • XPCT=
    Indicates whether EXEC-started transactions for this region are checked by CA Top Secret.
    • YES
      EXEC-started transactions for this region are checked by CA Top Secret.
    • NO
      EXEC-started transactions for this region are not checked by CA Top Secret.
  • XPPT=
    Indicates whether program entries for this region are checked by CA Top Secret.
    • YES
      Program entries for this region are checked by CA Top Secret.
    • NO
      Program entries for this region are not checked by CA Top Secret.
  • XPSB=
    Indicates whether PSB entries for this region are checked by CA Top Secret.
    • YES
      PSB entries for this region are checked by CA Top Secret.
    • NO
      PSB entries for this region are not checked by CA Top Secret.
  • XRES=
    On CTS 3.2 and above systems, indicates whether or not CICS DOCCTEMPLATE resource validations should be processed. This parameter is treated as NO for all CICS releases below CTS 3.2.
    • YES
      DOCTEMPLATE resource validations are performed.
    • NO
      DOCTEMPLATE resource validations are not performed and all attempts to access DOCTEMPLATE resources are allowed.
  • XTRAN=
    Indicates whether attached transaction entries for this region are checked by CA Top Secret.
    • YES
      Attached transaction entries for this region are checked by CA Top Secret
    • NO
      Attached transaction entries for this region are not checked by CA Top Secret.
  • XTST=
    Indicates whether temporary storage entries for this region are check by CA Top Secret.
    • YES
      Temporary storage entries for this region are checked by CA Top Secret.
    • NO
      Temporary storage entries for this region are not checked by CA Top Secret.
  • XUSER=
    Indicates whether surrogate user checking is performed by CA Top Secret.
    • YES
      Surrogate user checking is performed by CA Top Secret.
    • NO
      Surrogate user checking is not performed by CA Top Secret.
  • EJBRPRFX=16-byte-value
    Enables the use of EJB Role Prefixing (for CTS 2.2 and above). This facility suboption specifies a 16-byte-value as the prefix that is used to qualify the security role defined in an enterprise bean's deployment descriptor. The prefix is applied to the security role when:
    • A role is defined to an external security manager. CICS calls the external security manager to perform method authorization checks
    • An application invokes the following method:
    • isCallerInRole()
    You can specify a prefix of up to 16 characters. The prefix must not contain a period (.) character. If you specify a prefix that contains lowercase characters, blanks, or punctuation characters, you must enclose it in apostrophes. If the prefix contains an apostrophe, code two successive apostrophes to represent it.
    The EJBRPRFX facility control sub-option overrides the CTS 2.2 SIT parameter EJBROLEPRFX when FACMATRX=YES. CA Top Secret does not support the use of mixed case with EJBRPRFX. If FACMATRX=YES and EJBRPRFX is not modified, CA Top Secret will interpret EJBROLEPRFX as the null string. You might implement mixed case security role support if you specify EJBROLEPRFX in the CICS SIT, and set FACMATRX=NO.
    The EJBROLEPRFX parameter is ignored if security role support is not enabled. To enable security role support you must specify SEC=YES and XEJB=YES. If there is a change to security role support while a CICS region is executing, a recycle of the region is required in order to implement the change.
  • PCTCMDSEC=HONOR|OVERRIDE
    Specifies whether CA Top Secret will honor the SIT parameter CMDSEC=. PCTCMDSEC= is only applicable to CICS 3.1.1 and above.
    • OVERRIDE
      (Default) CA Top Secret will not honor the PCT CMDSEC= parameter and will force a security call.
    • HONOR
      CA Top Secret will honor the SIT parameter CMDSEC=.
  • PCTEXTSEC=HONOR|OVERRIDE
    Specifies whether CA Top Secret will honor the PCT parameters EXTSEC= and RSLC=. PCTEXTSEC= is only applicable to CICS 3.1 and below.
    • OVERRIDE
      (Default) CA Top Secret will not honor the PCT EXTSEC= and RSLC= parameters and will force a security call.
    • HONOR
      CA Top Secret will honor the PCT parameters EXTSEC= and RSLC=.
  • PCTRESSEC=HONOR|OVERRIDE
    Specifies whether CA Top Secret will honor the SIT parameter RESSEC=. PCTRESSEC= is only applicable to CICS 4.1 and above.
    • OVERRIDE
      (Default) CA Top Secret will not honor the SIT RESSEC= parameter and will force a security call.
    • HONOR
      CA Top Secret will honor the SIT parameter RESSEC=.

CICS Specific Suboptions


  • CICSCACHE
    Identifies the facility matrix sub option in the modification of the CICS caching option. This option sets the processing options and size for the memory "cache box" that TSS allocates for each terminal session. As resources are successfully accessed, resources are cached to minimize security file and audit file access. Cached resources are not rechecked against the security file. By default, cached resources will not be audited, and the cache is cleared at the end of every transaction. The cache box size defaults to 512 bytes.

    TSS MODI FAC(CICSPROD=CICSCACHE(SESSLIFE,AUDIT,2048))
    
  • TASKLIFE|SESSLIFE
    Defines CICS resources to be cached for the life of the transaction (TASKLIFE) or the life of the signed -- on user (SESSLIFE).
    Default: TASKLIFE.
  • NOAUDIT|AUDIT
    Defines whether new resource checks of previously cached resources will be written to the ATF (audit tracking file).
  • 512, 1024, 2048, or 4096
    Defines the size of the CICS cache box. The larger the size the more resources can be kept inside. Once the cache box is full, the oldest entries get removed.
    Default: 512
  • RLP=
    Indicates whether RLP processing is activated by CA Top Secret. Valid operands include:
    • YES
      RLP processing is activated by CA Top Secret
    • NO
      RLP processing is not activated by CA Top Secret
  • SIGN(M)
    Sets CA Top Secret to allow simultaneous signon for an address space by the same ACID from different sources (for example, network terminals). CA Top Secret will not convert a product to allow multiple signons where the product itself only tolerates single signons within the address space. It is recommended that you recycle the related CICS region(s) after dynamically changing SIGN(M); otherwise, unpredictable effects can occur.
    Note: This parameter interacts with the CICS SIT parameter SNSCOPE.
  • SIGN(S)
    Sets CA Top Secret to disallow simultaneous signon for an address space by the same ACID from different sources (network terminals). When a duplicate signon is sensed, CA Top Secret issues message TSS7172E and disallows the second session. It is recommended that you recycle related CICS region(s) after dynamically changing SIGN(S); otherwise, unpredictable effects can occur.

    Note: This parameter interacts with the CICS SIT parameter SNSCOPE.
  • SLP=
    Indicates whether SLP processing is activated by CA Top Secret.
    • YES
      SLP processing is activated by CA Top Secret
    • NO
      SLP processing is not activated by CA Top Secret

Options for Invoking Predefined Facilities

You can use the following default option specifications to invoke predefined facilities in CA Top Secret:

ACEP	
INITPGM=ACE    ID=A  TYPE=27
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,NORNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
APPC	
INITPGM=ATB    ID=AP TYPE=03
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=IN-USE,ACTIVE,NOSHRPRF,NOASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,NORNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,EODINIT,DORMPW,NONPWR
MODE=WARN  DOWN=GLOBAL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
MAXUSER=03000  PRFT=003
BATCH
INITPGM=IEFIIC    ID=B   TYPE=01
ATTRIBUTES=IN-USE,ACTIVE,SHRPRF,NOASUBM,ABEND,SUAS,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,NORNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,NOWARNPW,NOTSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL  LOGGING=INIT,MSG,SEC9,SMF
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
CA7	
INITPGM=SAS   ID=U  TYPE=025
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=NOLUMSG,NOSTMSG,SIGN(M),INSTDATA,NORNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,NOEODINIT,IJU,NODORMPW,NONPWR
MODE=WARN DOWN-GLOBAL LOGGING=ACCESS,INIT,SMF,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
CICSPROD	
INITPGM=DFH      ID=C  TYPE=004
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,NORES,WARNPW,NOTSOC,LCFTRANS
ATTRIBUTES=MSGLC,NOTRACE,NOEODINIT,IJU,NODORMPW,NONPWR
ATTRIBUTES=LUUPD
MODE=WARN  DOWN=GLOBAL  LOGGING=ACCESS,INIT,SMF,MSG,SEC9
UIDACID=8 LOCKTIME=000 DEFACID=*NONE*   KEY=8
FACMATRX=NO       EXTSEC=YES      EJBRPRFX=NO
XJCT=YES XFCT=YES XCMD=YES XDCT=YES XTRAN=YES XDB2=NO  XEJB=NO
XTST=YES XPSB=YES XPCT=YES XPPT=YES XAPPC=NO  XUSER=NO
XHFS=NO  XRES=NO
PCTEXTSEC=OVERRIDE    PCTCMDSEC=OVERRIDE  PCTRESSEC=OVERRIDE
DSNCHECK=NO   LTLOGOFF=NO       RLP=NO   SLP=NO   PCLOCK=NO
MAXUSER=03000  PRFT=003  MAXSIGN=010,RETRY
CICSCACHE=TASKLIFE,NOAUDIT,0512

FACILITY DISPLAY FOR CICSPROD
BYPASS TABLE DISPLAY FOR FACILITY  CICSPROD
RESOURCE=LOCKTIME BYPASS  NAMES:   TSS
RESOURCE=TRANID   BYPASS  NAMES:   CAQP   CATA   CATD   CATP
 CATR   CAUT   CCIN   CCMF   CDBD   CDBN   CDBO   CDBT
 CDTS   CECS   CEGN   CEHP   CEHS   CESC   CESF   CESN
 CFTS   CGRP   CITS   CLQ2   CLR1   CLR2   CLS3   CLS4
 CMPX   CMTS   CNPX   COVR   CPLT   CPMI   CQPI   CQPO
 CQRY   CRDR   CRMD   CRSQ   CRSR   CRSY   CRTE   CRTR
 CSAC   CSCY   CSFU   CSGM   CSGX   CSHR   CSIR   CSJC
 CSKP   CSLG   CSMI   CSM1   CSM2   CSM3   CSM4   CSM5
 CSNC   CSNE   CSPG   CSPK   CSRK   CSPP   CSPQ   CSPS
 CSRS   CSSC   CSSF   CSSN   CSSX   CSSY   CSTA   CSTB
 CSTE   CSTP   CSTT   CSXM   CSXX   CSZI   CVMI   CVST
 CWTR   CXCU   CXRE   CXRT   TS     8888   9999   ....
 ....   ....   ....   ....   ....   CFTL   CFSL   CKTI
 CKAM   CFCL   CIOD   CIOF   CIOR   CIRR   CJTR   CSHA
 CSHQ   CSOL   CTSD   CWBG   CWXN   CDBF   CEX2   CFQR
 CFQS   CSFR   CSQC   CDBQ   CRMF   CLSG   CFOR   CJMJ
 CLS1   CLS2   CPIH   CPIL   CPIQ   CRTP   CWXU   CFIR
 CPIS   CISC   CISD   CISE   CISR   CISS   CIST   CJGC
 CJPI   CISB   CEPD   CEPM   CISQ   CISU   CISX   CIS4
 CRLR   CISM   CEPF   CPSS   CJSR   CESL   CISP   CIS1
 CJSL   CRST   CPCT   CFCR   CJLR
 RESOURCE=TRANID   PROTECT NAMES:   CEDF   TSEU
CICSTEST	
INITPGM=DFH      ID=K  TYPE=004
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,NORES,WARNPW,NOTSOC,LCFTRANS
ATTRIBUTES=MSGLC,NOTRACE,NOEODINIT,IJU,NODORMPW,NONPWR
ATTRIBUTES=LUUPD
MODE=WARN  DOWN=GLOBAL  LOGGING=ACCESS,INIT,SMF,MSG,SEC9
UIDACID=8 LOCKTIME=000 DEFACID=*NONE*   KEY=8
FACMATRX=NO       EXTSEC=YES      EJBRPRFX=NO
XJCT=YES XFCT=YES XCMD=YES XDCT=YES XTRAN=YES XDB2=NO  XEJB=NO
XTST=YES XPSB=YES XPCT=YES XPPT=YES XAPPC=NO  XUSER=NO
XHFS=NO  XRES=NO
PCTEXTSEC=OVERRIDE    PCTCMDSEC=OVERRIDE  PCTRESSEC=OVERRIDE
DSNCHECK=NO   LTLOGOFF=NO       RLP=NO   SLP=NO   PCLOCK=NO
MAXUSER=03000  PRFT=003  MAXSIGN=010,RETRY
CICSCACHE=TASKLIFE,NOAUDIT,0512

FACILITY DISPLAY FOR CICSTEST 
BYPASS TABLE DISPLAY FOR FACILITY  CICSTEST 
RESOURCE=LOCKTIME BYPASS  NAMES:   TSS 
RESOURCE=TRANID   BYPASS  NAMES:  CAQP  CATA  CATD  CATP
   CATR  CAUT   CCIN   CCMF   CDBD   CDBN   CDBO   CDBT
    CDTS   CECS   CEGN   CEHP   CEHS   CESC   CESF   CESN
    CFTS   CGRP   CITS   CLQ2   CLR1   CLR2   CLS3   CLS4
    CMPX   CMTS   CNPX   COVR   CPLT   CPMI   CQPI   CQPO
    CQRY   CRDR   CRMD   CRSQ   CRSR   CRSY   CRTE   CRTR
    CSAC   CSCY   CSFU   CSGM   CSGX   CSHR   CSIR   CSJC
    CSKP   CSLG   CSMI   CSM1   CSM2   CSM3   CSM4   CSM5
    CSNC   CSNE   CSPG   CSPK   CSRK   CSPP   CSPQ   CSPS
    CSRS   CSSC   CSSF   CSSN   CSSX   CSSY   CSTA   CSTB
    CSTE   CSTP   CSTT   CSXM   CSXX   CSZI   CVMI   CVST
    CWTR   CXCU   CXRE   CXRT   TS     8888   9999   ....
    ....   ....   ....   ....   ....   CFTL   CFSL   CKTI
    CKAM   CFCL   CIOD   CIOF   CIOR   CIRR   CJTR   CSHA
    CSHQ   CSOL   CTSD   CWBG   CWXN   CDBF   CEX2   CFQR
    CFQS   CSFR   CSQC   CDBQ   CRMF   CLSG   CFOR   CJMJ
    CLS1   CLS2   CPIH   CPIL   CPIQ   CRTP   CWXU   CFIR
    CPIS   CISC   CISD   CISE   CISR   CISS   CIST   CJGC
    CJPI   CISB   CEPD   CEPM   CISQ   CISU   CISX   CIS4
    CRLR   CISM   CEPF   CPSS   CJSR   CESL   CISP   CIS1
    CJSL   CRST   CPCT   CFCR   CJLR
RESOURCE=TRANID   PROTECT NAMES:   CEDF   TSEU    
COMPLETE
INITPGM=THR    ID=C   TYPE=21
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,NORNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
CONSOLE	
INITPGM=***    ID=CN  TYPE=02
ATTRIBUTES=ACTIVE,NOSHRPRF,NOASUBM,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,NORNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,EODINIT,DORMPW,NONPWR,
MODE=FAIL  DOWN=BYPASS  LOGGING=ACCESS,INIT,SMF,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
MAXUSER=03000  PRFT=003
DB2PROD	
INITPGM=CAD    ID=DB  TYPE=100
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,NORES,WARNPW,NOTSOC,LCFTRANS
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000  DEFACID=*NONE*  KEY=8
DB2TEST	
INITPGM=CAD   ID=DT   TYPE=100
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,NORES,WARNPW,NOTSOC,LCFTRANS
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000  DEFACID=*NONE*  KEY=8
ENVIRON	
INITPGM=ENV    ID=E   TYPE=15
ATTRIBUTES=ACTIVE,SHRPRF,NOASUBM,ABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,NORNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,NORES,WARNPW,NOTSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL
LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
HSM	
INITPGM=ARC    ID=H  TYPE=099
ATTRIBUTES=IN-USE,ACTIVE,SHRPRF,NOABEND,SUAS,NOXDEF
ATTRIBUTES=NOASUBM,MSGLC,NOEODINIT,IJU
ATTRIBUTES=NOLUMSG,NOSTMSG,SIGN(M),INSTDATA,NORNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,NOWARNPW,NOTSOC,LCFCMD
ATTRIBUTES=NOTRACE,NODORMPW,NONPWR
MODE=WARN  DOWN=GLOBAL LOGGING=INIT,SMF,MSG,ACCESS,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
IDMSPROD	
INITPGM=RHD    ID=M  TYPE=11
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,NORES,WARNPW,NOTSOC,LCFTRANS
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL  LOGGING=ACCESS,INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
IDMSTEST	
INITPGM=RHD    ID=Q  TYPE=11
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,NORES,WARNPW,NOTSOC,LCFTRANS
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
IMSPROD	
INITPGM=DFS    ID=I  TYPE=05
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,NORES,WARNPW,NOTSOC,LCFTRANS
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
IMSTEST
INITPGM=DFS    ID=X  TYPE=05
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,NORES,WARNPW,NOTSOC,LCFTRANS
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
INTERACT	
INITPGM=MEN    ID=I  TYPE=14
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,NORNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=5
JES	
INITPGM=HAS    ID=J  TYPE=12
ATTRIBUTES=ACTIVE,NOSHRPRF,NOASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,NORNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,DORMPW,NONPWR
MODE=FAIL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
OPENMVS	
INITPGM=IEFIIC   ID=OE TYPE=093
ATTRIBUTES=IN-USE,ACTIVE,NOSHRPRF,NOASUBM,NOABEND,SUAS,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,NORNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,EODINIT,IJU,DORMPW,NONPWR
MODE=WARN  DOWN=GLOBAL  LOGGING=INIT,SMF,MSG,SEC9
UIDACID=8 LOCKTIME=000 DEFACID=*NONE*   KEY=8
NCCF	
INITPGM=DSI    ID=N  TYPE=06
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,ABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,NORNDPW,NOAUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR,NOEODINIT,IJU
MAXUSER=03000, PRFT=003 LOGGING=INIT,MSG DOWN=GLOBAL
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
ROSCOE	
INITPGM=ROS    ID=R  TYPE=07
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD
ATTRIBUTES=NOTRACE,NODORMPW,NONPWR,MSGLC
MODE=FAIL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
STC	
INITPGM=IEESB605    ID=S  TYPE=02
ATTRIBUTES=IN-USE,ACTIVE,SHRPRF,NOASUBM,ABEND,SUAS,NOXDEF
ATTRIBUTES=LUMSG,NOSTMSG,SIGN(M),INSTDATA,NORNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,NOWARNPW,NOTSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
TONE	
INITPGM=TON    ID=T  TYPE=13
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,ABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,TSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL  LOGGING=ACCESS,INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
TSO	
INITPGM=IKJEFLC    ID=T  TYPE=03
ATTRIBUTES=IN-USE,ACTIVE,SHRPRF,NOASUBM,ABEND,SUAS,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,TSOC,LCFCMD
ATTRIBUTES=NOTRACE,NODORMPW,NONPWR,MSGLC
MODE=FAIL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
UNICNTR	
INITPGM=***    ID=UN  TYPE=104
ATTRIBUTES=IN-USE,NOSHRPRF,NOASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,NOEODINIT,IJU,DORMPW,NONPWR
MODE=WARN  DOWN=GLOBAL  LOGGING=MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
MAXUSER=03000  PRFT=003
VAMSPF	
INITPGM=VAM    ID=V  TYPE=09
ATTRIBUTES=ACTIVE,SHRPRF,NOASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,TSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
VM	
INITPGM=TSS    ID=V  TYPE=08
ATTRIBUTES=ACTIVE,SHRPRF,NOASUBM,ABEND,SUAS,NOXDEF
ATTRIBUTES=NOLUMSG,NOSTMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8
WYLBUR	
INITPGM=UEX    ID=W  TYPE=10
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,NORNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000   DEFACID=*NONE*  KEY=8

User Facilities

In addition to the pre-defined facility entries, there are 222 user facility entries, named USER0 through USER221, available for site customization. Each facility entry has identical attributes with only the ID field unique to each. The following table illustrates this relationship:

Facilities ID Field
USER0 -- USER99 0 through 99
USER100 - USER109 A0 through A9
USER110 - USER119 B0 through B9
USER120 - USER129 C0 through C9
USER130 - USER139 D0 through D9
USER140 - USER149 E0 through E9
USER150 - USER159 F0 through F9
USER160 - USER169 G0 through G9
USER170 - USER179 H0 through H9
USER180 - USER189 I0 through I9
USER190 - USER199 J0 through J9
USER200 - USER209 K0 through K9
USER210 - USER219 L0 through L9
USER220 - USER221 M0 through M1

The ID field is the same as the numeric value of the USERnnn facility. For example, for facility USER0 the id= will be 0, for facility USER23 the id= will be 23, and so on.

USERnnn	
INITPGM=********  id=xx    TYPE=99
ATTRIBUTES=ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFTRANS
ATTRIBUTES=MSGLC,NOTRACE,NODORMPW,NONPWR
MODE=FAIL  LOGGING=INIT,MSG,SEC9
UIDACID=8  LOCKTIME=000  DEFACID=*NONE*    KEY=8
Was this helpful?

Please log in to post comments.

  1. Benjamin Burrows
    2017-12-28 05:32

    LTLOGOFF=SIGNOFF is not documented in this section. Is it still supported?

    1. Kris Horgen
      2017-12-29 11:59

      Hi Ben,

      It is still supported; thus, I have updated the documentation accordingly. Thanks for the question!

      -Kris

  2. JOSEF THALER
    2017-12-29 07:11

    Hello CA - Kris, I‘d like to ask about BYPLIST: What is the effect of RESOURCE=LOCKTIME BYPASS NAMES: TSS which is showed as part of the display of the default bypass list.

    Many thanks, Josef

    1. Kris Horgen
      2017-12-31 01:39

      Josef,

      RESOURCE identifies the type of CICS resource that will bypass security checking within a CICS facility; similarly, BYPASS NAMES identifies the name of the resources that will bypass checking within a facility (in this case, TSS).

      Contrast this, of course, with PROTECT NAMES, which identifies protected CICS resources that will not bypass security checking within a CICS facility.

      -Kris

      1. JOSEF THALER
        2018-01-01 03:23

        Kris, My point for asking is, that in my understanding LOCKTIME is NOT a resource to be granted to a user, it is an attribute to a facility or an attribute to a user. Well, if LOCKTIME BYPASS means, that locktime behaviour does not take place, for which conditions is this true? When a Transaction TSS ist active on a terminal and waits for a terminal-response? Or, when a Transaction TSS was active on a terminal and returned to CICS? Or, when a transaction was invoked on a terminal 'TSS'? Or, when a transaction was invoked on a terminal, and it's terminalid begins with 'TSS' ? ...
        -Josef

        1. Kris Horgen
          2018-01-02 04:44

          Josef,

          Am researching this and will get back to you!

          -Kris

        1. Kris Horgen
          2018-01-03 10:22

          Josef, 

          I know you mentioned several scenarios, but to summarize it: With RESOURCE=LOCKTIME BYPASS NAMES: TSS. when transaction TSS is started on any terminal, we will BYPASS locktime processing for the TSS transaction only.

          -Kris

          1. JOSEF THALER
            2018-01-03 10:59

            Kris, Many thanks, that was mainly what I wanted to know and understand. -Josef

            1. Kris Horgen
              2018-01-03 11:12

              Great Josef!

              Good talking to you always. 

              -Kris

  3. JOSEF THALER
    2017-12-29 07:15

    Does TSS MODIFY(FACILITY(CICSPROD=BYPLIST)) really display the default bypass list as noted in the doc or is the current effective bypass list setting displayed?

    1. Kris Horgen
      2017-12-31 01:05

      Hi Josef, 

      Are you seeing results that make you unsure of what the doc is saying? Or is something else ehappening?

      -Kris

      1. JOSEF THALER
        2018-01-01 03:05

        Hi Kris, Above I've read quote "To display the default Bypass and Protect Lists, issue the following command: TSS MODIFY(FACILITY(CICSPROD=BYPLIST))" unquote. That's what me made asking that question. -Josef

        1. Kris Horgen
          2018-01-02 04:30

          Josef,

          Issuing that command produces the the current effective listing. It appears we will have to adjust some documentation accordingly.

          -Kris

  4. JOSEF THALER
    2018-04-30 02:44

    Hello CA -Kris, I have a question about LUMSG: Are there additional conditions to have the last used message displayed? Or, in other words: at which devices appear the last used messages? Thanks, Josef

    1. Kris Horgen
      2018-04-30 03:13

      Regarding your "conditions for having 'last-used' message displayed" question: Suppressing the update/display of last-used information for signons (via NOLUMSG) can help minimize security file I/O.

      If you're looking for another control, consider the MSG control option. Among MSG's powers, as the doc says: "You can alter. . .when and how the [violation] message is issued or suppressed." Check out that documentation!

      Regarding which devices the "last used" messages appear: If you are asking which types of terminals, static and dynamic terminals come to mind.

      -Kris

  5. JOSEF THALER
    2018-05-17 11:33

    possibly a TYPO between "MODE=mode" and "MULTIUSER": - What happens "if the global mode is changed via an O/S Modify command:" ..... ? - MSGLC and NOMSGLC could be highlighted like the other options

    1. Kris Horgen
      2018-05-17 01:12

      Hi Josef,

      More of a formatting issue. MSGLC/NOMSGLC is suboption/attribute that needs its own description among the bulleted list of descriptions. You can see examples of MSGLC in the "invoking predefined facilities" content in this topic.

      Anyway, I've adjusted the formatting!

      -Kris

  6. JOSEF THALER
    2018-07-23 03:46

    Hello CA Technologies, Kris, What is the description and the meaning of option INITPGM ? Thanks, Josef

    1. Kris Horgen
      2018-07-23 04:50

      Hi Josef,

      INITPGM provides the name of the internal module program that identifies the facility that a user is signing on to.

      -Kris

      1. JOSEF THALER
        2018-08-07 06:29

        Hi Kris, I'd like to ask about the INITPGM-Option, which is probably modified by FAC=PGM=PROGNAME, and as documented above: This is the key to determining the (generic) facility. Q: What happens (or which facility is generically assigned) when more than one facility has the same PGM=PROGNAME (for example several CICS-facilities, having PGM=DFH) regards, Josef

        1. Kris Horgen
          2018-08-08 02:52

          Josef,

          If CA Top Secret needs to identify a facility for a job, it looks at the PGM parameter and compares it to the program name that is executing. In that case, the product matches on the first one. In our documentation, we recommend using a MASTFAC for the CICS region ACID that will associate it with a specific facility. If none is specified, CICSPROD is used. MASTFAC is provided so you can select other facilities for CICS regions (for example, CICSTEST).

          -Kris

          1. JOSEF THALER
            2019-03-12 10:42

            Hi Kris, additional to those questions above: What takes precedence INITPGM= or MASTFAC ? Or, in other words: If the Server-STC-Acid has added MASTFAC(FAC1) and the Initialprogram of this STC (EXEC PGM=PPP) points to a different facility by FAC2=INITPGM=PPP, which FACility is used, when a Userid does a login ? Thanks, Josef

            1. Kris Horgen
              2019-03-12 12:51

              Josef, 

              I know this is a short answer, but the key is: MASTFAC is checked first.

              If you need anything else, let me know.

              -Kris