Table of Contents
WHAT IS CICS?
WHAT IS TSO?
WHAT IS RACF?
INTRODUCTION TO THE CICS/TSO AUTOMATION PROCESS
STANDARDS FOR CICS AND TSO
DATA CUSTODIAN'S GUIDELINES
DATA CUSTODIAN'S RESPONSIBILITIES
INFORMATION SYSTEMS ACCESS ADMINISTRATOR
Systems Programmer's Responsibilities
Systems Programmer's Yearly Responsibilities
What is CICS?
CICS stands for Customer Information Control System. CICS is an IBM product. CICS is used as a
transaction processor for mainframe computers and other platforms, including the AS/400, OS/2 and the
CICS is a general-purpose data communication software system that provides:
- Control of concurrently running applications serving many on-line users.
- The functions required by application programs for communicating with remote and local terminals
- Control of files and databases, with the various IBM data access methods and database products
that are available.
- The ability to communicate with other CICS systems and database systems, either in the same computer
or in connected systems.
At Illinois State University, CICS is used to process information between a user and a large computer, the
mainframe. The user types in a pre-determined four-character ID, like GPAD, and retrieves information on the
CICS is widely used across the Illinois State campus. Most of the administrative processing for the
University is performed using CICS. Examples of information that can be obtained from CICS include all
Financial Aid Information, all Student Information (including student class registration and student bills),
all Payroll Information, all Alumni Information, all Parking Information, etc.
An academic advisor can look up all information about a student to help in the decision-making process when the
student is registering for classes. The advisor can review classes that the student has taken, the grades the
student obtained and the classes the student has left to take. This information is vital for the academic
advisors to perform their job responsibilities.
The academic advisors are not the only people using the CICS system. Approximately 2,500 people use CICS each
day. The ACS Department offers a course (ACS 376) that trains people in CICS programming.
CICS is an important asset for Illinois State. The long range plans for the University include CICS. With
all of the processing done through CICS transactions for the University, the CICS software will have to
continue to operate for ten plus years. The CICS software is vital for the University community to function
properly. Illinois State is even extending the CICS family. There are also plans to develop applications with
CICS for OS/2 and CICS for the RS/6000 at Illinois State.
What is TSO?
TSO stands for Time-Sharing Option. Time-Sharing means users are allowed to share the time and resources of a
major operating system. TSO runs under the MVS (Multiple Virtual Storage) operating system. MVS handles TSO
users as a batch job. When the TSO user logs onto the system, JCL (Job Control Language) is initiated to process
the necessary resources. The JCL includes all DD (Data Definition) statements that are necessary to allocate
data sets needed by the user.
TSO uses ISPF, Interactive System Productivity Facility, to help the user navigate through the TSO system.
ISPF is a menu-driven interface that provides most of the TSO functionality. If ISPF is not available, every
option available through TSO can be accessed by a TSO command. At Illinois State ISPF is the user interface
ISPF/PDF (Program Development Facility) is also available at Illinois State. This part of ISPF is used by
programmers at the University. There are numerous facilities that are of use to the programmer. These include:
- A powerful text editor
- A set of utilities to create and manage data sets and libraries
- The ability to invoke language translators to compile and link-edit the application programs
What is RACF?
RACF stands for Resource Access Control Facility. RACF is a software security product that protects information
by controlling access to it. RACF also controls what the user can do and protects all of the operating system's
resources. RACF provides this security by identifying and verifying users, authorizing users to access protected
resources and recording and reporting access attempts.
RACF helps meet the needs for security by providing the ability to:
- Identify and verify users
- Authorize users to access the protected resources
- Control the means of access to resources
- Log and report various attempts of unauthorized access to protected resources
- Administer security to meet the goals of security for Illinois State
RACF provides all of the above functions, but Illinois State must define the users and the resources for RACF
One specific RACF user, called the RACF administrator, has the ability to define users and resources to RACF.
As well as defining what resources to protect, the RACF administrator can define and grant the authorities by
which users access the protected resources. The RACF administrator therefore sets down the guidelines that RACF
uses to decide the user-resource interaction within Illinois State. The RACF administrator at Illinois
State is called the Information Systems Access Administrator.
Introduction to the CICS/TSO Automation Process
The CICS signon and transaction application process and the TSO signon and data set application process have been
automated based on the individual's job class, department and position held at the University. A CICS signon and
the appropriate transactions and/or a TSO signon and the appropriate data set access will be acquired automatically
for the Illinois State employee when the employee obtains an existing position with an authorized signon. Each
position is assigned a set of transactions and/or data set access that is necessary to perform job responsibilities
for that position. Not every university employee receives CICS and TSO access. Many Civil Service employees
have CICS access, though, and university employees who have access to TSO are usually programmers or employees and/or
students associated with the Applied Computer Science department. TSO is becoming more popular with the growth of DB2
Note: Terms within quotations are actual fields described in the ISI database data dictionary.
All information about the Illinois State employee will come from the ISI database. The ISI database is maintained by
the Provost's Office and the Human Resource Office. The ISI database contains all employment history about every past,
current and future employee for the University.
Upper-level CICS and/or TSO security access is determined by "Appointment Begin Date" and "Appointment End Date" within
a specific "Job Classification" and "Appointment Department." Depending on the Data Custodian's decision, CICS and/or TSO
security access can be taken one step further by looking at the "Position Number", "Account Start Date" and "Account Stop
Date" values. Whether the CICS and/or TSO access decision is made by "Job Class" and "Department Name" or by "Job
Class", "Department Name" and "Position Number", the "Leave of Absence Reason" is evaluated. "Leave of Absence Reason"
codes of 02, 21 and 22 cause the CICS and/or TSO security access to be deleted; the other codes remain active. The other
codes are considered active layoff. The Access Database, controlled by the Information Systems Access Administrator,
stores whether the CICS and/or TSO security access is controlled by job class and department or by job class, department
and position number.
Academic personnel with "Appointment Type" Q (non-tenure track), L (Faculty Associate, Non-continuing), J (Adjunct)
and G (Graduate Assistant) whose "Appointment End Date" has passed may request the Information Access
Administrator to temporarily activate the CICS and/or TSO security access through September 1st or February 1st,
whichever occurs first. If the above positions are not active in the ISI personnel database by September 1st or February
1st, the CICS and/or TSO security access will be deleted.
Special Exception cases override the automation process. Special exception cases, other than as stated above, are
requested through the Office of the Provost for Academic Users, Human Resource Office for Staff Users or the Supervisor
of the User with Data Custodian approval. Special Exceptions, for an inactive employee (not currently employed by the
University), are controlled through the Access Database specifying a date range for the desired CICS security access.
Special Exceptions are made when requested by the Supervisor of the user with the Data Custodian approval at the
individual transaction level.
If Position Number starts with any of the values below, it falls in a range of position numbers not eligible for
the automation process. These employees, along with their supervisor, must fill out two forms for CICS signon and access:
Signon Update Request and the Signon Update Request for Transactions. These employees, along with their supervisor, must
fill out two forms to obtain their TSO signon and data set access: TSO Userid Request and the RACF Update Request. The
signons are deleted automatically when the employee leaves the University.
This is the list of not eligible position numbers for Illinois State employees:
- 25xxx - Visiting Artists/Lecturers
- 30xxx - Overtime
- 31xxx - Extra Help
- 32xxx - Extra Help
- 35xxx - Daily Rate Substitutions
- 40xxx - Student Help - Regular
- 41xxx - Student Help - Work Study
- 55xxx - Contractual Faculty
- 60xxx - Central Accounts
- 61xxx - Temporarily Assigned Position
- 65xxx - Faculty Development
- 70xxx - Other Funded Summer Session
Employees holding the not eligible position numbers listed above are monitored through the automation process for any
changes to their position. The signon will also be deleted from CICS and/or TSO when the employee leaves the University.
If the position numbers for these employees are separated into smaller groups, then the positions can be added to the
automation process.
The Financial Aid Office and the Human Resource Office will have to make the decision to uniquely qualify the positions
for every employee that currently has a not eligible position number before the Information Systems Access Administrator
can implement the above positions in the automation process.
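The decision rules described in this section, written out as an added Python example (not the University's own code). The record layouts, the action names and every job class, department and transaction value other than GPAD are constructed for illustration, and an ended appointment is assumed to stand for an employee leaving the University.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Position-number prefixes the page lists as not eligible for automation.
INELIGIBLE_PREFIXES = ("25", "30", "31", "32", "35", "40", "41",
                       "55", "60", "61", "65", "70")
# "Leave of Absence Reason" codes that cause access to be deleted.
LOA_DELETE_CODES = frozenset({"02", "21", "22"})
NO_ACCESS = frozenset()


@dataclass(frozen=True)
class Appointment:
    """Constructed stand-in for one employee's row in the ISI database."""
    job_class: str
    department: str
    position_number: str
    appt_begin: date
    appt_end: date
    acct_start: Optional[date] = None
    acct_stop: Optional[date] = None
    loa_reason: Optional[str] = None


@dataclass(frozen=True)
class AccessRule:
    """Constructed stand-in for an Access Database row.
    position_number=None means the rule is keyed on job class + department."""
    job_class: str
    department: str
    position_number: Optional[str]
    transactions: frozenset


@dataclass(frozen=True)
class SpecialException:
    start: date
    end: date
    transactions: frozenset


def in_range(start, day, end):
    # Missing dates fail closed: no date range, no access.
    return start is not None and end is not None and start <= day <= end


def decide(appt, rules, today, exception=None):
    """Return (action, transactions) for one appointment on a given day."""
    # Special exceptions override the automation process.
    if exception and in_range(exception.start, today, exception.end):
        return "GRANT_EXCEPTION", exception.transactions
    # Assumption: "leaves the University" is modelled as an ended appointment.
    if not in_range(appt.appt_begin, today, appt.appt_end):
        return "DELETE", NO_ACCESS
    # Not eligible ranges are provisioned from the request forms instead.
    if appt.position_number.startswith(INELIGIBLE_PREFIXES):
        return "MANUAL_FORMS", NO_ACCESS
    if appt.loa_reason in LOA_DELETE_CODES:
        return "DELETE", NO_ACCESS
    granted = set()
    for rule in rules:
        if (rule.job_class, rule.department) != (appt.job_class, appt.department):
            continue
        if rule.position_number is None:
            granted |= rule.transactions
        elif (rule.position_number == appt.position_number
              and in_range(appt.acct_start, today, appt.acct_stop)):
            # Position-level rules also require an active account date range.
            granted |= rule.transactions
    return ("GRANT", frozenset(granted)) if granted else ("NO_MATCH", NO_ACCESS)


# Constructed sample rules: one keyed on job class + department, one on position.
RULES = [
    AccessRule("ADVISOR", "ADVISEMENT", None, frozenset({"GPAD"})),
    AccessRule("ADVISOR", "ADVISEMENT", "10234", frozenset({"XUPD"})),
]
```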
A retiree is treated as a Special Exception, with the date range of activation being one year. The Department of Human
Resource is responsible for notifying Staff retirees of the date range, and the Department of the Provost for the
notification to all Academic retirees. A retiree has CICS and/or TSO security access for as long as the access is needed
and must go through the process for special exceptions. The need is evaluated every year.
Guest Accounts are also Special Exceptions. Guest Accounts are sponsored by an Academic or Staff member associated with
Illinois State. Access will be granted, on a case-by-case basis, with a written recommendation of the access purpose by
a faculty or staff member associated with Illinois State and must go through the process for special exceptions.
Standards for CICS and TSO
The users need to understand the importance of maintaining confidentiality while using CICS and/or TSO signons. A user
needs to change his/her password when a CICS and/or TSO signon is given to them and occasionally while using the CICS
and/or TSO signon. If the User does not follow the CODE OF RESPONSIBILITY FOR SECURITY AND CONFIDENTIALITY OF DATA,
the User's CICS and/or TSO signon is revoked immediately. Each user has one signon for CICS and/or TSO and one password.
The CICS and/or TSO signons are assigned individually and each user of CICS and/or TSO must have their own signon.
A user of the mainframe computer will be assigned a RACF user ID. A RACF user ID can be one to eight characters long.
A TSO user ID and a user ID on an MVS JOB statement cannot be more than seven characters, so Illinois State has limited
RACF user IDs to only seven characters. For university employees the RACF ID will be their first initial, middle initial
and the first five characters of their last name, or as many characters as the last name has, if the last name is shorter
than five characters. For example, an employee with the name John C. Smith will have a user ID of JCSMITH. For ACS students
the RACF ID will be: the first character is @, the next three characters will be the ACS class number, the next character
is the section number and the last two characters will be a unique number for the student in the class. For example, a
student in ACS 376, section 1 would have a user ID of @3761xx where 00 <= xx <= 99. Depending on the position the employee
holds at the University, the RACF user ID will be able to access TSO, CICS or both TSO and CICS. ACS students have access
to both CICS and TSO.
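The two user ID conventions above as a generator and a parser that can be run over a list of IDs to flag any that do not conform. This is an added Python example, not the University's code; dropping non-letters from the last name and refusing a missing initial are assumptions, since the page does not cover those cases.

```python
import re

MAX_LEN = 7  # TSO and the MVS JOB statement limit the ID to seven characters
EMPLOYEE_RE = re.compile(r"[A-Z]{3,7}")       # two initials + 1..5 letters
STUDENT_RE = re.compile(r"@(\d{3})(\d)(\d{2})")


def employee_userid(first, middle, last):
    """First initial + middle initial + up to five letters of the last name."""
    # Assumption: characters other than A-Z (apostrophes, hyphens, spaces)
    # are dropped from the last name before truncating.
    letters = re.sub(r"[^A-Z]", "", last.upper())
    initials = first.strip()[:1].upper() + middle.strip()[:1].upper()
    if not re.fullmatch(r"[A-Z]{2}", initials) or not letters:
        # The page gives no rule for a missing initial, so refuse to guess.
        raise ValueError("first initial, middle initial and last name are required")
    return initials + letters[:5]


def student_userid(course, section, seq):
    """'@' + three-digit ACS class number + section digit + two-digit number."""
    if not (0 <= course <= 999 and 0 <= section <= 9 and 0 <= seq <= 99):
        raise ValueError("course, section or sequence number out of range")
    return f"@{course:03d}{section:d}{seq:02d}"


def parse_userid(userid):
    """Classify an ID against the two conventions; never raises."""
    if len(userid) > MAX_LEN:
        return {"kind": "invalid", "reason": "longer than seven characters"}
    m = STUDENT_RE.fullmatch(userid)
    if m:
        return {"kind": "student", "course": int(m.group(1)),
                "section": int(m.group(2)), "seq": int(m.group(3))}
    if EMPLOYEE_RE.fullmatch(userid):
        return {"kind": "employee"}
    return {"kind": "invalid", "reason": "matches neither convention"}


def nonconforming(userids):
    """Return the IDs in a listing that fit neither convention."""
    return [u for u in userids if parse_userid(u)["kind"] == "invalid"]
```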
If a user is authorized for TSO, the RACF ID will need a TSO segment in the RACF user ID profile. The following attributes
will need to be defined for a TSO user:
- ACCTNUM - the user's default account number
- JOBCLASS - default value for the user's job class
- MSGCLASS - default value for the user's message class
- HOLDCLASS - default value for the user's hold class
- SYSOUTCLASS - default value for the user's SYSOUT class
- DEST - the destination id for the user's SYSOUT data sets
- PROC - user's default logon procedure
- MAXSIZE - user's maximum region size
- SIZE - user's default region size
- SECLABEL - security label specified when the user previously logged on to TSO
- UNIT - default device used for allocations
- USERDATA - optional user data
If a user is authorized for CICS, the RACF ID will need a CICS segment in the RACF user ID profile. The following attributes
will need to be defined for a CICS user:
- OPCLASS - the classes assigned to this operator to which BMS (basic mapping support) messages will be routed
- OPIDENT - an identification of the operator for use by BMS
- OPPRTY - the priority of the operator
- TIMEOUT - the time in minutes, currently 30 minutes, that the operator is allowed to be idle before being signed off
- XRFSOFF - whether the operator will be signed off by CICS when an XRF takeover occurs. XRF stands for eXtended Recovery
Facility. XRF is a CICS software function that minimizes the effect of various failures on the end users of
Each RACF user ID will be placed in a default RACF group. If needed the RACF user ID can be placed in other RACF groups for
additional security access. A RACF user ID is assigned to those groups that have the authority to access the necessary RACF
resources to fulfill the employee's job requirements.
The RACF group of a user ID will obtain access to the generic or discrete data set profile. The RACF group or user ID can
have NONE, READ, UPDATE, CONTROL or ALTER authority assigned to the data set profile. Most assignments are done at the group
level, not at the user ID level. This way a user ID can be added to a group and obtain the necessary security access.
Access Authorities for DASD Data Sets
- NONE - Does not allow users to access the data set.
- READ - Allows users to access the data set for reading only. (Note: Users who can read the data set can copy or print it.)
- UPDATE - Allows users to read from, copy from or write to the data set. UPDATE does not authorize a user to delete, rename,
move or scratch the data set. Allows users to perform normal VSAM I/O to VSAM data sets.
- CONTROL - For VSAM data sets, is equivalent to the VSAM CONTROL password; that is, it allows users to perform improved control
interval processing. This is control-interval access (access to individual VSAM data blocks) and the ability to
retrieve, update or delete records in the specified data set. For non-VSAM data sets, CONTROL is equivalent to
- ALTER - Allows users to read, update, delete, rename, move or scratch the data set.
- EXECUTE - For a private load library, allows users to load and execute, but not read or copy, programs (load modules) in the
Note: All members of a partitioned data set (PDS) are protected by one profile. This is the profile that protects
the data set.
The User might need additional security access besides the CICS and/or TSO security access assigned to the User originally.
To receive these additional access authorities, the User or the User's supervisor contacts the Information Systems Access
Administrator with the additional security access authorities and reasons why they are needed. The Information Systems
Access Administrator requests approval from the Data Custodian. If approval is granted by the Data Custodian, then the
security access is granted by the Information Systems Access Administrator. Otherwise, the Information Systems Access
Administrator telephones the user and states why the Data Custodian is not allowing the security access.
A user must change their password every sixty days or when the user feels the password has been compromised. A password
change prompt will be displayed once the password has expired for the user. The length of the password must be between
five and eight characters.
The user cannot reuse the same password for the password change process. Password history of five passwords is kept for
A user has five attempts to log on to CICS or TSO correctly. If the user does not succeed, the user is aborted from the
signon process. The incorrect logon attempt is logged to the master console and datasets.
CICS and TSO accounts that have been inactive for six months will be revoked. Once an account is revoked, a user can
present a picture ID to reactivate the account. If the account is revoked for six more months, then the account is deleted
When the user accesses either CICS or TSO for the first time, the user is prompted with the screen below. The user is
required to read the screen and answer either YES or NO. If the answer is YES, the user is allowed to obtain security
access to either CICS or TSO. If the answer is NO, the user is denied all security access to CICS or TSO. Every six months
the user will see the screen below and is required to answer the screen again.
ILLINOIS STATE UNIVERSITY INFORMATION SYSTEMS
Access to Information Resources and the Information Technology environment is a privilege and must be treated as
such by all users of university computing and Network Resources. Access to university information and the sharing and
security of that information requires that each user accept responsibility to protect the rights of the University
and the University community.
All members of the University community who have access to data are responsible to understand and abide by the policies
described in the Illinois State Information Resource Access and Security Policy and Guidelines of a Secure Computing
Environment, both available on the Illinois State Gopher system or on the World Wide Web (WWW).
- I will maintain data confidentiality.
- I will maintain the confidentiality of data security controls and passwords.
- I will report to management any suspected security violation.
- I will access and use only that information for which I am authorized.
I have read, understand and agree to abide by the above guidelines.
Please respond "yes" or "no"
Data Custodian's Guidelines
Information Systems (IS) is responsible for ensuring the confidentiality, integrity, and availability of all administrative
information that it processes and stores, whether on the University mainframe, on minis, on micro-computers or on LAN servers.
The Illinois State University Information Resource Access and Security Policy was written by IS to assist the
University in accomplishing these objectives. The following Data Custodian's guidelines govern information security for the
University's data so that the designated Data Custodians will have the guidance to support the Policy. IS and the Data
Custodians are subject to security audits by internal and external auditors for compliance with standard computing
Data Custodians have a responsibility to the University to ensure they grant access to data to only those who require that
access to perform their job responsibilities. The Data Custodian must be familiar with the data, and the methods for accessing
that data for which they are responsible. He/she should know how this data is used with the business functions of the
University. If, for any reason, the Data Custodian has a question of whether that position would require that access, they
should feel free to interview the requester to verify that position does actually require that access. The more sensitive
data, update capability accesses, etc., may always need the interview follow-up.
Data Custodian's Responsibilities
Data Custodians are delegated by University management the responsibility for controlling university data within their areas.
Their responsibilities include the following:
- Controlling data definitions to ensure data conform to consistent definitions over the life of the data.
- Approving requests for access to University data submitted by authorized University personnel.
- Authorizing all computer Project Work Orders.
- Reviewing accesses and transaction groups ensuring the accesses and groups are appropriate and valid.
- Monitoring the data to ensure data processing procedures are effective.
Information Systems Access Administrator's Responsibilities to the Data Custodian:
- Help the Data Custodian troubleshoot problems they are encountering.
- Make necessary access changes immediately, depending on severity.
- Provide audit listings, which include:
  - All University positions that have access to the Data Custodian's data.
  - CICS transaction groupings.
  - Those who are sharing a sign-on.
- Coordinate access requests between the individual and the Data Custodian.
The separation between the Information Systems Access Administrator and the Data Custodian strengthens security by not
allowing a single person to grant access permissions. The following is the procedure to follow to create or modify
- Make access requests for data to the Information Systems Access Administrator via telephone, letter, or
e-mail containing information of which accesses and why they are necessary for a user to perform their job
- The Information Systems Access Administrator will forward a letter to the Data Custodian to obtain a
signature for permission to the access requested.
- The Data Custodian returns the letter granting access, either signed or with a reason for not signing, to the
Information Systems Access Administrator.
- The Information Systems Access Administrator will make the necessary changes to create the appropriate
The Data Custodian must be familiar with the data to know how that data affects the business functions of the
University Community. The familiarity of the data will guide the Custodian to make the appropriate decisions for
controlling data definitions to ensure the data conforms to the consistent definitions over the life of the
All mainframe accesses are in transaction groups. To ensure the accesses are appropriately granted, the Data
Custodian must be familiar with the transaction groups. The transaction groups consist of transactions that
are similar, such as data, update capabilities of a particular file, etc. If the Data Custodian grants access to
a single transaction, this may be granting access to several other transactions depending on how many are in the
same group. The Data Custodian must acknowledge all the transactions being authorized when signing access for a
single transaction. The Data Custodian is responsible for granting access to the University's data. In addition,
even when a transaction is display only, consider what data is being displayed: is it sensitive
Once the Data Custodian acknowledges which transactions are included, the Data Custodian must decide if the position
requesting that transaction should be able to access every transaction in the group. If a position is questionable for
access to a (some) particular transaction(s), the requester or their supervisor should be contacted. The Information
Systems Access Administrator is only the administrator and coordinator of accounts, not the person to make the final
decision of who should have access to what data.
Information Systems Access Administrator
This section defines the duties that are expected of the systems programmer and/or the Information Systems Access
Administrator during the entire automation process. This is a position in the Network Services branch of Information
Systems. A person must have the position of a Systems Programmer before he/she can obtain the title of Information
Systems Access Administrator. Information Systems Access Administrator is a title that is given to a Systems Programmer
that can handle the security functions. Systems Programmer is the job classification that is given to an employee from
the Human Resource Office.
Systems Programmer's Responsibilities
- Notify the User of their CICS security access, their TSO security access or both.
A list of authorized transactions for an employee's position is sent to the employee through campus mail. The
employee's signon name and password formula to access their CICS transactions is at the top of the transaction
list. At this time, the password must be changed within five working days. If the password is not changed, the
CICS signon will then become inactive. To reactivate the CICS signon, a picture ID must be brought to Room 136H
in Julian Hall.
If the employee is authorized for TSO access, the Information Systems Access Administrator calls the employee,
via telephone, and states the TSO user ID and the password formula. When the TSO user logs onto TSO, the password
must be changed immediately. The TSO user has five working days to change the password or else the TSO user ID is
revoked. If the TSO user ID is revoked, the user must come to Julian Hall 136H with a picture ID to get the TSO
user ID active again.
At the present time, a phone call is given to the TSO user because there are not very many requests. Once TSO
becomes more popular, a program will be written to generate the necessary information for TSO, similar to the CICS
Note: The letter the user receives when obtaining a new position at the University (either new to the University
or changing departments and/or positions at the University) contains the CODE OF RESPONSIBILITY FOR SECURITY AND
CONFIDENTIALITY OF DATA on the back of the formatted letter. Each employee at the University using CICS must see a
copy of the CODE OF RESPONSIBILITY FOR SECURITY AND CONFIDENTIALITY OF DATA.
- Maintain the list of Extra Help personnel, Graduate Students, Guest Accounts, Student Help and positions having not
eligible position numbers at the University having CICS or TSO security access.
- Review all RACF security violation reports that are generated.
Systems Programmer's Yearly Responsibilities
Once a year, around February, the Information Systems Access Administrator sends an audit report to every Data Custodian.
This includes a memo, a list of all job classes, departments and positions or job classifications and departments that
have access to their transactions and datasets and an authorization form to be signed by the Data Custodian.
Access Database: The database maintained by the Information Systems Access Administrator. This database contains
the appropriate CICS security access for every position at the University.
Critical Data: Data that is critical to the business functions of the University.
Data: Information displayed either in straight text format, on a screen or by a CICS transaction.
Data Custodian: Individuals delegated by University Management to provide the means for controlling the information
resources within the Data Custodian's units. Data Custodians must authorize all CICS security access.
Data Security Administrator: A position in the Administrative Computing branch of Information Systems that monitors
all security issues.
ISI Database: A database that stores all of the employee information, for both faculty and staff, for each individual
employed at Illinois State. This includes salary and position information.
Information Systems Access Administrator: A position in the Network Services branch of Information Systems that
maintains all security issues for the mainframe.
Profile: Data that describes the significant characteristics of a user, a group of users, or one or more computer
Public Data: Data that anyone should be able to see, open to the public.
RACF Administrator: A person designated to assign all RACF security for the operating system's resources.
RACF database: A collection of interrelated or independent data items stored together without unnecessary
redundancy, to serve RACF.
Sensitive Data: Data that is sensitive in nature, personnel and private information.
University Management: Consists of the President, the Vice Presidents, Department Chairs, Department Deans and
Directors at Illinois State.