How CA Top Secret manages the CICS SECPRFX Initialization parameter.

Document ID : KB000072692
Last Modified Date : 14/03/2018
Show Technical Document Details
Introduction:
The SECPRFX system initialization parameter of CICS is used to prefix the resource names passed to the security product.
There are 3 options for SECPRFX: NO,YES and prefix. When SECPRFX is set to 'prefix', CICS prefixes the resource names with the specified 'prefix' when passing authorization requests to RACF.

Using SECPRFX=prefix I would expect to receive security checks for OTRAN(prefix.transaction) but  I do not see any security call like this in CA Top Secret .
Question:
 Why is the prefix defined in SECPRFX ignored by CA Top Secret?
Answer:
Setting a prefix in the SECPRFX  (SECPRFX=YURPREFIX) in the SIT has no effect on how TSS processes the security call.
For example, with SECPRFX=prefix, if you issue transaction CEMT in CICS, CICS makes a security call for TCICSTRN(prefix.CEMT) but TSS intercepts this call and processes it as OTRAN(CEMT).

The Prefixing provided by the SECPRFX is useful mainly when you have more than one CICS region and it enables you to prevent users on one CICS region from accessing the resources of a different CICS region that has a different prefix.

The reason CA Top Secret is ignoring the prefix defined in SECPRFX is CA Top Secret has another approach to differentiate the CICS from where the transactions are coming from. CA Top Secret allows the FACILITY keyword in the TSS PERMIT command to restrict access to the facilities specified. For example, to permit an acid to execute the CEMT transaction but only from facilities CICSA and CICSB, you can use the following command :

TSS PER(acid#) OTRAN(CEMT) FAC(CICSA,CICSB)

 
Additional Information:
Information about the FAC keyword of CA Top Secret can be found at the following link:

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/issuing-commands-to-communicate-administrative-requirements/keywords/facility-keywordspecify-facilities