What users require the NOATS attribute?

Document ID : KB000118833
Last Modified Date : 01/11/2018
Show Technical Document Details
Issue:
Do regular user acids require NOATS? We see in the documentation that it is recommended for administrative acids. What circumstances would allow a regular user acid to sign on as a terminal? 
Resolution:
CICS ATS feature signs on a user automatically if no user is signed on at the terminal when a security check occurs. 

CA Top Secret will attempt to find an acid that matches the terminal id. If it finds that user, it will sign that user on.These acids must be defined when you choose to use ATS. 

If that acid had NOATS, that acid will not be used for ATS signon. 

Unless you have a lot of acids that match terminal id names, NOATS is really not needed. If you dont use ATS, then you really dont need NOATS. You can use NOATS to disable ATS by adding it to all the ATS terminal acids. 


If someone was 'smart' enough to fudge the terminal id definitions to have a terminal id if 'T123' because he knows that a TSS admin acid is called 'T123' exists, ATS would signon that acid and be able to issue TSS commands. This is why having NOATS is recommended for admin acids. This tactics can be used for regular acids also. So, this is something to consider. But if I were a hacker, I would choose a user with powerful credentials and not a regular user. The hacker would need knowledge of CICS and have CICS admin privileges to add/modify terminal definitions.