User IDs checked for CICS connections
The user IDs checked for CICS® connections depend on whether one or two checks are to be carried out, and whether an alternate user ID is specified.
Table 1. User ID checking against profile name for CICS-type user IDs

| Alternate user ID specified on open? | hlq.ALTERNATE.USER.userid profile | hlq.CONTEXT.queuename profile | hlq.resourcename profile |
|---|---|---|---|
| No, 1 check | - | ADS | ADS |
| No, 2 checks | - | ADS+TXN | ADS+TXN |
| Yes, 1 check | ADS | ADS | ADS |
| Yes, 2 checks | ADS+TXN | ADS+TXN | ADS+ALT |

Key:
- ALT: Alternate user ID
- ADS: The user ID associated with the CICS batch job or, if CICS is running as a started task, through the STARTED class or the started procedures table.
- TXN: The user ID associated with the CICS transaction. This is normally the user ID of the terminal user who started the transaction. It can be the CICS DFLTUSER, a PRESET security terminal, or a manually signed-on user.
Determine the user IDs checked for the following conditions:
- The RACF® access level to the RESLEVEL profile, for a CICS address space user ID, is set to NONE.
- An MQOPEN call is made against a queue with MQOO_OUTPUT and MQOO_PASS_IDENTITY_CONTEXT.
First, see how many CICS user IDs are checked based on the CICS address space user ID access to the RESLEVEL profile. From Table 1 in topic RESLEVEL and CICS connections, two user IDs are checked if the RESLEVEL profile is set to NONE. Then, from Table 1, these checks are carried out:
- The hlq.ALTERNATE.USER.userid profile is not checked.
- The hlq.CONTEXT.queuename profile is checked with both the CICS address space user ID and the CICS transaction user ID.
- The hlq.resourcename profile is checked with both the CICS address space user ID and the CICS transaction user ID.
This means that four security checks are made for this MQOPEN call.