RESLEVEL and CICS connections
By default, when an API-resource security check is made on a CICS connection, two user IDs are checked. We can change which user IDs are checked by setting up a RESLEVEL profile.
The first user ID checked is that of the CICS address space. This is the user ID on the job card of the CICS job, or the user ID assigned to the CICS started task by the z/OS STARTED class or the started procedures table. (It is not the CICS DFLTUSER.)
The second user ID checked is the user ID associated with the CICS transaction.
If one of these user IDs does not have access to the resource, the request fails with a completion code of MQRC_NOT_AUTHORIZED. Both the CICS address space user ID and the user ID of the person running the CICS transaction must have access to the resource at the correct level.
How RESLEVEL can affect the checks made
Depending on how you set up your RESLEVEL profile, we can change which user IDs are checked when access to a resource is requested. See Table 1 for more information.
The user IDs checked depend on the user ID used at connection time, that is, the CICS address space user ID. This control enables you to bypass API-resource security checking for IBM MQ requests coming from one system (for example, a test system, TESTCICS,) but to implement them for another (for example, a production system, PRODCICS).
Note: If you set up your CICS address space user ID with thetrustedattribute in the STARTED class or the RACF started procedures table ICHRIN03, this overrides any user ID checks for the CICS address space established by the RESLEVEL profile for the queue manager (that is, the queue manager does not perform the security checks for the CICS address space). For more information, see the CICS Transaction Server for z/OS V3.2 RACF Security Guide.
The following table shows the checks made for CICS connections.
RACF access level | Level of checking |
---|---|
NONE | IBM MQ checks the CICS address space user ID and the transaction user ID. |
READ | IBM MQ checks the CICS address space user ID only. |
UPDATE | If the transaction is defined to CICS with RESSEC(YES), IBM MQ checks the CICS address space user ID and the transaction user ID. |
UPDATE | If the transaction is defined to CICS with RESSEC(NO), IBM MQ checks the CICS address space user ID only. |
CONTROL or ALTER | IBM MQ does not check any user IDs. |