RESLEVEL and IMS connections
By default, when an API-resource security check is made for an IMS connection, two user IDs are checked to see if access is allowed to the resource. You can change which user IDs are checked by setting up a RESLEVEL profile.
The first user ID checked is that of the address space of the IMS region. This is taken from either the USER field from the job card or the user ID assigned to the region from the z/OS STARTED class or the started procedures table (SPT).
The second user ID checked is associated with the work being done in the dependent region. It is determined according to the type of the dependent region, as shown in "How the second user ID is determined for the IMS connection".
If either the first or second IMS user ID does not have access to the resource, the request fails with a completion code of MQRC_NOT_AUTHORIZED.
The setting of IBM MQ RESLEVEL profiles cannot alter the user ID under which IMS transactions are scheduled from the IBM-supplied MQ-IMS trigger monitor program CSQQTRMN. This user ID is the PSBNAME of that trigger monitor, which by default is CSQQTRMN.
How RESLEVEL can affect the checks made
Depending on how you set up your RESLEVEL profile, you can change which user IDs are checked when access to a resource is requested. The possible checks are:
- Check the IMS region address space user ID and the second user ID or alternate user ID.
- Check the IMS region address space user ID only.
- Do not check any user IDs.
The following table shows the checks made for IMS connections.
RACF access level | Level of checking |
---|---|
NONE | Check the IMS address space user ID and the IMS second user ID or alternate user ID. |
READ | Check the IMS address space user ID. |
UPDATE | Check the IMS address space user ID. |
CONTROL | No check. |
ALTER | No check. |
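
The table above as a small model, added here as an example and not IBM code: it evaluates which user IDs are checked for a request and flags RESLEVEL permits that reduce checking. It assumes the access level in question is the one the IMS region address space user ID holds to the RESLEVEL profile; the function names, user IDs and queue name are constructed.

```python
# Added example: a model of the RESLEVEL table for IMS connections.
# Function names, user IDs and the queue name are constructed for illustration.
MQRC_NOT_AUTHORIZED = "MQRC_NOT_AUTHORIZED"

# RACF access level to the RESLEVEL profile -> user IDs that are checked.
CHECKS = {
    "NONE": ("region", "second"),
    "READ": ("region",),
    "UPDATE": ("region",),
    "CONTROL": (),
    "ALTER": (),
}

def ids_checked(reslevel_access):
    """Return the roles checked for an access level; reject unknown levels."""
    level = reslevel_access.strip().upper()
    if level not in CHECKS:
        raise ValueError(f"unknown RACF access level: {reslevel_access!r}")
    return CHECKS[level]

def authorize(reslevel_access, region_user, second_user, resource, grants):
    """grants is a set of (user_id, resource) pairs that are allowed access."""
    users = {"region": region_user, "second": second_user}
    for role in ids_checked(reslevel_access):
        if (users[role], resource) not in grants:
            return MQRC_NOT_AUTHORIZED  # either ID lacking access fails the request
    return "OK"

def audit(permits):
    """permits: (user_id, access) pairs for the RESLEVEL profile. Flag reduced checking."""
    findings = []
    for user_id, access in permits:
        level = access.strip().upper()
        checked = ids_checked(level)
        if not checked:
            findings.append((user_id, level, "no user IDs checked"))
        elif "second" not in checked:
            findings.append((user_id, level, "second user ID not checked"))
    return findings

if __name__ == "__main__":
    grants = {("IMSREG1", "PAYROLL.REQUEST")}  # constructed: only the region ID has access
    for level in CHECKS:
        print(level, authorize(level, "IMSREG1", "USERA", "PAYROLL.REQUEST", grants))
    print(audit([("IMSREG1", "NONE"), ("IMSREG2", "update"), ("IMSREG3", "CONTROL")]))
```

With only the region user ID granted access to the queue, the request fails at NONE and succeeds at every other level, which is why a review of RESLEVEL permits should treat anything above NONE as a reduction in checking.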