User IDs checked for CICS connections

The user IDs checked for CICS connections depend on whether one or two checks are to be carried out, and whether an alternate user ID is specified.

Alternate user ID specified on open?	hlq.ALTERNATE.USER.userid profile	hlq.CONTEXT.queuename profile	hlq.resourcename profile
No, 1 check	-	ADS	ADS
No, 2 checks	-	ADS+TXN	ADS+TXN
Yes, 1 check	ADS	ADS	ADS
Yes, 2 checks	ADS+TXN	ADS+TXN	ADS+ALT

Key:

ALT

Alternate user ID

ADS

The user ID associated with the CICS batch job or, if CICS is running as a started task, through the STARTED class or the started procedures table.

TXN

The user ID associated with the CICS transaction. This is normally the user ID of the terminal user who started the transaction. It can be the CICS DFLTUSER, a PRESET security terminal, or a manually signed-on user.

Determine the user IDs checked for the following conditions:

• The RACF access level to the RESLEVEL profile, for a CICS address space user ID, is set to NONE.
• An MQOPEN call is made against a queue with MQOO_OUTPUT and MQOO_PASS_IDENTITY_CONTEXT.

First, see how many CICS user IDs are checked based on the CICS address space user ID access to the RESLEVEL profile. From Table 1 in topic RESLEVEL and CICS connections, two user IDs are checked if the RESLEVEL profile is set to NONE. Then, from Table 1 on, these checks are carried out:

• The hlq.ALTERNATE.USER.userid profile is not checked.
• The hlq.CONTEXT.queuename profile is checked with both the CICS address space user ID and the CICS transaction user ID.
• The hlq.resourcename profile is checked with both the CICS address space user ID and the CICS transaction user ID.

This means that four security checks are made for this MQOPEN call. Parent topic: User IDs for resource security (MQOPEN, MQSUB, and MQPUT1)