RESLEVEL and the channel initiator connection
By default, when an API-resource security check is made by the channel initiator, two user IDs are checked. We can change which user IDs are checked by setting up a RESLEVEL profile.
By default, when an API-resource security check is made by the channel initiator, two user IDs are checked to see if access is allowed to the resource.
The user IDs checked can be that specified by the MCAUSER channel attribute, that received from the network, that of the channel initiator address space, or the alternate user ID for the message descriptor. Which user IDs are checked depends on the communication protocol you are using and the setting of the PUTAUT channel attribute. See User IDs used by the channel initiator for more information.
If one of these user IDs does not have access to the resource, the request fails with a completion code of MQRC_NOT_AUTHORIZED.
How RESLEVEL can affect the checks made
Depending on how you set up your RESLEVEL profile, we can change which user IDs are checked when access to a resource is requested, and how many are checked.
The following table shows the checks made for the channel initiator's connection, and for all channels since they use this connection.
Table 1. Checks made at different RACF access levels for channel initiator connections RACF access level Level of checking NONE Check two user IDs. READ Check one user ID. UPDATE Check one user ID. CONTROL No check. ALTER No check. Note: See User IDs used by the channel initiator for a definition of the user IDs checked