QUERY SECURITY

Query the security authorization of a user to access a resource. Note that QUERY SECURITY is not affected by the RESSEC (resource security) and CMDSEC (command security) settings on a TRANSACTION resource definition.

The effect of SIT parameters on QUERY SECURITY commands

You can query whether a user has READ, UPDATE, CONTROL, or ALTER authority on a resource. The values that are returned depend on whether security checking is enabled (SEC=YES) and whether resource security checking is enabled for the relevant resource class: for example, that the XFCT=YES system initialization parameter is set for the resource type of FILE.
Table 1. Effect of SIT parameters on QUERY SECURITY commands
SIT parameter RACF® Access cvda from QUERY SECURITY READ cvda from QUERY SECURITY UPDATE cvda from QUERY SECURITY CONTROL cvda from QUERY SECURITY ALTER
SEC=YES
Xnnnn=YES
NONE
READ
UPDATE
CONTROL
ALTER
NOTREADABLE
READABLE
READABLE
READABLE
READABLE
NOTUPDATABLE
NOTUPDATABLE
UPDATABLE
UPDATABLE
UPDATABLE
NOTCTRLABLE
NOTCTRLABLE
NOTCTRLABLE
CTRLABLE
CTRLABLE
NOTALTERABLE
NOTALTERABLE
NOTALTERABLE
NOTALTERABLE
ALTERABLE
SEC=NO
Xnnnn=NO
 n/a READABLE UPDATABLE CTRLABLE ALTERABLE

QUERY SECURITY

Read syntax diagramSkip visual syntax diagramQUERY SECURITYRESTYPE( data-value)RESCLASS( data-value)RESIDLENGTH( data-value)RESID( data-value)LOGMESSAGE( cvda)USERID( data-value)READ( cvda)UPDATE( cvda)CONTROL( cvda)ALTER( cvda)

Conditions: INVREQ, LENGERR, NOTAUTH, NOTFND, QIDERR, USERIDERR

This command is threadsafe.

Description

The QUERY SECURITY command allows the application to determine whether a user has access to resources defined in RACF. These resources can be in CICS® resource classes or in user-defined resource classes.

Before calling RACF, for all resources except PSBs, CICS checks that the resource is installed. If the resource does not exist, CICS does not call RACF and returns the NOTFND condition.

If USERID is not specified, the user to be queried is the user that invokes the transaction issuing the QUERY SECURITY command.

Alternatively, the application can query the security authorization of a different user that is specified in the USERID option.

For more information on the use of the QUERY SECURITY command, see Security checking using the Query Security command.

Options

ALTER(cvda)
Query whether the user has ALTER authority for the named resource. The cvda values returned by CICS are ALTERABLE and NOTALTERABLE.
CONTROL(cvda)
Query whether the user has CONTROL authority for the named resource. The cvda values returned by CICS are CTRLABLE and NOTCTRLABLE.
LOGMESSAGE(cvda)
Inhibit security violation messages. The values passed to CICS are LOG (the default value), or, to inhibit messages, NOLOG.
READ(cvda)
Query whether the user has READ authority command for the named resource. The cvda values returned by CICS are READABLE and NOTREADABLE. READ access authority usually permits nondestructive use of a resource as, for example, in the case of READ and INQUIRE commands.
RESCLASS(data-value)
Specifies an 8-character field identifying the name of a valid resource class, which could be non-CICS, in RACF. The class name identified by RESCLASS is treated literally with no translation.

The RACF classes DATASET, GROUP, and USER do not appear in the class descriptor table (CDT), which means that you cannot query against these classes. For CICS resource classes, the class name must be the member class, not the group class; that is, CCICSCMD, not VCICSCMD.

If the ESM is RACF, the class can be CICS-supplied or user-defined. RESCLASS enables you to define more narrowly the authorization to be queried; for example, you can query at the record or field level.

To query a user's surrogate authority, you can use the QUERY SECURITY command with the RESCLASS('SURROGAT') option. You also need to specify the RESID and RESIDLENGTH options. However, this command is not controlled by the XUSER system initialization parameter, so you might obtain an unexpected response of NOTREADABLE if XUSER=NO has been specified.

The responses returned by the command reflect the definition of the RESID resource as defined in the specified RESCLASS.

RESID(data-value)
Specifies the name of the CICS or user-defined resource that you want to query the users access to. The value is a character string (1-12 characters for a CICS resource, and 1-246 characters for a user-defined resource, unless you are using the COBOL3 translator option in which case the maximum length is 160 characters). RESID refers to a CICS-defined resource only when RESTYPE('SPCOMMAND') is specified; otherwise, it refers to a user-defined resource.
When defining RESID values, be aware of the effects of using blanks (X'40') in resource identifiers. For example, in: 
QUERY SECURITY RESTYPE('PSB') RESID('A B')
the blank delimits the RESID and causes RACF to use a resource name of A.
Note that the actual resource checked depends on whether RESCLASS or RESTYPE is specified in the command and whether prefixing is active (SECPRFX=YES or SECPRFX=prefix specified as a system initialization parameter).
  • If RESCLASS is specified, the resource checked is always the actual RESID data-value, whether or not prefixing is on or off. Prefixing, as specified in the SECPRFX system initialization parameter, does not apply to QUERY SECURITY RESCLASS.
  • If RESTYPE is specified and prefixing is not active (SECPRFX=NO), the resource checked is the specified RESID value.
  • Otherwise the resource checked is the RESID value prefixed with either the CICS region userid (if SECPRFX=YES), or another prefix (if SECPRFX=prefix). For example, if you issue the following command: 
    QUERY SECURITY RESTYPE('FILE') RESID('PAYFILE')
    • When SECPRFX=YES, CICS applies the CICS region userid as a prefix, and calls RACF to check the user's access to cics_region_userid.PAYFILE.
    • When SECPRFX=prefix, CICS applies the prefix that is supplied, and calls RACF to check the user's access to prefix.PAYFILE.
    • If SECPRFX=NO is specified, CICS does not apply a prefix, and calls RACF to check the user's access to PAYFILE.
For SPCOMMAND, the identifiers are predetermined by CICS. The list of possible RESID values for SPCOMMAND is as follows:
Table 2.
A-F H-S T-X
ASSOCIATION
ATOMSERVICE
AUTINSTMODEL
AUTOINSTALL
BRFACILITY
BUNDLE
BUNDLEPART
CAPDATAPRED
CAPINFOSRCE
CAPOPTPRED
CAPTURESPEC
CFDTPOOL
CONNECTION
CSD
DB2CONN
DB2ENTRY
DB2TRAN
DISPATCHER
DOCTEMPLATE
DSNAME
DUMP
DUMPDS
ENQUEUE
EPADAPTER
EPADAPTERSET
EPADAPTINSET
EVENTBINDING
EVENTPROCESS
EXCI
EXITPROGRAM
FEPIRESOURCE
FILE

HOST
IPCONN
IRC
JOURNALMODEL
JOURNALNAME
JVMSERVER
LIBRARY
MODENAME
MONITOR
MQCONN
MQMON
MVSTCB
NODEJSAPP
OSGIBUNDLE
OSGISERVICE
PARTNER
PIPELINE
PROCESS
PROFILE
PROGRAM
REQID
REQUEST
RESETTIME
RRMS
SECURITY
SHUTDOWN
STATISTICS
STORAGE
SUBPOOL
SYSDUMPCODE
SYSTEM

TASK
TCLASS
TCPIP
TCPIPSERVICE
TDQUEUE
TEMPSTORAGE
TERMINAL
TRACEDEST
TRACEFLAG
TRACETYPE
TRANDUMPCODE
TRANSACTION
TSQUEUE
TSMODEL
TSPOOL
TYPETERM
UOW
UOWDSNFAIL
UOWENQ
UOWLINK
URIMAP
VOLUME
VTAM®
WEB
WEBSERVICE
XMLTRANSFORM
RESIDLENGTH(data-value)
Specifies the length, as a fullword binary, of the resource identifier in RESID. You only use this parameter when specifying the RESCLASS option. The maximum length of a resource (RESID) within a RACF class is specified in the class descriptor table (CDT).
RESTYPE(data-value)
Specifies the type of resource (1–12 characters) you want to query the user's access to.

If the resource is not defined to RACF®, CICS does not grant access and the response is NOTREADABLE. Ensure the length of the resource name passed to RACF with a RESTYPE request is the actual maximum length for that resource type.

The value you specify for RESTYPE must be one of the following resource types:

Table 3. QUERY SECURITY RESTYPE values
RESTYPE value Xname parameter
ATOMSERVICE XRES
BUNDLE XRES
DB2ENTRY XDB2
DOCTEMPLATE XRES
EPADAPTER XRES
EPADAPTERSET XRES
EVENTBINDING XRES
FILE XFCT
JOURNALNAME XJCT
JOURNALNUM (supported for compatibility with previous releases) XJCT
JVMSERVER XRES
PROGRAM XPPT
PSB XPSB
SPCOMMAND (used to specify a CICS-defined resource for a command) XCMD
TDQUEUE XDCT
TRANSACTION XPCT
TRANSATTACH XTRAN
TSQUEUE XTST
TSQNAME XTST
XMLTRANSFORM XRES
n/a XHFS
The XHFS system initialization parameter controls resource security for zFS files and does not have a corresponding RESTYPE value on the QUERY SECURITY command. Access controls for zFS files follow the system of permissions used by z/OS® UNIX System Services, so they operate in a different way.

With dynamic transaction routing, you do not have to install transaction definitions in terminal owning regions. A QUERY SECURITY command with a RESTYPE of TRANSATTACH returns the NOTFND condition if the transaction is not installed. Application developers must be aware that the transaction might be routed dynamically.

If you issue QUERY SECURITY RESTYPE(TRANSATTACH) RESID(tranid) READ(cvda), this command returns the CVDA value of READABLE if the user has READ authority for the resource with the name tranid, but NOTREADABLE if the user has only EXECUTE authority. Therefore, applications that use QUERY SECURITY RESTYPE(TRANSATTACH) to build a menu of available transactions will not work if EXECUTE authority is used.

The responses returned by the command reflect the results that would be obtained if an actual attempt was made to access the specified CICS resource.

UPDATE(cvda)
Query whether the user has UPDATE authority for the named resource. The CVDA values returned by CICS are UPDATABLE and NOTUPDATABLE. UPDATE access authority usually permits destructive use of a resource as, for example, in the case of WRITE, DELETE, or UPDATE commands.
USERID(data-value)
Specifies the 8-character user ID of the user whose access to the specified resources is queried.

The user who invokes the transaction issuing the QUERY SECURITY command must have necessary authority to query whether another user as specified in USERID has access to the specified resource. CICS performs a surrogate user check to verify whether the user invoking the transaction is authorized to the user specified in USERID. If the surrogate user check fails, CICS returns a NOTAUTH condition.

Conditions

16 INVREQ
RESP2 values:
7
The cvda value is not valid for the LOGMESSAGE.
9
The RESID is invalid or filled with blanks.
10
The external security manager (ESM) is inactive or not present.

Default action: terminate the task abnormally.

22 LENGERR
RESP2 values:
6
The RESIDLENGTH value is not valid, that is, not in the range 1 through 246.

Default action: terminate the task abnormally.

70 NOTAUTH
RESP2 values:
102
The surrogate user security check on the specified USERID fails.

The security access capabilities of the transaction that issued the command do not allow the command to be performed with the value specified in the USERID option.

The security access capabilities of the transaction have been established by the external security manager according to the user security, and whether link security or the execution diagnostic facility (EDF) has been in use.

Default action: terminate the task abnormally.

13 NOTFND
RESP2 values:
1
The RESID is not valid.
2
The RESTYPE is not valid.
3
The RESID value for RESTYPE (SPCOMMAND) is not valid.
5
The RESCLASS is not defined to the external security manager (ESM).
8
The resource is not protected. This is only returned when QUERY SECURITY is used with the RESCLASS option (and never occurs with RESTYPE).
Possible causes include:
  • RESCLASS not active.
  • No profile found.
  • ESM not active.

Default action: terminate the task abnormally.

44 QIDERR
RESP2 values:
1
An indirect queue name associated with the given RESID is not found.

Default action: terminate the task abnormally.

69 USERIDERR
RESP2 values:
11
The specified USERID is not known to the external security manager.
12
The specified USERID is revoked.

Examples of values returned by QUERY SECURITY=RESTYPE

 
SEC=NO
When SEC=NO is specified, issuing: 
QUERY SECURITY RESTYPE('FILE') RESID('PAYFILE') ALTER(alter_cvda)
returns: 
alter_cvda = DFHVALUE(ALTERABLE)
because SEC=NO means that no security checking is done for the entire CICS region.
SEC=YES and XFCT=NO
When SEC=YES and XFCT=NO are specified, issuing: 
QUERY SECURITY RESTYPE('FILE') RESID('PAYFILE') ALTER(alter_cvda)
returns: 
alter_cvda = DFHVALUE(ALTERABLE)
because XFCT=NO means that no security checking is done for files.
SEC=YES, XDCT=YES, and SECPRFX=NO
When SEC=YES, XDCT=YES, and SECPRFX=NO are specified, issuing: 
QUERY SECURITY RESTYPE('TDQUEUE') RESID('TDQ1') READ(read_cvda)
returns: 
read_cvda = DFHVALUE(READABLE)
if the user has READ (or higher) access to 'TDQ1' in the DCICSDCT class or the ECICSDCT group class.
SEC=YES, XTRAN=YES, and SECPRFX=YES
When SEC=YES, XTRAN=YES, and SECPRFX=YES are specified, issuing: 
QUERY SECURITY RESTYPE('TRANSATTACH') RESID('TRN1') READ(read_cvda)
returns: 
read_cvda = DFHVALUE(NOTREADABLE)
if the user does not have READ (or higher) access to cics_region_userid.TRN1 in the TCICSTRN class or GCICSTRN group class.
SEC=YES, XTRAN=YES, and SECPRFX=YES
When SEC=YES, XTRAN=YES, and SECPRFX=YES are specified, issuing: 
QUERY SECURITY RESTYPE('TRANSATTACH') RESID('TRN1') READ(read_cvda)
returns: 
read_cvda = DFHVALUE(NOTREADABLE)
if the user does not have READ (or higher) access to cics_region_userid.TRN1 in the TCICSTRN class or GCICSTRN group class.
SEC=YES, XCMD=$USRCMD, and SECPRFX=prefix
When SEC=YES, XCMD=$USRCMD, and SECPRFX=prefix are specified, issuing: 
QUERY SECURITY RESTYPE('TRANSATTACH') RESID('TRN1') READ(read_cvda)
returns: 
read_cvda = DFHVALUE(NOTREADABLE)
if the user does not have READ (or higher) access to prefix.TRN1 in the TCICSTRN class or GCICSTRN group class.