We use MQ trigger monitor CSQQTRMN to trigger IMS message driven transaction.
The IMS transaction issues RACF call PLITDLI (THREE, AUTH,PCB1, AUTH_IO) to check if user has authorization to execute a requested function but the userid that triggers transactions is always CSQQTRMN.
Is there a way to plug in user id in the IMS triggered transaction before application calls RACF?
This topic has been locked.
1 reply Latest Post - 2010-06-29T19:24:01Z by KevinStewart
Pinned topic IMS V9 Auth Call / MQ trigger Monitor CSQQTRMN
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2010-06-29T19:24:01Z at 2010-06-29T19:24:01Z by KevinStewart
KevinStewart 060000X9PQ1 PostACCEPTED ANSWER
Re: IMS V9 Auth Call / MQ trigger Monitor CSQQTRMN2010-06-29T19:24:01Z in response to usalaludThe short answer to this is 'NO'. A transaction that originates from the MQ Trigger Monitor BMP will have either the BMP's PSBNAME as userid, or the USER= userid from BMP JCL, depending on what is specified for IMS startup parametr BMPUSID=.
I think you can see that an API to alter the userid associated with an input message is itself a security exposure.
If you replace the MQ Trigger Monitor BMP with the MQ OTMA Bridge, the transactions will arrive via OTMA and can include a 'correct' enduser userid as part of the OTMA prefix sent to IMS. In that case, your problem is solved since the transaction will run with that userid.