Security for MQCONN and MQMONITOR commands

Use CICS® command security to control users' ability to issue SPI commands against MQCONN and MQMONITOR resource definitions. For example, you can use it to control which users are allowed to issue CREATE and DISCARD commands against the MQCONN resource definition for the CICS region.

When command security is enabled for a transaction, the external security manager checks that the user ID associated with the transaction is authorized to use the command on the MQCONN or MQMONITOR resource as appropriate. Resource security is not available for MQCONN and MQMONITOR resources.

CICS command security covers the EXEC CICS CREATE MQCONN, DISCARD MQCONN, SET MQCONN, INQUIRE MQCONN, CREATE MQMONITOR, DISCARD MQMONITOR, SET MQMONITOR, and INQUIRE MQMONITOR commands. For an explanation of command security and instructions to set up command security for a CICS region, see CICS command security. For a listing of the level of authority required for each command, see Resource and command check cross-reference.

When command security is active, to use the EXEC CICS SET MQCONN command to start or stop the connection to WebSphere® MQ, users must have authority to use the EXEC CICS SET MQCONN command, authority to issue EXEC CICS START commands for the transaction associated with the installed MQMONITOR resources, and also the authority to use the EXEC CICS EXTRACT EXIT command. If a user attempts to start or stop the connection when they do not have authority to use the EXEC CICS EXTRACT EXIT command, CICS issues messages DFHXS1111 and DFHMQ0302. If a user does not have authority to issue command EXEC CICS START specifying the transaction associated with the MQMONITOR, CICS issues message DFHMQ0390. User-written MQMONITOR programs must have authority to the EXEC CICS SET MQMONITOR command.