IPIC user security

User security is about using an authenticated or asserted user ID that represents the user. This user ID is known as the task user ID. The CICS® region verifies that the task user ID has the authority to initiate requests and that it has access to the resources used by the initiated tasks.

Purpose of user security

User security has multiple purposes:

  • It allows the propagation of the task user ID security context from the local CICS region to the remote CICS region, even when new work is started. Therefore, it allows tasks in the remote CICS region to continue to run under the initial task user ID.
  • It allows the remote CICS region to authorize the requests that are received from the local CICS region based on the task user ID.
  • It allows auditing at the task user ID level.

Determining the user security

User security causes a check of the security context that flows with each transaction request from the sending system to the target CICS region. It is controlled by the USERAUTH attribute in the IPCONN resource definition in the remote CICS region.

Figure 1 shows the security attributes defined in the resource definitions for user security.

Figure 1. Resource definition attributes used for user security (diagram: shows the local and remote CICS regions and how the region user IDs and task user IDs are connected)
The security context can identify one of the following types of user:
  • The user ID of the CICS transaction that issues the remote request.
  • The user ID that is flowed in a client request from a connected client system, such as CICS Transaction Gateway or z/OS® Connect.
  • The distributed identity that is flowed in a request from a connected CICS region or client system. For more information, see Identity propagation.

The user security check validates the flowed user security context either by verifying a flowed password or by using a TLS client certificate. Alternatively, in specific circumstances (see note 1 under Table 1), the server can trust that the link from the sending system has already verified the identity of the request. In this case, no authentication check occurs and the server validates only that the flowed user ID exists in the local user registry. This condition is known as a trusted connection.

Identification and authentication

User security validates the user ID that is flowed and its password based on the USERAUTH attributes on the IPCONN resource definition. These checks are summarized in Table 1.

Table 1. Identification and authentication

| USERAUTH attribute | Description |
|---|---|
| IDENTIFY (see note 1) | The asserted user ID is trusted by the remote region, but it is validated to check that RACF® knows about this user ID. |
| VERIFY | The client user ID and password are verified by RACF in the remote region. |
| LOCAL | No user ID is flowed, so no authentication is required. |
| DEFAULTUSER | No user ID is flowed, so no authentication is required. |

Note 1: USERAUTH(IDENTIFY) is only valid on a trusted link. Therefore, it is restricted to the following conditions:
  • IPIC connections that use TLS client authentication: that is, the TCPIPSERVICE resource definition specifies SSL(CLIENTAUTH).
  • The remote socket is established by a trusted route within the sysplex, as determined by TCP/IP and reported to CICS through the SO_CLUSTERCONNTYPE socket option that z/OS Communications Server returns. You can inquire on this value with the CICS command INQUIRE IPCONN() CLIENTLOC().

How is the task user ID determined?

Depending on the setting of the link user ID and the USERAUTH option on the IPCONN resource definition, each user request runs under the task user ID that is shown in Table 2. However, in cases where a link user ID is also provided, it is associated with the task as a secondary user ID. This secondary user ID is used in addition to the task user ID for all transaction security and resource security checks.

Table 2. How to identify the secondary ID when a link user ID is provided

Local CICS region: cicsA. Remote CICS region: cicsB, with default user ID defaultUseridB.

| Region user ID (cicsA) | Task user ID (cicsA) | Region user ID (cicsB) | USERAUTH on IPCONN (cicsB) | Link user ID (cicsB) * | Task user ID (cicsB) |
|---|---|---|---|---|---|
| regionUseridA | taskUseridA | regionUseridB | LOCAL | linkUseridB | linkUseridB |
| regionUseridA | taskUseridA | regionUseridB | LOCAL | regionUseridA | defaultUseridB ** |
| regionUseridA | taskUseridA | regionUseridB | IDENTIFY or VERIFY | linkUseridB | taskUseridA |
| regionUseridA | taskUseridA | regionUseridB | IDENTIFY or VERIFY | regionUseridA | taskUseridA |
| regionUseridA | taskUseridA | regionUseridB | DEFAULTUSER | linkUseridB | defaultUseridB ** |
| regionUseridA | taskUseridA | regionUseridB | DEFAULTUSER | regionUseridA | defaultUseridB ** |

* The link user ID can be either predefined in the IPCONN resource definition or set dynamically from the TLS client certificate that is used for the inbound IPCONN resource definition. If the link user ID is not set in either of these ways, it defaults to the region user ID. See How it works: IPIC link security.

** Recommended: Avoid using the default user ID as the task user ID. The default user ID must not have authority to access resources or run transactions other than CAT 3 transactions.
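The rules in Table 1, note 1 and Table 2 can be read as one decision procedure: is the configured USERAUTH valid on this link, does the flowed identity pass the check that USERAUTH demands, and which task user ID and secondary user ID does the request end up with in the remote region. The following is an added illustration of that procedure, not CICS or RACF code; the dataclass fields, the constructed REGISTRY, the DEFAULT_USERID value and the resolve() function are all assumptions chosen to mirror the page, and the treatment of the secondary user ID (attached only when a link user ID is explicitly provided and is not already the task user ID) is this example's reading of the text above.

```python
"""Model of the IPIC user-security decisions described on this page.
Illustrative only: the field names, registry and helper functions are assumed."""
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the remote region's user registry (RACF):
# user ID -> password, or None when the ID has no password to verify against.
REGISTRY = {
    "TASKA": "s3cret",   # task user ID flowed from cicsA
    "REGIONA": None,     # region user ID of cicsA
    "LINKB": None,       # link user ID predefined on the IPCONN in cicsB
    "DFLTB": None,       # default user ID of cicsB
}
DEFAULT_USERID = "DFLTB"  # assumed default user ID of the remote region


@dataclass
class Ipconn:
    """Security-relevant view of an inbound IPCONN in the remote region (assumed fields)."""
    userauth: str                        # LOCAL | IDENTIFY | VERIFY | DEFAULTUSER
    link_userid: Optional[str] = None    # predefined or certificate-derived link user ID
    tls_clientauth: bool = False         # TCPIPSERVICE specifies SSL(CLIENTAUTH)
    clientloc_trusted: bool = False      # socket came over a trusted sysplex route (CLIENTLOC)


@dataclass
class Request:
    """What the sending region flows with one request (assumed fields)."""
    sending_region_userid: str
    task_userid: Optional[str] = None
    password: Optional[str] = None


@dataclass
class Outcome:
    task_userid: Optional[str]        # None means the request is rejected
    secondary_userid: Optional[str]
    reason: str
    warnings: list = field(default_factory=list)


def is_trusted_link(conn: Ipconn) -> bool:
    """Note 1: IDENTIFY is only valid when the link is trusted."""
    return conn.tls_clientauth or conn.clientloc_trusted


def effective_link_userid(conn: Ipconn, req: Request) -> str:
    """Footnote *: the link user ID defaults to the sending region's user ID."""
    return conn.link_userid or req.sending_region_userid


def resolve(conn: Ipconn, req: Request, registry=REGISTRY) -> Outcome:
    """Apply Table 1 (authentication) and Table 2 (resulting task user ID)."""
    mode = conn.userauth.upper()
    if mode == "IDENTIFY" and not is_trusted_link(conn):
        return Outcome(None, None, "USERAUTH(IDENTIFY) rejected: link is not trusted "
                                   "(no SSL(CLIENTAUTH) and no trusted CLIENTLOC)")
    if mode in ("IDENTIFY", "VERIFY"):
        uid = req.task_userid
        # Both modes require the flowed user ID to exist in the registry.
        if uid is None or uid not in registry:
            return Outcome(None, None, f"flowed user ID {uid!r} is not known to the registry")
        if mode == "VERIFY":
            stored = registry[uid]
            if stored is None or req.password is None or not hmac.compare_digest(stored, req.password):
                return Outcome(None, None, f"password verification failed for {uid!r}")
            reason = "user ID and password verified"
        else:
            reason = "user ID asserted on trusted link; existence checked only"
        task = uid
    elif mode == "LOCAL":
        # No user ID flowed: run as the explicit link user ID, else the default user ID.
        task = conn.link_userid if conn.link_userid else DEFAULT_USERID
        reason = "no user ID flowed; task runs as link user ID or default user ID"
    elif mode == "DEFAULTUSER":
        task = DEFAULT_USERID
        reason = "no user ID flowed; task runs as default user ID"
    else:
        raise ValueError(f"unknown USERAUTH value {conn.userauth!r}")
    # An explicitly provided link user ID is attached as the secondary user ID
    # (this example's reading; omitted when it is already the task user ID).
    secondary = conn.link_userid if conn.link_userid and conn.link_userid != task else None
    warnings = []
    if task == DEFAULT_USERID:
        warnings.append("task runs under the default user ID (marked ** in Table 2)")
    return Outcome(task, secondary, reason, warnings)


if __name__ == "__main__":
    for conn, req in [
        (Ipconn("IDENTIFY", link_userid="LINKB"), Request("REGIONA", "TASKA")),
        (Ipconn("IDENTIFY", link_userid="LINKB", tls_clientauth=True), Request("REGIONA", "TASKA")),
        (Ipconn("LOCAL"), Request("REGIONA")),
    ]:
        print(conn.userauth, "->", resolve(conn, req))
```

Running the block prints one Outcome per sample: the IDENTIFY case is rejected until the link is trusted, and the LOCAL case with no link user ID lands on the default user ID with the warning the page's ** note corresponds to.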