Application-specific security (QUERY SECURITY)

In general, it is not advisable for application code to do all its own security checking; this should be the responsibility of CICS. But in some cases you might want to include your own security checking in an application program, perhaps to enhance the user experience or to simplify the application.

The QUERY SECURITY command determines the level of access that a user has to a particular resource. Then the application program uses the values returned by the command to determine what action to take. The QUERY SECURITY command does not itself grant or deny access to a resource.

Here are some examples of how you might use QUERY SECURITY:
  • Produce a menu application of only those options that a user is allowed to use. This can simplify the application design because all users have the same initial transaction but the navigation through the application depends on their individual authority. Figure 1 shows the difference that this makes to the flow of the application.
  • Securing non-CICS resources. For example, you might have all customer records in one file but only allow users to access records in their region. You can define your own RACF class, with a series of profiles for each region.
  • Check if a user has access to all resources required before executing a series of API requests. This can simplify error recovery and improve the user experience. For example, an application requires access to three files. The user updates the first two files but finds that they don’t have access to the last file. Correcting this situation requires a syncpoint rollback. It could be easier to return a message before the API requests start.
Figure 1. Application flows without and with QUERY SECURITY
Two flow charts side by side depicting application flows without and then with QUERY SECURITY

You can query whether a user has READ, UPDATE, CONTROL, or ALTER authority on a resource.

There are two forms of the QUERY SECURITY command:
QUERY SECURITY RESTYPE
QUERY SECURITY RESTYPE enables an application program to request from RACF the level of access a terminal user has to a specified resource for the environment in which the transaction is running. You can query access levels to CICS resources (including Db2® resource definitions) that are contained in the RACF classes activated at initialization by RACLIST. RESTYPE is a resource type that corresponds to one of the set of system initialization parameters that start with X, known as the Xnnn parameters. These Xnnn parameters activate resource security checking with the exception of z/OS UNIX files. There is an additional resource type, SPCOMMAND, that corresponds to the XCMD system initialization parameter used to activate command security checking.

Before calling RACF, for all resources except PSBs, CICS checks that the resource is installed. If the resource does not exist, CICS does not call RACF and returns the NOTFND condition.

QUERY SECURITY RESCLASS
Queries access levels for non-CICS resources that are contained in RACF general resource classes, such as TERMINAL, FACILITY, or a similar resource class that you have defined.

For information about using QUERY SECURITY, see QUERY SECURITY.