Using Alternate User IDs with APPC/VM

To authorize another virtual machine to access a data space, the application in the owning virtual machine calls the DMSSPCP (Permit Address Space Access) routine, specifying the logon ID (user ID) of the virtual machine to be permitted access. In cases where the owner of the data space is a server (for example, Shared File System (SFS)), the server usually obtains this user ID from information that is supplied by APPC when the APPC connection is established between the user and the server.

When a worker virtual machine (one that does work for other user virtual machines) is involved, however, there is an additional consideration, because worker virtual machines can run with an alternate user ID in effect. The alternate user ID is the user ID of the virtual machine on whose behalf the worker machine is performing the task. When the worker using an alternate user ID connects with the resource owner, APPC/VM reports the alternate user ID, rather than the logon ID, as the identity of the virtual machine making the connection.

Depending on how the application is written, a worker virtual machine might require access to a data space to perform work on behalf of the requester (user). In this case, the worker’s identity needs to be known because it is the worker virtual machine that needs to access the resource on behalf of the user. The virtual configuration identification token (VCIT) provides the identity of the APPC/VM connecting virtual machine, in this case the worker virtual machine. Thus, when a worker virtual machine is to be the permitted user of a data space, the resource owner virtual machine would specify the VCIT for the user parameter along with the VCIT option on the DMSSPCP routine, rather than specifying the alternate user ID.

A virtual machine using APPC/VM to communicate will have the VCIT of the connecting virtual machine passed as part of the connection pending extended data provided on an APPC connection request. When an APPC connection flows through TSAF, AVS, or an ISFC line (that is, when the connection originates outside of the system containing the target virtual machine), the VCIT field is zeros.

Note: Virtual Machine Communication Facility (VMCF) and Inter-User Communication Vehicle (IUCV) communication always supply the logon ID and never an alternate user ID or secure VCIT on their connection requests. Therefore, data space access permission must be granted using the user ID of the virtual machine making the connection (for example, a worker virtual machine) when using either of these means of communication.