QUERY SECURITY

Query the security authorization of a user.

QUERY SECURITY

QUERY SECURITY
    {RESTYPE(data-value) | RESCLASS(data-value) RESIDLENGTH(data-value)}
    RESID(data-value)
    [LOGMESSAGE(cvda)]
    [USERID(data-value)]
    [READ(cvda)] [UPDATE(cvda)] [CONTROL(cvda)] [ALTER(cvda)]

Conditions: INVREQ, LENGERR, NOTAUTH, NOTFND, QIDERR, USERIDERR

This command is threadsafe.

Description

The QUERY SECURITY command allows the application to determine whether a user has access to resources defined in the external security manager (ESM). These resources can be in CICS® resource classes or in user-defined resource classes.

If USERID is not specified, the user to be queried is the user that invokes the transaction issuing the QUERY SECURITY command.

Alternatively, the application can query the security authorization of a different user that is specified in the USERID option.

For more information on the use of the QUERY SECURITY command, see Security checking using the Query Security command.

Options

ALTER(cvda)
Query whether the user has ALTER authority for the named resource. The cvda values returned by CICS are ALTERABLE and NOTALTERABLE.
CONTROL(cvda)
Query whether the user has CONTROL authority for the named resource. The cvda values returned by CICS are CTRLABLE and NOTCTRLABLE.
LOGMESSAGE(cvda)
Inhibit security violation messages. The values passed to CICS are LOG (the default value), or, to inhibit messages, NOLOG.
READ(cvda)
Query whether the user has READ authority command for the named resource. The cvda values returned by CICS are READABLE and NOTREADABLE. READ access authority usually permits nondestructive use of a resource as, for example, in the case of READ and INQUIRE commands.
RESCLASS(data-value)
Specifies an 8-character field identifying the name of a valid resource class, which could be non-CICS, in the ESM. The class name identified by RESCLASS is treated literally with no translation.

If the ESM is RACF®, the class can be CICS-supplied or user-defined. RESCLASS enables you to define more narrowly the authorization to be queried; for example, you can query at the record or field level.

The responses returned by the command reflect the definition of the RESID resource as defined in the specified RESCLASS.

RESID(data-value)
Specifies the name of the CICS or user-defined resource whose access by the user you want to query. The value is a character string (1-12 characters for a CICS resource, and 1-246 characters for a user-defined resource, unless you are using the COBOL3 translator option, in which case the maximum length is 160 characters).
Note: RESID refers to a CICS-defined resource only when RESTYPE('SPCOMMAND') is specified; otherwise, it refers to a user-defined resource. For a list of the CICS RESID values that you can use when RESTYPE('SPCOMMAND') is specified, see RESID values.

Note that the actual resource checked depends on whether RESCLASS or RESTYPE is specified in the command and whether prefixing is active (SECPRFX=YES or SECPRFX=prefix specified as a system initialization parameter).

If RESCLASS is specified, the resource checked is always the actual RESID data-value, whether or not prefixing is on or off. If RESTYPE is specified and prefixing is not active (SECPRFX=NO), the resource checked is the specified RESID value. Otherwise the resource checked is the RESID value prefixed with either the CICS region userid (if SECPRFX=YES), or another prefix (if SECPRFX=prefix).

RESIDLENGTH(data-value)
Specifies the length, as a fullword binary, of the resource identifier in RESID. You only use this parameter when specifying the RESCLASS option.
RESTYPE(data-value)
Specifies the type of resource (1–12 characters) you want to query the user's access to.

The responses returned by the command reflect the results that would be obtained if an actual attempt was made to access the specified CICS resource. The value you specify for RESTYPE must be one of the following resource types:

Table 1. QUERY SECURITY RESTYPE values

RESTYPE value      Xname parameter
ATOMSERVICE        XRES
BUNDLE             XRES
DB2ENTRY           XDB2
DOCTEMPLATE        XRES
EPADAPTER          XRES
EPADAPTERSET       XRES
EVENTBINDING       XRES
FILE               XFCT
JOURNALNAME        XJCT
JOURNALNUM (1)     XJCT
JVMSERVER          XRES
PROGRAM            XPPT
PSB                XPSB
SPCOMMAND (2)      XCMD
TDQUEUE            XDCT
TRANSACTION        XPCT
TRANSATTACH        XTRAN
TSQUEUE            XTST
TSQNAME            XTST
XMLTRANSFORM       XRES

  1. Supported for compatibility with earlier releases.
  2. SPCOMMAND is a resource type that you can use to specify a RESID for a command.

The XHFS system initialization parameter controls resource security for zFS files and does not have a corresponding RESTYPE value on the QUERY SECURITY command. Access controls for zFS files follow the system of permissions used by z/OS® UNIX System Services, so they operate in a different way.

With dynamic transaction routing, you do not have to install transaction definitions in terminal owning regions. A QUERY SECURITY command with a RESTYPE of TRANSATTACH returns the NOTFND condition if the transaction is not installed. Application developers must be aware that the transaction might be routed dynamically.

If you issue QUERY SECURITY RESTYPE(TRANSATTACH) RESID(tranid) READ(cvda), this command returns the CVDA value of READABLE if the user has READ authority for the resource with the name tranid, but NOTREADABLE if the user has only EXECUTE authority. Therefore, applications that use QUERY SECURITY RESTYPE(TRANSATTACH) to build a menu of available transactions will not work if EXECUTE authority is used.
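The menu-building case described above, as an added COBOL example that is not part of the CICS documentation: the paragraph probes TRANSATTACH access for the signed-on user and keeps NOTFND (transaction not installed locally, as happens in a dynamically routing TOR) separate from NOTREADABLE (which also covers a user holding only EXECUTE authority). WS-TRANID and the MENU-* flag names are constructed for the example.

```cobol
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-TRANID          PIC X(4)  VALUE 'MENU'.
       01  WS-READ-CVDA       PIC S9(8) COMP.
       01  WS-RESP            PIC S9(8) COMP.
       01  WS-RESP2           PIC S9(8) COMP.
       01  WS-MENU-STATE      PIC X(12).
           88  MENU-SHOW             VALUE 'SHOW'.
           88  MENU-HIDE             VALUE 'HIDE'.
           88  MENU-NOT-INSTALLED    VALUE 'NOTINSTALLED'.
           88  MENU-CHECK-FAILED     VALUE 'CHECKFAILED'.

       PROCEDURE DIVISION.
       CHECK-MENU-TRAN.
      *    Ask the ESM whether the signed-on user may attach WS-TRANID.
      *    NOLOG suppresses violation messages: a menu probe is not an
      *    access attempt, so a "no" here is not a security event.
           EXEC CICS QUERY SECURITY
                RESTYPE('TRANSATTACH')
                RESID(WS-TRANID)
                READ(WS-READ-CVDA)
                LOGMESSAGE(DFHVALUE(NOLOG))
                RESP(WS-RESP)
                RESP2(WS-RESP2)
           END-EXEC
           EVALUATE TRUE
               WHEN WS-RESP = DFHRESP(NORMAL)
      *            READABLE needs READ access to the profile; a user
      *            granted only EXECUTE comes back NOTREADABLE, so the
      *            menu must not be the only path to the transaction.
                   IF WS-READ-CVDA = DFHVALUE(READABLE)
                       SET MENU-SHOW TO TRUE
                   ELSE
                       SET MENU-HIDE TO TRUE
                   END-IF
               WHEN WS-RESP = DFHRESP(NOTFND)
      *            Not installed in this region, which is normal when
      *            the transaction is routed dynamically: fail closed
      *            for the menu rather than assuming access.
                   SET MENU-NOT-INSTALLED TO TRUE
               WHEN OTHER
      *            INVREQ (for example RESP2 10, ESM inactive): keep
      *            RESP/RESP2 for diagnosis and do not show the entry.
                   SET MENU-CHECK-FAILED TO TRUE
           END-EVALUATE
           .
```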

UPDATE(cvda)
Query whether the user has UPDATE authority for the named resource. The CVDA values returned by CICS are UPDATABLE and NOTUPDATABLE. UPDATE access authority usually permits destructive use of a resource as, for example, in the case of WRITE, DELETE, or UPDATE commands.
USERID(data-value)
Specifies the 8-character user ID of the user whose access to the specified resources is queried.

The user who invokes the transaction issuing the QUERY SECURITY command must have the necessary authority to query whether another user, as specified in USERID, has access to the specified resource. CICS performs a surrogate user check to verify that the user invoking the transaction is authorized to act for the user specified in USERID. If the surrogate user check fails, CICS returns a NOTAUTH condition.
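An added COBOL example, not from the CICS documentation, that combines the USERID option with a user-defined RESCLASS and RESIDLENGTH, and distinguishes the outcomes a defender cares about: surrogate check refused (NOTAUTH, RESP2 102), no profile protecting the resource (NOTFND, RESP2 8) and an unknown or revoked target user (USERIDERR). The class name PAYRECS, the profile name and the user ID CLERK01 are constructed; with RESCLASS the RESID is checked literally and is never prefixed by SECPRFX.

```cobol
       WORKING-STORAGE SECTION.
      *    Constructed RACF class, record-level profile and target user.
       01  WS-RESCLASS        PIC X(8)  VALUE 'PAYRECS '.
       01  WS-RESID           PIC X(32) VALUE 'PAYROLL.SALARY.DEPT42'.
       01  WS-RESID-LEN       PIC S9(8) COMP VALUE 21.
       01  WS-TARGET-USER     PIC X(8)  VALUE 'CLERK01 '.
       01  WS-UPDATE-CVDA     PIC S9(8) COMP.
       01  WS-RESP            PIC S9(8) COMP.
       01  WS-RESP2           PIC S9(8) COMP.
       01  WS-OUTCOME         PIC X(16).
           88  OUT-CAN-UPDATE          VALUE 'CAN-UPDATE'.
           88  OUT-NO-UPDATE           VALUE 'NO-UPDATE'.
           88  OUT-UNPROTECTED         VALUE 'UNPROTECTED'.
           88  OUT-SURROGATE-DENIED    VALUE 'SURROGATE-DENIED'.
           88  OUT-USERID-BAD          VALUE 'USERID-BAD'.
           88  OUT-OTHER-ERROR         VALUE 'OTHER-ERROR'.

       PROCEDURE DIVISION.
       CHECK-OTHER-USER.
           EXEC CICS QUERY SECURITY
                RESCLASS(WS-RESCLASS)
                RESID(WS-RESID)
                RESIDLENGTH(WS-RESID-LEN)
                USERID(WS-TARGET-USER)
                UPDATE(WS-UPDATE-CVDA)
                RESP(WS-RESP)
                RESP2(WS-RESP2)
           END-EXEC
           EVALUATE TRUE
               WHEN WS-RESP = DFHRESP(NORMAL)
                   IF WS-UPDATE-CVDA = DFHVALUE(UPDATABLE)
                       SET OUT-CAN-UPDATE TO TRUE
                   ELSE
                       SET OUT-NO-UPDATE TO TRUE
                   END-IF
               WHEN WS-RESP = DFHRESP(NOTFND) AND WS-RESP2 = 8
      *            Class inactive, no profile, or ESM down: report
      *            "unprotected" as a finding, not as permission.
                   SET OUT-UNPROTECTED TO TRUE
               WHEN WS-RESP = DFHRESP(NOTAUTH) AND WS-RESP2 = 102
      *            Issuing user is not a permitted surrogate of
      *            WS-TARGET-USER; the query itself was refused.
                   SET OUT-SURROGATE-DENIED TO TRUE
               WHEN WS-RESP = DFHRESP(USERIDERR)
      *            RESP2 11: unknown to the ESM; RESP2 12: revoked.
                   SET OUT-USERID-BAD TO TRUE
               WHEN OTHER
                   SET OUT-OTHER-ERROR TO TRUE
           END-EVALUATE
           .
```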

Conditions

16 INVREQ
RESP2 values:
7
The cvda value specified for LOGMESSAGE is not valid.
9
The RESID is invalid or filled with blanks.
10
The external security manager (ESM) is inactive or not present.

Default action: terminate the task abnormally.

22 LENGERR
RESP2 values:
6
The RESIDLENGTH value is not valid, that is, not in the range 1 through 246.

Default action: terminate the task abnormally.

70 NOTAUTH
RESP2 values:
102
The surrogate user security check on the specified USERID fails.

The security access capabilities of the transaction that issued the command do not allow the command to be performed with the value specified in the USERID option.

The security access capabilities of the transaction have been established by the external security manager according to the user security, and whether link security or the execution diagnostic facility (EDF) has been in use.

Default action: terminate the task abnormally.

13 NOTFND
RESP2 values:
1
The RESID is not valid.
2
The RESTYPE is not valid.
3
The RESID value for RESTYPE(SPCOMMAND) is not valid.
5
The RESCLASS is not defined to the external security manager (ESM).
8
The resource is not protected. This is only returned when QUERY SECURITY is used with the RESCLASS option (and never occurs with RESTYPE).
Possible causes include:
  • RESCLASS not active.
  • No profile found.
  • ESM not active.

Default action: terminate the task abnormally.

44 QIDERR
RESP2 values:
1
An indirect queue name associated with the given RESID is not found.

Default action: terminate the task abnormally.

69 USERIDERR
RESP2 values:
11
The specified USERID is not known to the external security manager.
12
The specified USERID is revoked.