Using the QUERY SECURITY command

A typical use of the QUERY SECURITY command is to check whether a user is authorized to use a particular transaction before displaying the transaction code in a menu.

Security protection at the record or field level

Another use for QUERY SECURITY is to enable you to control access to data at the record or field level. The normal CICS® resource security checking for file resources, for example, works only at the file level. To control access to individual records, or even fields within records, you can use QUERY SECURITY. For this purpose, your security administrator must define resource profile names, with appropriate access authorizations, for the records or fields that you want to protect. These profiles are defined in user resource classes defined by the administrator, not in CICS resource classes.

To query these classes and resources, the QUERY SECURITY command uses the RESCLASS and RESID options (RESCLASS and RESTYPE are mutually exclusive options). You can use the CVDA values returned by QUERY SECURITY to determine whether to access the record or field.

CICS-defined resource identifiers

In all cases except for the SPCOMMAND resource type, the resource identifiers are user-defined. However, for the SPCOMMAND type, the identifiers are fixed by CICS. The CICS RACF® Security Guide details the possible RESID values for the SPCOMMAND resource type.

SEC system initialization parameter

The setting of the SEC system initialization parameter affects the CVDA values returned by the QUERY SECURITY command. The SEC system initialization parameters are described in more detail in the CICS RACF Security Guide.

Programming hints

 

[[ Contents Previous Page | Next Page Index ]]