To query the security authorization of the user.

QUERY SECURITY
>>-QUERY SECURITY----------------------------------------------->

>--+-RESTYPE(data-value)---------------------------+------------>
   '-RESCLASS(data-value)--RESIDLENGTH(data-value)-'

>--RESID(data-value)--+------------------+--+------------+------>
                      '-LOGMESSAGE(cvda)-'  '-READ(cvda)-'

>--+--------------+--+---------------+--+-------------+--------><
   '-UPDATE(cvda)-'  '-CONTROL(cvda)-'  '-ALTER(cvda)-'

Conditions: INVREQ, LENGERR, NOTFND, QIDERR
Description
QUERY SECURITY allows the application to determine whether the user has access to resources defined in the external security manager (ESM). These resources can be:
- In CICS® resource classes
- In user-defined resource classes

The user in this context is the user invoking the transaction that contains the QUERY SECURITY command.

For more information on the use of the QUERY SECURITY command, see CICS RACF® Security Guide.
Options
- ALTER(cvda)
  enables you to query whether the user has ALTER authority for the named resource. The cvda values returned by CICS are ALTERABLE and NOTALTERABLE.
- CONTROL(cvda)
  enables you to query whether the user has CONTROL authority for the named resource. The cvda values returned by CICS are CTRLABLE and NOTCTRLABLE.
- LOGMESSAGE(cvda)
  enables you to inhibit security violation messages. The values passed to CICS are LOG (the default value), or, to inhibit messages, NOLOG.
- READ(cvda)
  enables you to query whether the user has READ authority for the named resource. The cvda values returned by CICS are READABLE and NOTREADABLE. READ access authority usually permits nondestructive use of a resource as, for example, in the case of READ and INQUIRE commands.
- RESCLASS(data-value)
  specifies an 8-character field identifying the name of a valid resource class, which could be non-CICS, in the ESM. The class name identified by RESCLASS is treated literally with no translation.
  If the ESM is RACF, the class can be CICS-supplied or user-defined. RESCLASS enables you to define more narrowly the authorization to be queried; for example, you can query at the record or field level.
  The responses returned by the command reflect the definition of the RESID resource as defined in the specified RESCLASS.
- RESID(data-value)
  specifies the name of the CICS or user-defined resource that you want to query the user's access to. The value is a character string (1-12 characters for a CICS resource, and 1-246 characters for a user-defined resource, unless you are using the COBOL3 translator option, in which case the maximum length is 160 characters).
  Note: RESID refers to a CICS-defined resource only when RESTYPE('SPCOMMAND') is specified; otherwise it refers to a user-defined resource. For a list of the CICS RESID values that you can use when RESTYPE('SPCOMMAND') is specified, see CICS RACF Security Guide.
  Note that the actual resource checked depends on whether RESCLASS or RESTYPE is specified in the command and whether prefixing is active (SECPRFX=YES or SECPRFX=prefix specified as a system initialization parameter).
  If RESCLASS is specified, the resource checked is always the actual RESID data-value, whether prefixing is on or off. If RESTYPE is specified and SECPRFX=NO, the resource checked is the RESID data-value as specified. Otherwise the resource checked is the RESID data-value prefixed with either the CICS region userid (if SECPRFX=YES), or another prefix (if SECPRFX=prefix).
- RESIDLENGTH(data-value)
  specifies the length, as a fullword binary, of the resource identifier in RESID. You only use this parameter when specifying the RESCLASS option.
- RESTYPE(data-value)
  specifies the type of resource (1–12 characters) you want to query the user's access to.
  The responses returned by the command reflect the results that would be obtained if an actual attempt was made to access the specified CICS resource. The value you specify for RESTYPE must be one of the following resource types:
    DB2ENTRY
    FILE
    JOURNALNAME
    JOURNALNUM (see note 2)
    PROGRAM
    PSB
    SPCOMMAND (see note 1)
    TDQUEUE
    TRANSACTION
    TRANSATTACH
    TSQUEUE [8 byte TS queue names]
    TSQNAME [16 byte TS queue names]
  Notes:
    1 See CICS RACF Security Guide.
    2 Supported for compatibility with earlier releases.
  With dynamic transaction routing, it is not necessary to install transaction definitions in terminal owning regions. A QUERY SECURITY command with a RESTYPE of TRANSATTACH returns the NOTFND condition if the transaction is not installed. Programmers, however, should be aware that the transaction may be routed dynamically.
- UPDATE(cvda)
  enables you to query whether the user has UPDATE authority for the named resource. The cvda values returned by CICS are UPDATABLE and NOTUPDATABLE. UPDATE access authority usually permits destructive use of a resource as, for example, in the case of WRITE, DELETE, or UPDATE commands.
Conditions
- INVREQ
  RESP2 values:
  - 7
    The cvda value is not valid for the LOGMESSAGE option.
  - 9
    The RESID is invalid or filled with blanks.
  - 10
    The external security manager (ESM) is inactive or not present.
  Default action: terminate the task abnormally.
- LENGERR
  RESP2 values:
  - 6
    The RESIDLENGTH value is not valid, that is, not in the range 1 through 246.
  Default action: terminate the task abnormally.
- NOTFND
  RESP2 values:
  - 1
    The RESID is not valid.
  - 2
    The RESTYPE is not valid.
  - 3
    The RESID value for RESTYPE(SPCOMMAND) is not valid.
  - 5
    The RESCLASS is not defined to the external security manager (ESM).
  - 8
    The resource is not protected. This is only returned when QUERY SECURITY is used with the RESCLASS option (and never occurs with RESTYPE).
    Possible causes include:
    - RESCLASS not active.
    - No profile found.
    - ESM not active.
  Default action: terminate the task abnormally.
- QIDERR
  RESP2 values:
  - 1
    An indirect queue name associated with the given RESID is not found.
  Default action: terminate the task abnormally.
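
An added example, not taken from the IBM documentation: a COBOL program that queries READ and UPDATE authority for a user-defined resource through RESCLASS, suppresses violation messages with NOLOG, and uses RESP/RESP2 so that every condition listed above leaves access denied instead of abending the task. The program name QSECDEMO, the class name $PAYROLL and the resource name SALARY.FIELD are hypothetical placeholders.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. QSECDEMO.
      * Added example; class, resource and program names are made up.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-RESCLASS      PIC X(8)       VALUE '$PAYROLL'.
       01  WS-RESID         PIC X(246)     VALUE 'SALARY.FIELD'.
       01  WS-RESIDLEN      PIC S9(8) COMP VALUE +12.
       01  WS-LOGMSG        PIC S9(8) COMP.
       01  WS-READ          PIC S9(8) COMP.
       01  WS-UPDATE        PIC S9(8) COMP.
       01  WS-RESP          PIC S9(8) COMP.
       01  WS-RESP2         PIC S9(8) COMP.
       01  WS-ACCESS        PIC X          VALUE 'N'.
           88  ACCESS-NONE                 VALUE 'N'.
           88  ACCESS-READ                 VALUE 'R'.
           88  ACCESS-UPDATE               VALUE 'U'.
       PROCEDURE DIVISION.
      * Start from "no access" so every error path fails closed.
           SET ACCESS-NONE TO TRUE
      * NOLOG inhibits security violation messages for this query.
           MOVE DFHVALUE(NOLOG) TO WS-LOGMSG
           EXEC CICS QUERY SECURITY
                RESCLASS(WS-RESCLASS)
                RESIDLENGTH(WS-RESIDLEN)
                RESID(WS-RESID)
                LOGMESSAGE(WS-LOGMSG)
                READ(WS-READ)
                UPDATE(WS-UPDATE)
                RESP(WS-RESP)
                RESP2(WS-RESP2)
           END-EXEC
           EVALUATE TRUE
             WHEN WS-RESP = DFHRESP(NORMAL)
               IF WS-READ = DFHVALUE(READABLE)
                 SET ACCESS-READ TO TRUE
               END-IF
               IF WS-UPDATE = DFHVALUE(UPDATABLE)
                 SET ACCESS-UPDATE TO TRUE
               END-IF
      * NOTFND with RESP2 8 means "not protected" (class inactive,
      * no profile, or ESM inactive); it is not treated as a grant.
             WHEN WS-RESP = DFHRESP(NOTFND) AND WS-RESP2 = 8
               CONTINUE
      * INVREQ, LENGERR, other NOTFND, QIDERR: access stays denied.
             WHEN OTHER
               CONTINUE
           END-EVALUATE
           EXEC CICS RETURN END-EXEC.
```

Because RESCLASS is used, the name checked is the RESID value exactly as given, regardless of the SECPRFX setting.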