What Does 'Impersonation' Actually Do?

We have been struggling to get a grasp on Impersonation under CICS. We have an RPC Server running, but the actual implications of what ‘impersonation’ still seem to ellude us.

From the documentation:

What are the implications? What value should be in some of the system variables when executing a Natural object through a CICS RPC Server with Impersonation? e.g. What will be the values for:


Our specific issue appears to be that when the RPC Server task is started under CICS, the user (or owner) associated with that task is the user-id that is loaded into *INIT-USER as well as in the ‘control block’ that is utilized or referenced by CICS as well as by RACF in our case. Thus, even though we pass a user-id through the web service, we are not able to truly verify authority with RACF as the user-id that is passed is not the user-id that gets loaded into *INIT-USER or the ‘control block’. We were hoping to be able to leverage our existing security infrastructure as we modernize our system.

Just looking to get a discussion going on Impersonation, what it ‘truly’ is or will do, who is using, how, etc.


Versions of Stuff:
Natural 4.2.6
Natural CICS Interface 4.2.6
Natural for DB2 4.3.1
z/OS 1.10.00
Natural nucleus version : 4.2.6
Natural system file version : 4.2.6 service pack 5
Natural RPC version : 6.3.3 update level 3
Natural RPC front-end version : 6.3.2

I don’t know to which ‘control block’ that is utilized or referenced by CICS as well as by RACF you are referring. If you access the ACEE in the impersonated CICS task using EXEC CICS ADDRESS ACEE() you get the ACEE for the impersonated user ID (which is the client user ID in the LOGON data).
*INIT-USER contains indeed always the user ID of the user who has started the RPC server front-end.
Best regards

I believe RACF is accessing data in the ACEE.

Can you give a specific example of

What is LOGON data? What user ID do you expect to be in there?


CICS RPC Server with Impersonation is started as a task under owner TXU.

A web service is called with following in SOAP Header:
RPC-User = Natural-User-ID <---- This is the user ID we are trying to impersonate
RPC PW = Natural-User-ID-PW

The web service returns system variables, and shows the following values:

*INIT-USER = TXU <-------- The owner that started the task
*USER = Natural-User-ID

I am 99.99% certain that the ACEE block contains ‘TXU’ as a user ID. This is the result of TXU being the ‘user’ that created/initiated the CICS connection. The ACEE does not get overlaid/updated through Impersonation.

Is that what you would expect?

are your RPC User IDs the same as the RACF User IDs? If so, use the Natural Security Logon Option to ensure that the user id is authenticated by EntireX Security and the two id’s are the same. Then *USER will be your ACEE user id.