Integration server user IDs on z/OS

On z/OS®, you can specify an alternative user ID to run an integration server, so that the integration server accesses resources according to the permissions assigned to that user ID rather than the permissions assigned to the main integration node user ID.

You can specify an alternative user ID to run an integration server, which means that you can run one or more message flows under a different user ID from the main integration node ID. When external resources are accessed by a message flow, access is granted according to the permissions assigned to the user ID that is running the integration server. By having different user IDs for different integration servers, you can control the access to resources at the level of the integration server rather than at the level of the main integration node user ID. The user IDs for the integration servers must be in the same primary group as the main integration node user ID, so that shared resources can be read and updated.

On z/OS, the user ID assigned to the integration node is the started task (STC) user ID that is assigned to the started task JCL. By default, each integration node on z/OS has a single started task JCL, which is used to start the main integration node address space and all associated integration server address spaces. However, you can specify a different started task JCL, and therefore a different user ID, for one or more integration servers. As a result, integration servers can be started using a different started task JCL and run under different user IDs with different permissions to access resources. For example, an integration server can access messages from WebSphere® MQ through the integration server's task ID (rather than the main integration node ID) by default. Integration servers can also access files according to the permissions that are assigned to the integration server's user ID.

You can specify the required environment variable in the main integration node profile, BIPBPROF. You can use the MQSI_STARTEDTASK_FIXED_integrationServerName, MQSI_STARTEDTASK_MULTI_integrationServerName, or MQSI_STARTEDTASK_DEFAULT environment variables to specify a different started task and user ID for one or more integration servers (where integrationServerName is the name of your integration server). These environment variables override the started task and user ID that are associated with the integration node, and replace them with the started task and user ID associated with a specific integration server:
  • Use the MQSI_STARTEDTASK_FIXED_integrationServerName=STC environment variable to specify the name of one or more integration servers (where integrationServerName is the last 8 characters of the integration server name, and STC is the name of the integration server started task JCL). For example, specify 1DEFAULT in place of integrationServerName to override an integration server called TEST1DEFAULT. If multiple integration servers end with the same 8 characters, all will be overridden; for example, TEST11DEFAULT would be overridden, but TEST12DEFAULT would not.
  • Use the MQSI_STARTEDTASK_MULTI_integrationServerName=STC environment variable to override the user ID for multiple integration servers (where integrationServerName functions as a wildcard and STC is the name of the started task JCL that is used to start each of the integration servers). For example, specify MQ05 in place of integrationServerName to override the user ID for any integration servers in which the last 8 characters start with MQ05.
  • Use the MQSI_STARTEDTASK_DEFAULT=STC environment variable to override the started task JCL (STC) for all integration servers, unless it is overridden by the MQSI_STARTEDTASK_FIXED_integrationServerName or MQSI_STARTEDTASK_MULTI_integrationServerName environment variable.
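Because matching uses only the last 8 characters of the integration server name, one override can apply to more servers than intended. The following added example (not IBM code) resolves the started task that each integration server would use under the rules above and lists FIXED overrides shared by several servers. It assumes that FIXED is checked before MULTI and that the longest MULTI wildcard wins, neither of which is stated on this page; the started task and server names are constructed.

```python
# Added example: resolve which started task JCL each integration server uses.
PREFIX = "MQSI_STARTEDTASK_"

def resolve_stc(server, env, node_stc):
    """Return (started_task, deciding_variable) for one integration server."""
    suffix = server[-8:]  # only the last 8 characters of the name are compared
    fixed = env.get(PREFIX + "FIXED_" + suffix)
    if fixed:  # assumption: FIXED is checked before MULTI
        return fixed, PREFIX + "FIXED_" + suffix
    multi = [k for k in env
             if k.startswith(PREFIX + "MULTI_")
             and suffix.startswith(k[len(PREFIX + "MULTI_"):])]
    if multi:
        best = max(multi, key=len)  # assumption: longest wildcard wins
        return env[best], best
    if env.get(PREFIX + "DEFAULT"):
        return env[PREFIX + "DEFAULT"], PREFIX + "DEFAULT"
    return node_stc, "integration node started task"

def audit(servers, env, node_stc):
    """Map each server to its effective started task; list shared FIXED matches."""
    result = {s: resolve_stc(s, env, node_stc) for s in servers}
    shared = {}
    for s, (_, var) in result.items():
        if var.startswith(PREFIX + "FIXED_"):
            shared.setdefault(var, []).append(s)
    collisions = {v: names for v, names in shared.items() if len(names) > 1}
    return result, collisions

# Constructed sample values (started task names are placeholders)
SAMPLE_ENV = {
    "MQSI_STARTEDTASK_FIXED_1DEFAULT": "STCFIX1",
    "MQSI_STARTEDTASK_MULTI_MQ05": "STCMQ05",
    "MQSI_STARTEDTASK_DEFAULT": "STCDFLT",
}
SAMPLE_SERVERS = ["TEST1DEFAULT", "TEST11DEFAULT", "TEST12DEFAULT",
                  "MQ05PAY", "PRODMQ05FLOW1"]

if __name__ == "__main__":
    effective, collisions = audit(SAMPLE_SERVERS, SAMPLE_ENV, "STCNODE")
    for name, (stc, var) in effective.items():
        print(f"{name:15} -> {stc:8} ({var})")
    for var, names in collisions.items():
        print(f"shared override {var}: {', '.join(names)}")
```

In the sample, PRODMQ05FLOW1 contains MQ05 but its last 8 characters are Q05FLOW1, so the MULTI override does not apply and the server falls through to MQSI_STARTEDTASK_DEFAULT.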

For information about how to define a user ID on an integration server, see Specifying an alternative user ID to run an integration server on z/OS.