Oracle User Impersonation Configuration

To find the appropriate database user credentials for CICS transactions or batch jobs, the Oracle XA switch module uses proxy authentication, calling the OCI function OCIAttrSet() with the parameter OCI_ATTR_PROXY_CLIENT. For this call to work properly, you must include an ALTER USER GRANT CONNECT THROUGH statement in your Oracle user credentials environment. This enables the xa_open user ID to impersonate the appropriate database user ID.

The following is provided as a simple example. Your security and database environment might dictate a different implementation. Please review the Oracle documentation on proxy authentication and other related topics before implementing your solution:

  1. Create the user cited in the xa_open string:
    CREATE USER XAOPENUSER IDENTIFIED BY XAOPENUSER;
    GRANT "CONNECT" TO XAOPENUSER;
  2. Create the user FRITZ to execute CICS or JCL:
    CREATE USER FRITZ IDENTIFIED BY FRITZ;
    GRANT "CONNECT" TO FRITZ;
  3. Grant database privileges to FRITZ:
    GRANT ALL ON SCHEMA1.TABLE1 TO FRITZ;
    GRANT "RESOURCE" TO FRITZ;
  4. Grant impersonate privileges to the xa_open string user to enable the xa_open string user to become FRITZ:
    ALTER USER FRITZ GRANT CONNECT THROUGH XAOPENUSER;
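
The following checks are an added example, not part of the product documentation: they show how to review and narrow the proxy grant created in the steps above. It assumes a DBA session with access to the DBA_PROXIES and DBA_ROLE_PRIVS views, and <xaopenuser_password> is a placeholder.

```sql
-- Added example. XAOPENUSER, FRITZ, "CONNECT" and "RESOURCE" come from the
-- steps above; <xaopenuser_password> is a placeholder.

-- 1. List every account XAOPENUSER may impersonate, and whether the proxy
--    session may activate all of the client's roles or only named ones.
SELECT proxy, client, authentication, authorization_constraint, role
  FROM dba_proxies
 WHERE proxy = 'XAOPENUSER'
 ORDER BY client;

-- 2. Flag any proxy grant that reaches an account holding the DBA role.
--    A row here means the xa_open credentials alone are enough to open a
--    DBA-privileged session.
SELECT DISTINCT p.proxy, p.client
  FROM dba_proxies p
  JOIN dba_role_privs r ON r.grantee = p.client
 WHERE r.granted_role = 'DBA';

-- 3. Narrower alternative to the grant in step 4: proxy sessions for FRITZ
--    may activate only the "CONNECT" role, so "RESOURCE" stays disabled when
--    connecting through XAOPENUSER. Privileges granted directly to FRITZ
--    (GRANT ALL ON SCHEMA1.TABLE1) are not roles and still apply.
ALTER USER FRITZ GRANT CONNECT THROUGH XAOPENUSER WITH ROLE "CONNECT";

-- 4. From SQL*Plus, open a proxy session with XAOPENUSER's password and
--    confirm which identity the session runs as and who proxied it.
CONNECT XAOPENUSER[FRITZ]/<xaopenuser_password>
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS effective_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS via_proxy
  FROM dual;

-- 5. Remove the impersonation right when FRITZ no longer runs CICS or JCL work.
ALTER USER FRITZ REVOKE CONNECT THROUGH XAOPENUSER;
```

In a correctly configured environment, query 4 returns FRITZ as the effective user and XAOPENUSER as the proxy, and query 2 returns no rows.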