MSS emulates the behavior of the QUERY SECURITY CICS command by calling a user exit program. On the mainframe the QUERY SECURITY command interrogates an external security manager (ESM) such as IBM's RACF and returns information to the application about the level of access that a particular end-user is allowed to have to a particular resource. The user exit program must return the same information.
A default user exit program is supplied, and as supplied, this program returns NOT for all types of access. In other words, if your CICS application issues the QUERY SECURITY command, the result is always that access is denied. If you want any other behavior, you must alter the supplied exit program.