Controlling Impersonation Behavior

To control user impersonation in the machine.config file, you enable or disable the following impersonation settings:

You enable or disable these options in conjunction with each other to set the configuration that you want. The four combinations available are detailed below:

impersonateUsers False, impersonateDefaultUser False

This is the default setting. All code runs under the user account that started the session.

impersonateUsers False, impersonateDefaultUser True

Sessions always run under the default user account. EXEC CICS SIGNON verifies user credentials, but does not change the session's impersonation identity.

This setting is useful when you want to run all application code under a reduced-privilege account and switching identities is not necessary.

impersonateUsers True, impersonateDefaultUser True

Impersonation is fully enabled, and sessions run under the default user account. EXEC CICS SIGNON changes the user account to the logged-on user account.

impersonateUsers True, impersonateDefaultUser False

Sessions run under the user account that started the session. EXEC CICS SIGNON changes the user account to the logged-on user account.

This configuration is useful for testing user-based security or if only some applications need to run under a special account.