User authentication is how the system and your application know who is using the program. On the mainframe, users usually sign on to the environment (e.g. TSO, CICS) before running COBOL; security products like RACF handle sign-on and resource protection. Your COBOL program can then use the established user identity for application-level checks. This page explains the layers of authentication and how they relate to COBOL.
Authentication is proving who you are—like showing an ID. On the mainframe, the user signs on with a user ID and password; the system checks them. Once signed on, every program that runs for that user runs "as" that user. The COBOL program can ask "who is the current user?" and then allow or deny certain actions based on that.
Authentication and authorization happen at several levels. The COBOL program sits on top of system and resource security; it does not replace them.
| Layer | Description |
|---|---|
| System sign-on | User logs on to TSO, CICS, etc.; password checked by system/RACF |
| Resource protection | RACF (or equivalent) controls access to datasets, programs, transactions |
| Application checks | COBOL program may check user ID or permissions for business rules |
RACF (Resource Access Control Facility) is IBM's mainframe security product. It manages user IDs, passwords, and who can access which resources (datasets, programs, CICS transactions). The actual sign-on—entering user ID and password—is handled by the system (TSO, CICS, etc.); RACF validates the password and assigns the user identity. Your COBOL program does not usually do the sign-on itself; it runs after the user is already authenticated.
How you get the current user ID depends on the environment. In CICS, the user ID might be in the EIB (Execute Interface Block) or available through a security or user interface. In batch, the job runs under a user ID that might be available via a runtime or API. Your installation may provide a standard way (e.g. a copybook or CALL) to retrieve the user ID. Once you have it, you can store it in a working-storage variable and use it for logging or authorization checks.
12345678910111213*> Conceptual: get user ID from environment (syntax varies by system) *> In CICS you might use EIBTRNID or a security API *> In batch you might get it from a runtime or JCL symbol MOVE SPACES TO WS-USER-ID *> ... call or move from system area to WS-USER-ID ... *> Application-level check: only allow certain users for this function IF WS-USER-ID = 'ADMIN' OR WS-USER-ID = 'SUPER' PERFORM ALLOW-SENSITIVE-ACTION ELSE DISPLAY "Not authorized for this function." PERFORM LOG-UNAUTHORIZED-ATTEMPT END-IF
Even when the system has authenticated the user, your program may need to enforce business rules. For example: only certain user IDs may run a sensitive report, or you may keep an internal table of user IDs and allowed functions. You obtain the user ID (from the environment or communication area), compare it to your rules, and branch accordingly. Avoid storing or comparing passwords in the application; leave password verification to the system and RACF.
WS-USER-ID PIC X(8)) and move the user ID into it at program start.1. Who usually performs the initial sign-on and password check on the mainframe?
2. What is RACF used for in a mainframe environment?