To control user impersonation in the machine.config file, you enable or disable the following impersonation settings:
You enable or disable these options in conjunction with each other to set the configuration that you want. The four combinations available are detailed below:
Sessions always run under the default user account. EXEC CICS SIGNON verifies user credentials, but does not change the session's impersonation identity.
This setting is useful when you want to run all application code under a reduced-privilege account and stitching identities it is not necessary.
Impersonation is fully enabled, and sessions run under the default user account. EXEC CICS SIGNON changes the user account to the logged on user account.
Sessions run under the user account that started the session. EXEC CICS SIGNON changes the user account to the logged on user account.
This configuration is useful for testing user-based security or if only some applications need to run under a special account.