Surrogate user checking

A surrogate user check is performed to verify that the batch region's user ID is authorized to issue DPL calls for another user (that is, is authorized as a surrogate of the user ID specified on the DPL_Request call).

EXCI client jobs are subject to surrogate user checking. You must authorize the batch region's user ID as a surrogate of the user ID specified on all DPL_Request calls. This means the batch region's user ID must have READ access to a profile named execution_userid.DFHEXCI in the SURROGAT general resource class (where execution_userid is the user ID specified on the DPL call). For example, the following commands define a surrogate profile for a DPL user ID, and grant READ access to the EXCI batch region:

RDEFINE SURROGAT execution_userid.DFHEXCI UACC(NONE)
PERMIT execution_userid.DFHEXCI CLASS(SURROGAT) ID(batch_region_userid) ACCESS(READ)
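
The same definition as an added example (not part of the original documentation), entered at a TSO prompt with constructed user IDs: EXCIBAT1 for the batch region and DPLUSER1 for the user ID on the DPL_Request call. The SETROPTS, RLIST and SEARCH steps are additions that this page does not state; they activate and verify the profile.

```tso
 /* Constructed IDs: EXCIBAT1 = EXCI batch region user ID,           */
 /*                  DPLUSER1 = user ID passed on DPL_Request        */

 /* 1. Confirm that the SURROGAT class is active                     */
 /*    (it should appear in the ACTIVE CLASSES list).                */
SETROPTS LIST

 /* 2. Define the profile with no default access, then grant READ    */
 /*    only to the batch region. UACC(READ) here would let every     */
 /*    user ID pass the surrogate check for DPLUSER1.                */
RDEFINE SURROGAT DPLUSER1.DFHEXCI UACC(NONE)
PERMIT DPLUSER1.DFHEXCI CLASS(SURROGAT) ID(EXCIBAT1) ACCESS(READ)

 /* 3. If SURROGAT is RACLISTed, refresh the in-storage profiles     */
 /*    so that the new profile and permit take effect.               */
SETROPTS RACLIST(SURROGAT) REFRESH

 /* 4. Verify: universal access should be NONE and the access list   */
 /*    should contain only the intended batch region user ID.        */
RLIST SURROGAT DPLUSER1.DFHEXCI AUTHUSER

 /* 5. List the SURROGAT profiles whose names end in .DFHEXCI so     */
 /*    that broadly scoped ones can be reviewed.                     */
SEARCH CLASS(SURROGAT) FILTER(*.DFHEXCI)
```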

If no user ID is specified on the DPL_Request call, no surrogate user check is performed because the user ID on the DPL_Request call defaults to the batch region's user ID. For this bypass of surrogate user checking to be successful, ensure that you have correctly omitted the user ID on the DPL_Request call. See the example of EXCI CALLs with null parameters in The EXCI CALL interface for the correct way to specify a null pointer when omitting an EXCI call parameter.

If the batch region's user ID and the CICS® region user ID are different, link security checking is enforced. With link security, a non-authenticated user ID passed on a DPL_Request call cannot acquire more authority than that allowed by the link security check. It can acquire only the same, or less, authority than that allowed by the link security check.

For more information about CICS security, see Securing.