Situations where surrogate user checking applies

A surrogate user is a user who has the authority to start work on behalf of another user, and who is authorized to act for that user without knowing that user's password. To enable surrogate user checking, XUSER=YES must be specified as a system initialization parameter.

CICS® performs surrogate user security checking in a number of situations, using the surrogate user facility of an external security manager (ESM) such as RACF®. If surrogate user checking is in force, it applies to the following items:
  • The CICS default user
  • PLT post-initialization processing
  • Preset terminal security
  • Started transactions
  • The user ID associated with a CICS business transaction services (BTS) process or activity that is started by a RUN command
  • The user ID associated with a transient data destination
  • The user ID supplied as a parameter on an EXCI call
  • The user ID supplied on the AUTHID and COMAUTHID attributes of the DB2CONN and DB2ENTRY resource definitions
  • The user ID supplied on the USERID attribute of URIMAP resource definitions
  • The user ID supplied on the transaction user ID of an event processing transaction start adapter
  • A CICSPlex® SM MAS agent started with the COLM transaction
  • A CICSPlex SM local MAS agent started with the CORM transaction
  • The user IDs involved in JCL job submissions to the JES internal reader
Note: When you use the CICSPlex SM interface to install a resource definition that is subject to surrogate user security, the surrogate user that is checked by CICS is the user ID that started the CICSPlex SM agent in the region where the resource is installed.
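
The following RACF commands are an added example, not part of the original documentation. They show how surrogate authority might be granted for two of the situations listed above: started transactions and PLT post-initialization processing. The user IDs APPUSR1, TXNUSR1, PLTUSR1 and CICSRGN1 are constructed placeholders. The example assumes that the SURROGAT class is already RACLISTed and that CICS checks the SURROGAT profiles userid.DFHSTART and userid.DFHINSTL for these two situations.

```racf
/* Constructed example. All user IDs are placeholders:                */
/*   APPUSR1  - user ID under which the started transaction runs      */
/*   TXNUSR1  - user ID that issues the START and acts as surrogate   */
/*   PLTUSR1  - user ID under which PLT programs run                  */
/*   CICSRGN1 - CICS region user ID, surrogate for PLTUSR1            */

/* Activate the general resource class that holds surrogate profiles. */
SETROPTS CLASSACT(SURROGAT)

/* Started transactions: the profile is named target-userid.DFHSTART. */
/* UACC(NONE) denies surrogate use to anyone not explicitly permitted. */
RDEFINE SURROGAT APPUSR1.DFHSTART UACC(NONE) OWNER(APPUSR1)
PERMIT APPUSR1.DFHSTART CLASS(SURROGAT) ID(TXNUSR1) ACCESS(READ)

/* PLT post-initialization: the profile is named target-userid.DFHINSTL */
/* and the surrogate is the CICS region user ID.                       */
RDEFINE SURROGAT PLTUSR1.DFHINSTL UACC(NONE) OWNER(PLTUSR1)
PERMIT PLTUSR1.DFHINSTL CLASS(SURROGAT) ID(CICSRGN1) ACCESS(READ)

/* Assumption: SURROGAT is already RACLISTed, so refresh the in-storage */
/* profiles for the changes to take effect.                            */
SETROPTS RACLIST(SURROGAT) REFRESH

/* Review who holds surrogate authority for each target user ID.      */
RLIST SURROGAT APPUSR1.DFHSTART AUTHUSER
RLIST SURROGAT PLTUSR1.DFHINSTL AUTHUSER
```

Each profile names the user being acted for, and the access list names the users allowed to act as surrogate, so reviewing the RLIST output per target user ID shows exactly who can start work under that identity without its password.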