Surrogate security

A surrogate user has the authority to start work on behalf of another user (the execution user). The execution user is typically a functional user ID. A surrogate user is authorized to act for the execution user without authenticating as that user.

Recommendation: Always enable surrogate security. Without surrogate security, any user can run requests on behalf of any other user. Transaction security can be used in conjunction with trusted applications to ensure that surrogate processing is only used for authorized cases.

The XUSER system initialization parameter and the RACF® SURROGAT class control surrogate security. There are a number of types of surrogate authority, depending on what the surrogate user attempts to do on behalf of the execution user. CICS® issues an authorization request for every eligible situation (see Types of surrogate authority).

Figure 1 shows how surrogate security works for starting transactions. The steps in the diagram are explained in the numbered list that follows.
Figure 1. Surrogate security
  1. A task that runs transaction tranA under the user ID of surrogateUserid issues an EXEC CICS START command to run transaction tranB under the user ID of executionUserid.
  2. CICS calls RACF to check whether surrogateUserid has surrogate authority to start a transaction that runs under user ID executionUserid.
  3. RACF finds a resource profile in the RACF SURROGAT class that matches executionUserid.DFHSTART. See RACF classes and profiles for resources for more information about the RACF resource classes.
  4. RACF finds a group or groups permitted to use that profile and checks whether the surrogateUserid is in that group.
  5. RACF checks that the group has READ access to the executionUserid.DFHSTART profile, which gives it the required surrogate security access.
  6. RACF returns an OK response to CICS.
  7. CICS starts the transaction tranB under user ID executionUserid.

To query a user's surrogate authority, you can use the QUERY SECURITY command with the RESCLASS('SURROGAT') option. For information, see Application-specific security (QUERY SECURITY).

The currently active transaction profile is used for authorization checking. To understand this, see Refreshing profiles for SETROPTS RACLIST processing.

To set up surrogate security:
  • Set the XUSER system initialization parameter. Always have XUSER on.
  • Set up RACF profiles to specify which user is authorized to run as a surrogate.
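As an added example that is not part of this documentation, the following REXX exec issues the RACF commands that implement the second setup step for the DFHSTART scenario of Figure 1, and adds the matching DFHINSTL profile from Table 1 for the region user ID. The execution user ID EXUSER1, the group SURRGRP, the region user ID CICSREG1 and the owner CICSADM are constructed names; XUSER=YES must also be set in the SIT for CICS to perform the check at all.

```rexx
/* REXX - added example, not part of the CICS documentation.          */
/* Defines the RACF SURROGAT profiles behind Figure 1 and Table 1.    */
/* Constructed names: EXUSER1 (execution user ID), SURRGRP (group of  */
/* surrogate user IDs), CICSREG1 (CICS region user ID), CICSADM       */
/* (profile owner).  The CICS side needs XUSER=YES in the SIT.        */

/* Activate the class and hold its profiles in storage (RACLIST).     */
call racf "SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT)"

/* Profile that guards "start a transaction as EXUSER1".              */
/* UACC(NONE): nobody has access unless explicitly permitted.         */
call racf "RDEFINE SURROGAT EXUSER1.DFHSTART UACC(NONE) OWNER(CICSADM)"

/* READ is the access level CICS needs (Figure 1, step 5).            */
call racf "PERMIT EXUSER1.DFHSTART CLASS(SURROGAT) ID(SURRGRP) ACCESS(READ)"

/* Same pattern for the region user ID that installs resources that   */
/* run under EXUSER1 (execution-userID.DFHINSTL row of Table 1).      */
call racf "RDEFINE SURROGAT EXUSER1.DFHINSTL UACC(NONE) OWNER(CICSADM)"
call racf "PERMIT EXUSER1.DFHINSTL CLASS(SURROGAT) ID(CICSREG1) ACCESS(READ)"

/* CICS checks the in-storage (RACLISTed) copy of the profiles, so    */
/* nothing above takes effect until the class is refreshed.           */
call racf "SETROPTS RACLIST(SURROGAT) REFRESH"

/* Verify: show the profile together with its access list.            */
call racf "RLIST SURROGAT EXUSER1.DFHSTART AUTHUSER"
exit 0

/* Issue one RACF command through TSO and stop on the first failure.  */
racf: procedure
  parse arg cmd
  address TSO cmd
  if rc <> 0 then do
    say "Failed (rc=" rc "):" cmd
    exit rc
  end
  return
```

The final RLIST is the check to run after any change: if the group that holds the surrogate user IDs is not in the access list with READ, the START in Figure 1 fails at step 5 even though the profile exists.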

Types of surrogate authority

A surrogate user ID is granted access to perform a specific type of request for an execution user ID by granting access to a profile in the RACF SURROGAT class. Table 1 gives the list of the profiles that apply to CICS and the actions that the surrogate user ID can do with the authority of the execution user ID, if given access to that profile. For information about the different user IDs in CICS, including resources that have user IDs, see How it works: Identification in CICS.
Table 1. Which profile controls what a surrogate user ID can do with the authority of an execution user ID

| Profile in RACF SURROGAT | The surrogate user | What the surrogate user can do |
| --- | --- | --- |
| execution-userID.DFHSTART | Task user ID | Start a transaction running under the execution-userID. This applies to the API commands START, DEFINE PROCESS, and DEFINE ACTIVITY. |
| execution-userID.DFHINSTL | At startup, the CICS region user ID; otherwise, the task user ID that issues a DEFINE, ALTER, or INSTALL command, or issues a SET command that changes the specific user ID | Install or change a resource that has the ability to perform functions under the execution-userID. See How it works: Identification in CICS. |
| default-userID.DFHINSTL | CICS region user ID | Use the CICS default user ID. See Defining the default CICS user ID to RACF. |
| plt-userID.DFHINSTL | CICS region user ID | Allow the PLTPIUSR user ID to run PLT processing. See Surrogate security. |
| execution-userID.DFHEXCI | The batch job's user ID | Run an EXCI call in CICS by using the execution-userID. |
| execution-userID.DFHQUERY | Task user ID | Issue the QUERY SECURITY command on behalf of the execution-userID. |
| execution-userID.SUBMIT | Task user ID | Submit JCL to run a job under the execution-userID. See Security for submitting a JCL job to the internal reader. |
| execution-userID.DFHTERM (6.3 beta) | The user ID that invokes EXEC CICS START TRANSID TERMID | Start a transaction to run under the execution-userID on a terminal occupied by that user ID. |