When a transaction is started by an EXEC CICS® START request that is issued from a remote system, the request is handled as a function-shipping request. Therefore, the security checks that are applied before the transaction is invoked are run against the RSL keys that are defined for that transaction. These security checks, in addition to the user ID that is established for the request, are done in accordance with the normal inbound security rules, as described in Link security and user security compared.
When the transaction is scheduled, it is handled as a local request; that is, no consideration is given to the security of the link. The TSL keys are checked only against the TSL keys that are defined for the user ID, and future accesses to resources are granted to the transaction as if it were a local transaction.
It is important to consider the security of remote EXEC CICS START requests when planning intersystem security for your region. In particular, check whether the RSL keys are at least as restrictive as are the TSL keys for your transactions. The only time when this consideration does not apply is when the user ID that is used for an incoming request can always be guaranteed to have no greater security than the security that is associated with the link for that request. For example, this condition applies when a region always uses link security with a link user ID specified.