RACF definitions for surrogate user checking

To enable CICS® surrogate user checking, you define the appropriate SURROGAT class profiles for CICS in the RACF® database and you authorize CICS surrogate users to the appropriate SURROGAT profiles.

You can define three forms of surrogate class profile names for CICS surrogate user checking. The names of these SURROGAT class profiles must conform to the following naming conventions:
userid.DFHSTART
userid represents one of the following:
  • The user ID under which a started transaction is to run
  • The user ID associated with a CICS business transaction services (BTS) process or activity that is started by a RUN command
userid.DFHINSTL
userid represents one of the following:
  • The PLT user ID specified on the PLTPIUSR system initialization parameter
  • The user ID associated with a trigger-level transaction
  • The CICS default user ID specified on the DFLTUSER system initialization parameter
  • The user ID specified for preset terminal security
  • The user ID specified on the AUTHID or COMAUTHID parameter of a Db2® resource definition
  • The user ID supplied on the USERID attribute of URIMAP resource definitions
  • The user ID supplied on the transaction user ID of an event processing transaction start adapter.

The DFHINSTL form also covers connections that are created dynamically: if the user ID that is associated with a task issuing either a CREATE IPCONN or CREATE CONNECTION command is not an authorized surrogate of the user ID specified in the SECURITYNAME option, the command fails with a NOTAUTH error.

userid.DFHQUERY
userid represents the user ID of the user whose access to a resource is to be queried.

You can also define a form of surrogate class profile for external CICS interface (EXCI) security checking:

userid.DFHEXCI
userid represents the user specified on the DPL call in the client batch region.

To authorize a surrogate to this EXCI profile, grant the user ID of the EXCI batch region READ access.

Surrogate security checks in an EXCI batch region are independent of the security definitions in the target CICS region. If SURROGCHK=YES is specified in the EXCI options table (DFHXCOPT), the surrogate check is performed in the EXCI client program's address space, against the userid.DFHEXCI profile, regardless of the security settings of the target CICS region (for example, its SEC and XUSER system initialization parameters).

To authorize a surrogate user to one of these profiles, you must grant READ access.

You do not need to define a user as its own surrogate: if the user ID to be checked is the same as the user ID of the task making the request, CICS bypasses the surrogate check.
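The following batch TSO job is an added example, not part of the CICS documentation, showing how the DFHSTART, DFHINSTL and DFHEXCI profiles described above are defined and authorized with RACF commands. Every user ID and group name in it is hypothetical: CICSREG is the CICS region user ID, PLTUSER is the user ID named on PLTPIUSR, BATCHUSR is the user ID named on a START USERID option and on an EXCI DPL call, EXCIJOB is the user ID under which the EXCI client batch job runs, CICSOPS is a group of terminal users, and CICSADM is the owning group.

```jcl
//RACFSURR JOB (ACCT),'DEFINE SURROGAT',CLASS=A,MSGCLASS=X
//* Added example; not from the CICS documentation.
//* Hypothetical names: CICSREG (CICS region user ID), PLTUSER (PLTPIUSR),
//* BATCHUSR (user ID on START USERID and on an EXCI DPL call),
//* EXCIJOB (EXCI client batch job user ID), CICSOPS (terminal user group),
//* CICSADM (owning group).
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Activate the SURROGAT class, RACLIST it so checks are served    */
  /* from storage, and allow generic profiles in it.                 */
  SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT) GENERIC(SURROGAT)

  /* userid.DFHSTART: a task issuing EXEC CICS START ... USERID(BATCHUSR) */
  /* must run under a user ID with READ access to BATCHUSR.DFHSTART.     */
  RDEFINE SURROGAT BATCHUSR.DFHSTART UACC(NONE) OWNER(CICSADM)
  PERMIT  BATCHUSR.DFHSTART CLASS(SURROGAT) ID(CICSOPS) ACCESS(READ)

  /* userid.DFHINSTL: the CICS region user ID is checked as a surrogate */
  /* of the PLT user ID, so CICSREG needs READ to PLTUSER.DFHINSTL.     */
  RDEFINE SURROGAT PLTUSER.DFHINSTL UACC(NONE) OWNER(CICSADM)
  PERMIT  PLTUSER.DFHINSTL CLASS(SURROGAT) ID(CICSREG) ACCESS(READ)

  /* userid.DFHEXCI: the EXCI batch region's user ID needs READ to the  */
  /* profile of the user ID it names on the DPL call.                   */
  RDEFINE SURROGAT BATCHUSR.DFHEXCI UACC(NONE) OWNER(CICSADM)
  PERMIT  BATCHUSR.DFHEXCI CLASS(SURROGAT) ID(EXCIJOB) ACCESS(READ)

  /* Deliberately absent: a generic *.DFHSTART or *.DFHINSTL profile    */
  /* with UACC(READ), which would let any user act under any user ID.   */

  /* Refresh the in-storage copy so the new profiles take effect, then  */
  /* list each profile with its access list to verify the result.       */
  SETROPTS RACLIST(SURROGAT) REFRESH
  RLIST SURROGAT (BATCHUSR.DFHSTART PLTUSER.DFHINSTL BATCHUSR.DFHEXCI) +
        AUTHUSER
/*
```

Two points to check after running a job like this. First, the RLIST output should show each profile with UACC(NONE) and only the intended surrogate in its access list; any profile with UACC(READ), or a broad generic such as *.DFHSTART, defeats the purpose of the check. Second, the profiles only take effect in CICS if surrogate user checking is turned on with the XUSER system initialization parameter (XUSER=YES), and the EXCI check only runs if SURROGCHK=YES is set in DFHXCOPT; without the matching setting the profile is never consulted.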

The z/OS Security Server RACF Security Administrator's Guide gives more information about defining surrogate resource classes. Refer to it if you need to use RACF facilities such as generic resource classes or RACFVARS profiles to help make many RACF definitions.