Surrogate user checking for EXCI

EXCI client jobs are subject to surrogate user checking (see Surrogate security). You must authorize the batch region's user ID as a surrogate of the user ID specified on all DPL_Request calls. This configuration means that the batch region's user ID must have READ access to a profile named execution-userid.DFHEXCI in the RACF SURROGAT general resource class (where execution-userid is the user ID that is specified on the DPL call).

For example, the following commands define a surrogate profile for a DPL user ID and grant the EXCI batch region's user ID READ access to it:
RDEFINE SURROGAT execution-userid.DFHEXCI UACC(NONE)
PERMIT execution-userid.DFHEXCI CLASS(SURROGAT) ID(batch-region-userid) ACCESS(READ)

If no user ID is specified on the DPL_Request call, no surrogate user check is performed because the user ID on the DPL_Request call defaults to the batch region's user ID. For this bypass of surrogate user checking to be successful, ensure that you have correctly omitted the user ID on the DPL_Request call. See the example of EXCI CALLs with null parameters in The EXCI CALL interface for the correct way to specify a null pointer when you omit an EXCI call parameter.
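The following is an added Python model of the surrogate check described above (it is not CICS or RACF code). It builds the execution-userid.DFHEXCI profile name, applies the "omitted user ID defaults to the batch region's user ID, so no check" rule, and requires READ or higher on the profile. The SurrogatProfile structure, the user IDs, and the rule that a missing profile is treated as a denial are assumptions made for this illustration; real RACF authorization also involves group permits, generic profiles and WARNING mode, which this model omits.

```python
from dataclasses import dataclass, field

# RACF access levels in ascending order of authority.
ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class SurrogatProfile:
    """Constructed model of one profile in the SURROGAT general resource class."""
    uacc: str = "NONE"                                  # UACC(...) on RDEFINE
    permits: dict = field(default_factory=dict)         # user ID -> ACCESS(...) from PERMIT


def access_for(profile, user_id):
    """Effective access for a user ID: an explicit PERMIT wins, otherwise UACC applies."""
    return profile.permits.get(user_id.upper(), profile.uacc)


def surrogate_check(batch_region_userid, dpl_userid, surrogat_class):
    """Return (passed, reason) for an EXCI DPL_Request surrogate check.

    surrogat_class maps profile name -> SurrogatProfile.
    """
    # Omitted user ID: the DPL user ID defaults to the batch region's own
    # user ID, so no surrogate check is performed.
    if dpl_userid is None:
        return True, "no user ID on DPL_Request; defaults to batch region user ID"
    profile_name = f"{dpl_userid.upper()}.DFHEXCI"
    profile = surrogat_class.get(profile_name)
    if profile is None:
        # Assumption for this model: no covering profile means the check fails.
        return False, f"no SURROGAT profile {profile_name}"
    level = access_for(profile, batch_region_userid)
    if ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index("READ"):
        return True, f"{batch_region_userid} has {level} on {profile_name}"
    return False, f"{batch_region_userid} has {level} on {profile_name}; READ required"


def demo():
    """Sample SURROGAT class built from the RDEFINE/PERMIT pair above (constructed values)."""
    surrogat = {"PAYUSER.DFHEXCI": SurrogatProfile(uacc="NONE", permits={"BATCHJOB": "READ"})}
    cases = [("BATCHJOB", "PAYUSER"), ("OTHERJOB", "PAYUSER"),
             ("OTHERJOB", None), ("BATCHJOB", "HRUSER")]
    return [(batch, dpl, surrogate_check(batch, dpl, surrogat)) for batch, dpl in cases]


if __name__ == "__main__":
    for batch, dpl, (ok, why) in demo():
        print(f"{batch:9} -> {str(dpl):8} {'PASS' if ok else 'FAIL'}: {why}")
```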

If the batch region user ID and the CICS® region user ID are different, link security checking is enforced. With link security, a nonauthenticated user ID passed on a DPL_Request call can acquire at most the authority allowed by the link security check, never more.

For more information about CICS security, see CICS TS security.