An ECI_ERR_SECURITY_ERROR -27 can occur if a user ID is not authorized as a surrogate for the user ID specified on the ECI request.
An ECI_ERR_SECURITY_ERROR -27 security error is issued.
Surrogate checking has been enabled in the EXCI options table DFHXCOPT but the user ID under which the CICS Transaction Gateway is running is not authorized as a surrogate for the user ID specified on the ECI request. The SURROGCHK option in the DFHXCOPT table enables surrogate checking. The default is YES; see Customizing EXCI options. The method used by the CICS® Transaction Gateway to authenticate user ID and password, when AUTH_USERID_PASSWORD is set, changed with Version 5.0. Previously surrogate user checking was not performed even if the SURROGAT option was set in the DFHXCOPT options table on CICS. This change causes ECI requests to fail with a -27 security error if surrogate user checking is enabled and the user ID under which the CICS Transaction Gateway is running is not authorized as a surrogate for the user ID specified on the ECI request.
See the CICS Transaction Server for z/OS® CICS External Interfaces Guide and CICS Transaction Server for z/OS RACF® Security Guide for more information about surrogate user checking.