A surrogate user check is performed to verify that the batch region's user ID is authorized to issue DPL calls for another user (that is, is authorized as a surrogate of the user ID specified on the DPL_Request call).
EXCI client jobs are subject to surrogate user checking if SURROGCHK=YES (the default) is specified in the EXCI options table, DFHXCOPT. If you specify SURROGCHK=YES (or allow it to default), authorize the batch region's user ID as a surrogate of the user ID specified on all DPL_Request calls. This means the batch region's user ID must have READ access to a profile named userid.DFHEXCI in the SURROGAT general resource class (where userid is the user ID specified on the DPL call). For example, the following commands define a surrogate profile for a DPL user ID, and grant READ access to the EXCI batch region's user ID:
RDEFINE SURROGAT userid.DFHEXCI UACC(NONE) OWNER(userid)
PERMIT userid.DFHEXCI CLASS(SURROGAT) ID(batch_region_userid) ACCESS(READ)
If surrogate user checking is enabled (SURROGCHK=YES), but no user ID is specified on the DPL_Request call, no surrogate user check is performed, because the user ID on the DPL_Request call defaults to the batch region's user ID. For this bypass of surrogate user checking to work as intended, ensure that the user ID is correctly omitted on the DPL_Request call, that is, passed as a null pointer. See Example of EXCI CALLs with null parameters for information about the correct way to specify a null pointer when omitting an EXCI call parameter.
If you don't want surrogate user security checking, specify SURROGCHK=NO in the DFHXCOPT options table (note that SURROGCHK=YES is the default).
Surrogate user checking is useful when the batch region's user ID is the same as the CICS® server region user ID, in which case the link security check (see Link security) is bypassed. In this case, a surrogate user check is recommended, because the user ID specified on the DPL_Request call is not an authenticated user ID (no password is passed).
If the batch region's user ID and the CICS region user ID are different, link security checking is enforced. With link security, a non-authenticated user ID passed on a DPL_Request call cannot acquire more authority than that allowed by the link security check. It can acquire only the same, or less, authority than that allowed by the link security check.
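The following is an added example, not IBM code: a Python model of the DPL_Request authorization rules described above (SURROGCHK setting, omitted user ID, the userid.DFHEXCI SURROGAT profile, and the link security bypass when the batch and CICS region user IDs match). On z/OS these decisions are made by CICS and RACF; the RacfStandIn class, the user IDs BATCHJ, CICSRGN, DPLUSR1 and DPLUSR2, and the sample profile data are constructed for illustration.

```python
# Added example, not IBM code: a model of the DPL_Request authorization rules
# described above. On z/OS these decisions are made by CICS and RACF; this
# stand-in only encodes the rules from the text, over constructed sample data.
from dataclasses import dataclass, field


@dataclass
class RacfStandIn:
    """Constructed stand-in for RACF: SURROGAT profile -> user IDs with READ."""
    surrogat: dict = field(default_factory=dict)

    def has_read(self, userid, profile):
        return userid in self.surrogat.get(profile, set())


def dpl_request_checks(racf, batch_userid, cics_region_userid,
                       dpl_userid=None, surrogchk="YES"):
    """Return (allowed, effective_userid, reasons) for one DPL_Request.
    dpl_userid=None models a correctly omitted (null pointer) user ID,
    which defaults to the batch region's user ID."""
    reasons = []
    effective = dpl_userid if dpl_userid is not None else batch_userid

    # Surrogate check: only when enabled and a user ID was actually supplied.
    if surrogchk.upper() == "NO":
        reasons.append("surrogate check disabled: SURROGCHK=NO in DFHXCOPT")
    elif dpl_userid is None:
        reasons.append("no user ID on DPL_Request: defaults to batch user, no check")
    else:
        profile = f"{dpl_userid}.DFHEXCI"  # profile in the SURROGAT class
        if not racf.has_read(batch_userid, profile):
            reasons.append(f"surrogate check failed: {batch_userid} lacks READ on {profile}")
            return False, effective, reasons
        reasons.append(f"surrogate check passed: {batch_userid} has READ on {profile}")

    # Link security is enforced only when the two region user IDs differ.
    if batch_userid != cics_region_userid:
        reasons.append("link security enforced: DPL user cannot exceed link authority")
    else:
        reasons.append("link security bypassed: batch and CICS region user IDs match")
        if surrogchk.upper() == "NO" and dpl_userid is not None:
            reasons.append("WARNING: unauthenticated user ID accepted with no check at all")
    return True, effective, reasons


# Constructed sample state: batch region BATCHJ is a surrogate of DPLUSR1 only.
SAMPLE_RACF = RacfStandIn(surrogat={"DPLUSR1.DFHEXCI": {"BATCHJ"}})

# A DPL user ID that BATCHJ is not authorized to act for is rejected.
print(dpl_request_checks(SAMPLE_RACF, "BATCHJ", "BATCHJ", "DPLUSR2"))
```

The WARNING reason marks the combination the text recommends against: SURROGCHK=NO with matching region user IDs, where the unauthenticated DPL user ID is accepted without either check.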
For more information about CICS security, see the CICS RACF Security Guide.