To enable CICS® surrogate user checking:
- Define the appropriate SURROGAT class profiles for CICS in the RACF® database.
- Authorize CICS surrogate users to the appropriate SURROGAT profiles.
There are two forms of surrogate class profile names that you can define
for CICS surrogate user checking. The names of these SURROGAT class profiles
must conform to the following naming conventions:
- userid.DFHSTART
  userid represents one of the following:
  - The userid under which a started transaction is to run
  - The userid associated with a CICS business transaction services (BTS) process or activity that is started by a RUN command
- userid.DFHINSTL
  userid represents one of the following:
  - The PLT userid specified on the PLTPIUSR system initialization parameter
  - The userid associated with a trigger-level transaction
  - The CICS default userid specified on the DFLTUSER system initialization parameter
  - The userid specified for preset terminal security
  - The userid specified on the AUTHID or COMAUTHID parameter of a DB2® resource definition.
There is also a form of surrogate class profile that you can define for external CICS interface (EXCI) security checking:
- userid.DFHEXCI
  userid represents the user specified on the DPL call in the client batch region. To authorize a surrogate to this EXCI profile, grant the EXCI batch region's userid READ access.

Note that surrogate security checks in an EXCI batch region are independent of security definitions in the target CICS region. If SURROGCHK is specified in the EXCI options table (DFHXCOPT), surrogate security checks are performed in the EXCI client program's address space regardless of the CICS security settings.
To authorize a surrogate user to one of these profiles, you must grant
READ access.
You do not need to define a user as that user's own surrogate. CICS bypasses
the surrogate check in this case.
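As an added illustration (not part of the original documentation), the following RACF TSO commands define one profile of each form described above and grant READ access to a surrogate. All user IDs (STRTUSR, TERMUSR, PLTUSER, CICSRGN, DPLUSER, EXCIBAT) are constructed placeholders, and the choice of which userid acts as surrogate for the DFHSTART and DFHINSTL profiles is an assumption to adapt to your installation.

```tso
 /* Added example. All user IDs are constructed placeholders.       */
 /* Activate the SURROGAT class if it is not already active.        */
SETROPTS CLASSACT(SURROGAT)

 /* userid.DFHSTART: STRTUSR is the userid a started transaction    */
 /* runs under. TERMUSR (assumed: the user who issues the START)    */
 /* is authorized as its surrogate.                                 */
RDEFINE SURROGAT STRTUSR.DFHSTART UACC(NONE)
PERMIT STRTUSR.DFHSTART CLASS(SURROGAT) ID(TERMUSR) ACCESS(READ)

 /* userid.DFHINSTL: PLTUSER is the userid named on PLTPIUSR.       */
 /* CICSRGN (assumed: the CICS region userid) is authorized as      */
 /* its surrogate.                                                  */
RDEFINE SURROGAT PLTUSER.DFHINSTL UACC(NONE)
PERMIT PLTUSER.DFHINSTL CLASS(SURROGAT) ID(CICSRGN) ACCESS(READ)

 /* userid.DFHEXCI: DPLUSER is the user specified on the DPL call.  */
 /* EXCIBAT is the EXCI batch region's userid, which needs READ.    */
RDEFINE SURROGAT DPLUSER.DFHEXCI UACC(NONE)
PERMIT DPLUSER.DFHEXCI CLASS(SURROGAT) ID(EXCIBAT) ACCESS(READ)

 /* If the SURROGAT class is RACLISTed, refresh the in-storage      */
 /* profiles so the changes take effect.                            */
SETROPTS RACLIST(SURROGAT) REFRESH

 /* Review who is on each access list. Anything above READ, or a    */
 /* UACC other than NONE, widens who can act as these userids.      */
RLIST SURROGAT STRTUSR.DFHSTART AUTHUSER
RLIST SURROGAT PLTUSER.DFHINSTL AUTHUSER
RLIST SURROGAT DPLUSER.DFHEXCI AUTHUSER
```

Defining each profile with UACC(NONE) keeps the surrogate relationship limited to the userids explicitly permitted.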
The z/OS Security Server RACF Security Administrator's Guide gives
more information about defining surrogate resource classes. Refer to it if
you need to use RACF facilities such as generic resource classes or RACFVARS profiles to help with making many RACF definitions.