CICS® performs surrogate user checks when you use a START command to start a transaction that is not associated with a terminal.
CICS requires that all the userids associated with the transaction issuing the START are surrogates of the started-userid. CICS also assumes that any userid is always a surrogate of itself. So userids that are the same as started-userid are regarded as surrogates already, and the external security manager is not called for them.
A transaction can be associated with userids that are different from starting-userid when it is using CICS intercommunication, and when it is using EDF in the two-terminal mode.