For started transactions, CICS can require as many as three levels of surrogate user. (See Started transactions for details of the different surrogate users that can be required for a START command.)
For started transaction security at the first level, the userid of the transaction that issues the START command must be authorized as a surrogate for the userid specified on the START command.
EXEC CICS START TRANSID('TBAK') USERID('USERID1')
USERID2 must be defined to RACF as a surrogate of USERID1 (with READ
authority). This is illustrated in the following RACF commands:
RDEFINE SURROGAT USERID1.DFHSTART UACC(NONE) OWNER(USERID1)
PERMIT USERID1.DFHSTART CLASS(SURROGAT) ID(USERID2) ACCESS(READ)
For more information about surrogate security, see Querying a user's surrogate authority.