Process and activity user IDs
You can use either the RUN or LINK command to activate a process or activity. The command that you use affects the user ID under which the process or activity runs.
- User IDs for activities activated by RUN commands
- When a process or activity is activated by a RUN command, it might run using
a different user ID than the transaction that issues the RUN.
The application programmer can specify under whose authority a process or activity is to run, when it is activated by a RUN command, by coding the user ID option of the DEFINE PROCESS or DEFINE ACTIVITY command. If the user ID option is omitted, its value defaults to the user ID of the transaction that issues the DEFINE command.
The user ID obtained from the DEFINE command is referred to as the defined_process_userid or the defined_activity_userid. In the remainder of this section, we use the term “defined user ID” to mean either a defined process user ID or a defined activity user ID.
If the user ID option of DEFINE PROCESS or ACTIVITY is specified, CICS® performs (at define time) a surrogate security check to verify that the user ID of the transaction that issued the DEFINE command is authorized to use the defined user ID. The RACF® profile used for surrogate checking of a BTS process or activity is userid.DFHSTART in the SURROGAT class.
The following example RACF commands authorize a user as a surrogate user of a defined process user ID and of a defined activity user ID:
    RDEFINE SURROGAT defined_process_userid.DFHSTART UACC(NONE) OWNER(defined_process_userid)
    PERMIT defined_process_userid.DFHSTART CLASS(SURROGAT) ID(define_process_command_userid) ACCESS(READ)
    RDEFINE SURROGAT defined_activity_userid.DFHSTART UACC(NONE) OWNER(defined_activity_userid)
    PERMIT defined_activity_userid.DFHSTART CLASS(SURROGAT) ID(define_activity_command_userid) ACCESS(READ)
- User IDs for activities activated by LINK commands
- When a process or activity is activated by a LINK command, it runs under the user ID of the transaction that issues the LINK.
Resource-level security checking in a process or activity is based on the user ID under whose authority the process or activity runs, that is, the defined user ID or the user ID of the transaction that issues the LINK command. This user ID must have UPDATE access to the CICS file that corresponds to the process type.
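The rules above, modelled as a small audit over constructed scenarios. This is an added example, not IBM code: it reports which DEFINE commands would fail the surrogate check and which effective user IDs lack UPDATE access to the process-type file. The user IDs, function names and permit tables are hypothetical, and RACF is reduced to plain set lookups (no generic profiles or group access).

```python
# Added illustration: simplified model of the user ID rules described above.
# All user IDs, permits and grants are constructed sample data.
SURROGAT_PERMITS = {"BTSPROC.DFHSTART": {"CLERK1"}}  # profile -> IDs with READ
FILE_UPDATE = {"BTSPROC", "CLERK1"}  # IDs with UPDATE on the process-type file
SCENARIOS = [  # (name, DEFINE issuer, user ID option, command, activator)
    ("run-as-defined", "CLERK1", "BTSPROC", "RUN", "CLERK1"),
    ("unpermitted-surrogate", "CLERK2", "BTSPROC", "RUN", "CLERK2"),
    ("link-by-other-user", "CLERK1", "BTSPROC", "LINK", "CLERK2"),
    ("option-omitted", "CLERK1", None, "RUN", "CLERK1"),
]

def define(issuer, userid_option, permits):
    """Return the defined user ID, or raise if the surrogate check fails."""
    if userid_option is None:
        return issuer  # option omitted: defaults to the DEFINE issuer
    profile = f"{userid_option}.DFHSTART"  # profile in the SURROGAT class
    if issuer not in permits.get(profile, set()):
        raise PermissionError(f"{issuer} lacks READ on SURROGAT {profile}")
    return userid_option

def effective_userid(command, defined_userid, activator):
    """User ID the activated process or activity runs under."""
    if command == "RUN":
        return defined_userid
    if command == "LINK":
        return activator
    raise ValueError(f"unknown activation command: {command}")

def audit(scenarios, permits, file_update):
    """List (scenario, problem) pairs for failing authorization checks."""
    findings = []
    for name, issuer, option, command, activator in scenarios:
        try:
            defined = define(issuer, option, permits)
        except PermissionError as exc:
            findings.append((name, str(exc)))
            continue
        runs_as = effective_userid(command, defined, activator)
        if runs_as not in file_update:
            findings.append((name, f"{runs_as} lacks UPDATE on process-type file"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SCENARIOS, SURROGAT_PERMITS, FILE_UPDATE):
        print(f"{name}: {problem}")
```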