Or if you don't want the users to have surrogate. Create a STC for the CICS that then submits the CICS job. Then only the STC needs to have surrogate access to the CICS userid, or if the same id, just let it inherit it. The users only need authority to issue the S cicsname.
Richard McIntosh Oracle/Cerner -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Shaffer, Terri Sent: Tuesday, September 20, 2022 6:53 PM To: [email protected] Subject: Re: Racf userid - CICS started as a job Thanks, that's probably the simplest way.. Awesome Ms Terri E Shaffer Senior Systems Engineer, z/OS Support: ACIWorldwide - Telecommuter H(412-766-2697) C(412-519-2592) [email protected] -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Lennie Dymoke-Bradshaw Sent: Tuesday, September 20, 2022 7:42 PM To: [email protected] Subject: Re: Racf userid - CICS started as a job EXTERNAL EMAIL: Do not click links or open attachments unless you know the content is safe. Why not code the userid on the Jobcard and then give the users who submit the job READ access to the SURROGAT profile for the userid? https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ibm.com%2Fdocs%2Fen%2Fzos%2F2.5.0%3Ftopic%3Dsubmitted-allowing-surrogate-job-submission&data=05%7C01%7CRICHARD.MCINTOSH%40CERNER.COM%7C97940b24b7ce466a230708da9b634f50%7Cfbc493a80d244454a815f4ca58e8c09d%7C0%7C0%7C637993148095173213%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=imgm42x%2BHmQIl6w9PcHevy0JiUyxxPgHA7mtwCBb034%3D&reserved=0 Lennie Dymoke-Bradshaw https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Frsclweb.com%2F&data=05%7C01%7CRICHARD.MCINTOSH%40CERNER.COM%7C97940b24b7ce466a230708da9b634f50%7Cfbc493a80d244454a815f4ca58e8c09d%7C0%7C0%7C637993148095173213%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=dTctyfJ8WIw2Fi0vCSsB13x32RHgz0yeQ3z00voJS3E%3D&reserved=0 'Dance like no one is watching. Encrypt like everyone is.' -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Shaffer, Terri Sent: 21 September 2022 00:27 To: [email protected] Subject: Racf userid - CICS started as a job Hi, I am asking this in the main forum hopefully it will be a simple answer, that I just don't see. So I have lots of experience setting up RACF STARTED class with STDATA so that started tasks run under a certain userid. Here we run our CICS's as jobs, since we are a development company, the programmers, can start/stop their CICS's when they need to. We are doing WEB pipeline development and I setup the directory structure for the CICSDFLT userid and the group is everyone else. If a batch job submits/starts CICS the CICS userid is picked up and everything works great. If the user needs to recycle the region its picking up their userid and then the CICS gets access issues. Is there a way to force it to use the DFLTUSER for batch jobs like I can setup for started tasks? I think I could use user=DFLTUSER on the jobcard, but then I would have to setup those userids as RESTRICTED, because no password. There is a small security risk with this, but these userids don't have TSO Segments, so its a limited exposure. Is there any other way to set this up? Besides as STC's. Ms Terri E Shaffer Senior Systems Engineer, z/OS Support: ACIWorldwide - Telecommuter H(412-766-2697) C(412-519-2592) [email protected] ________________________________ [https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgo.aciworldwide.com%2Frs%2F030-ROK-804%2Fimages%2Faci-footer.jpg&data=05%7C01%7CRICHARD.MCINTOSH%40CERNER.COM%7C97940b24b7ce466a230708da9b634f50%7Cfbc493a80d244454a815f4ca58e8c09d%7C0%7C0%7C637993148095173213%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=M4ch6xkDUEhvN78VHTJ6dIdPjtd4O4QK0NRBzDAo%2BWc%3D&reserved=0] <https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.aciworldwide.com%2F&data=05%7C01%7CRICHARD.MCINTOSH%40CERNER.COM%7C97940b24b7ce466a230708da9b634f50%7Cfbc493a80d244454a815f4ca58e8c09d%7C0%7C0%7C637993148095173213%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=S9pz3VH65fB3tBH7oDqohHHr8%2F6BNmwk38LKe8TTkxw%3D&reserved=0> This email message and any attachments may contain confidential, proprietary or non-public information. The information is intended solely for the designated recipient(s). If an addressing or transmission error has misdirected this email, please notify the sender immediately and destroy this email. Any review, dissemination, use or reliance upon this information by unintended recipients is prohibited. Any opinions expressed in this email are those of the author personally. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ________________________________ [https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgo.aciworldwide.com%2Frs%2F030-ROK-804%2Fimages%2Faci-footer.jpg&data=05%7C01%7CRICHARD.MCINTOSH%40CERNER.COM%7C97940b24b7ce466a230708da9b634f50%7Cfbc493a80d244454a815f4ca58e8c09d%7C0%7C0%7C637993148095173213%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=M4ch6xkDUEhvN78VHTJ6dIdPjtd4O4QK0NRBzDAo%2BWc%3D&reserved=0] <https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.aciworldwide.com%2F&data=05%7C01%7CRICHARD.MCINTOSH%40CERNER.COM%7C97940b24b7ce466a230708da9b634f50%7Cfbc493a80d244454a815f4ca58e8c09d%7C0%7C0%7C637993148095173213%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=S9pz3VH65fB3tBH7oDqohHHr8%2F6BNmwk38LKe8TTkxw%3D&reserved=0> This email message and any attachments may contain confidential, proprietary or non-public information. The information is intended solely for the designated recipient(s). If an addressing or transmission error has misdirected this email, please notify the sender immediately and destroy this email. Any review, dissemination, use or reliance upon this information by unintended recipients is prohibited. Any opinions expressed in this email are those of the author personally. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN CONFIDENTIALITY NOTICE This message and any included attachments are from Cerner Corporation and are intended only for the addressee. The information contained in this message is confidential and may constitute inside or non-public information under international, federal, or state securities laws. Unauthorized forwarding, printing, copying, distribution, or use of such information is strictly prohibited and may be unlawful. If you are not the addressee, please promptly delete this message and notify the sender of the delivery error by e-mail or you may call Cerner's corporate offices in Kansas City, Missouri, U.S.A at (+1) (816)221-1024. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
