Controlling userid propagation

Jobs submitted from CICS® to the JES internal reader without the USER operand being specified on the JOB statement run under the CICS region user ID. These jobs have the access authorities of the CICS region itself, and so could potentially expose other data sets in the MVS™ system.

You (or the RACF® security administrator) can prevent the CICS region user ID from being propagated to these batch jobs by defining a profile in the PROPCNTL class where the profile name is the CICS regions user ID. For example, if the CICS region userID is CICS1, define a PROPCNTL profile named CICS1:
RDEFINE  PROPCNTL  CICS1
The PROPCNTL class must be activated using RACLIST for this protection to be in effect:
SETROPTS CLASSACT(PROPCNTL) RACLIST(PROPCNTL)
If the PROPCNTL class is already active, refresh the in-storage PROPCNTL profiles with the SETROPTS command:
SETROPTS RACLIST(PROPCNTL) REFRESH

You (or the RACF security administrator) must issue the SETROPTS command to refresh these profiles. Issuing the CICS PERFORM SECURITY REBUILD command does not affect the PROPCNTL class.