The CICS web service infrastructure maps the authenticated identity (from the API gateway header or client certificate) to a RACF user ID. The COBOL program runs under this mapped user ID, inheriting the user's RACF permissions for DB2, VSAM, and other resources.