The Sybase TCP/IP listener issues a CICS VERIFY PASSWORD command to validate the user ID and password passed by the client. Then, the listener issues the START TRANSACTION command to start a surrogate transaction, which uses the CICS INQUIRE command to validate the user ID against the RPC request and start the transaction.
The user ID used by the Sybase listener must have sufficient authorization to execute the VERIFY and START TRANSACTION commands. See the appropriate IBM documentation on RACF security for more information.