How are users granted surrogate authority to allow USER=xxxx on batch job cards?

Document ID : KB000013409
Last Modified Date : 14/02/2018
Question:

How are users granted surrogate authority to allow USER=xxxx on batch job cards?

Answer:

To submit a job under another user's ACID via USER= on the job card, the user must be authorized to that ACID. This can be done in 2 ways.
1. Permit the user to the other ACID.
TSS PERMIT(USERA) ACID(USERB)
USERA is now allowed to submit jobs under USERB's ACID.

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/issuing-commands-to-communicate-administrative-requirements/keywords/acid-keywordauthorize-acids

2. Give the user the NOSUBCHK attribute.
TSS ADD(USERA) NOSUBCHK
This allows USERA to submit a batch job using anyone's ACID.
NOSUBCHK is frowned upon by auditors and should be given out sparingly.

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/issuing-commands-to-communicate-administrative-requirements/keywords/nosubchk-keywordbypass-alternate-security-checking

This type of security is called Cross Submit Authorization Checking.