How can you allow a user to issue the OMVS SU command to switch to a specific user who is a SUPERUSER (UID(0)) without giving the user access to BPX.SUPERUSER FACILITY resource which allows a user to SU to any SUPERUSER?

Document ID : KB000026785
Last Modified Date : 14/02/2018

Question:  

How can you allow a user to issue the OMVS SU command to switch to a specific user who is a SUPERUSER (UID(0)) without giving the user access to BPX.SUPERUSER FACILITY resource which allows a user to SU to any SUPERUSER?

Answer: 

You can give a user read access to the SURROGAT class resource BPX.SRV.uuuuuuuu (where uuuuuuuu is the MVS userid associated with the target UID).

Without a rule, the user must enter the target user's password when prompted. If a target user ID is specified and the user has read access to the SURROGAT class resource for that target user, the user can use the -s option, or simply press Enter at the password prompt.

The SURROGAT resource class will allow a user to SU to another specific logonid.

For example, to allow user USER102 to switch to userid USER02, do the following.

  1. Code the SURROGAT rule:

    $KEY(BPX.SRV.USER02) TYPE(SUR)
    UID(USER102) ALLOW SERVICE(READ)

    (Note: this sample rule assumes you have not modified the CLASMAP record for the SURROGAT resource class, so that it still maps to TYPE(SUR).)

  2. Logon with USER102.

  3. From OMVS issue command
    su -s USER02

    USER102 has now temporarily switched to USER02's UID.
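The difference between the per-target SURROGAT rule above and the blanket BPX.SUPERUSER FACILITY resource is one of scope. The following is an added example, not ACF2 code and not from this article: it is a simplified Python model of the two authorization paths described here (a SURROGAT rule for BPX.SRV.<target> versus BPX.SUPERUSER), run over a constructed user table. USER03 and USER200 are hypothetical users added for the comparison; only USER02 and USER102 come from the article. The real ACF2/SAF validation path, UID-string masking, and CLASMAP handling are not reproduced.

```python
"""Simplified model of the su authorization choice described in this article.

Constructed example (not ACF2 code, and not the real SAF/ACF2 validation
path): it models the two ways the article describes for reaching a UID(0)
user, so the difference in scope can be checked on a small user table.
"""
from dataclasses import dataclass

# Constructed user table: MVS userid -> OMVS UID. USER02 and USER03 are UID(0).
# USER03 and USER200 are hypothetical; only USER02 and USER102 are from the article.
OMVS_UIDS = {"USER02": 0, "USER03": 0, "USER102": 1002, "USER200": 1200}


@dataclass(frozen=True)
class Rule:
    """One permission line, simplified: class, resource key, logonid, service."""
    resource_class: str   # "SURROGAT" (TYPE(SUR)) or "FACILITY"
    key: str              # e.g. "BPX.SRV.USER02" or "BPX.SUPERUSER"
    logonid: str          # logonid the ALLOW applies to (ACF2 UID string simplified)
    service: str = "READ"


def has_access(rules, logonid, resource_class, key, service="READ"):
    """True if some rule grants `logonid` `service` on the given class/key."""
    return any(
        r.resource_class == resource_class and r.key == key
        and r.logonid == logonid and r.service == service
        for r in rules
    )


def su_decision(requester, target, rules):
    """Decide how `su -s target` issued by `requester` would be handled.

    Returns one of:
      "surrogat"  - allowed via SURROGAT BPX.SRV.<target> (no password needed)
      "superuser" - allowed via FACILITY BPX.SUPERUSER, target is UID(0)
      "password"  - no rule applies; the target user's password is required
    The ordering and the return values are this model's own, not ACF2 behaviour.
    """
    if target not in OMVS_UIDS:
        raise KeyError(f"unknown target userid {target}")
    if has_access(rules, requester, "SURROGAT", f"BPX.SRV.{target}"):
        return "surrogat"
    if OMVS_UIDS[target] == 0 and has_access(rules, requester, "FACILITY", "BPX.SUPERUSER"):
        return "superuser"
    return "password"


def reachable_without_password(requester, rules):
    """All userids `requester` can switch to with `su -s` under `rules`."""
    return {
        t for t in OMVS_UIDS
        if t != requester and su_decision(requester, t, rules) != "password"
    }


# The article's rule: USER102 may switch only to USER02.
NARROW_RULES = [Rule("SURROGAT", "BPX.SRV.USER02", "USER102")]
# The broad alternative the article avoids: hypothetical USER200 holds BPX.SUPERUSER.
BROAD_RULES = [Rule("FACILITY", "BPX.SUPERUSER", "USER200")]

if __name__ == "__main__":
    for who, rules in (("USER102", NARROW_RULES), ("USER200", BROAD_RULES)):
        print(who, "->", sorted(reachable_without_password(who, rules)))
```

Running the block lists USER02 alone for USER102, but every UID(0) user for the holder of BPX.SUPERUSER, which is the exposure the SURROGAT rule avoids. When reviewing who can reach a superuser ID, enumerate both classes: a SURROGAT rule for BPX.SRV.<target> and any FACILITY BPX.SUPERUSER grant both need to be in scope.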

Sample ACFRPTRV report showing the validation when USER102 has TRACE set on their logonid:

REQUESTED RESOURCE                                  REC   LOOKUP KEY 
UID                        SOURCE    CPU   MODULE   DISP      DSP-MOD   KEY-MOD   SERV 
     DATE    TIME  JNAME   LID         NAME                     PRE RMC INT PST FIN 
MLS      USER-SECLABEL  RSRC-SECLABEL MODE   SRC      RRC        RSN 
RSUR-BPX.SRV.USER02                                 TRC   RSUR-BPX.SRV.USER02 
AX4*SUSER102OMVSGRP        A99LO999   XE99  ACF9CAUT RULE       -         DIRECTRY READ 
08.004 01/04 14.38    USER102 USER102    '''CHAEL                0   0   0    0   0 
SAF RESOURCE CLASS SURROGAT 
RESOURCE NAME: BPX.SRV.USER02