Is there a surrogate facility for VM:Batch?

Document ID : KB000054976
Last Modified Date : 14/02/2018

Question:

I would like to allow our z/OS system to send jobs over to VM to process password changes and add and delete IDs, but I don't want to give individual batch machines security privileges. Is there a surrogate facility for VM:Batch?

Answer:

Yes. VM:Batch sets up its workers as surrogates for the VM user that submits the VM:Batch job, so you could use an authorized VM user to submit VM:Batch jobs that perform password and user management activities.

However, if the product you use for directory management is VM:Secure, note that VM:Secure does not check the surrogate setup when it evaluates VM:Secure command authorizations; it checks surrogate relationships only during rule processing. To provide this function in that environment, grant the authorizations for the required commands to one specific VM:Batch worker. Then define a job class that only this worker can run, and make it the only class this worker can run. Associate this job class only with the authorized user in a limit file. When submitting jobs that require the authorizations, the user specifies this class, which causes VM:Batch to route the job to the authorized worker.

If you have workers configured to run CLASS * (all classes), you can prevent these jobs from running on other workers by defining a resource that is specified only for the authorized worker in the VM:Batch configuration file. The user then needs to specify both the class and this resource when submitting one of these jobs to make sure it is sent to the authorized worker for processing.