Why do I need a BPX.SRV.userid profile with CA LDAP Server for RACF

Document ID : KB000072951
Last Modified Date : 21/03/2018
Question:
The install instructions for CA LDAP Server under RACF show the following:
RDEFINE SURROGAT BPX.SRV.SVIAMMEP UACC(NONE) -
  OWNER(SECADMIN) DATA('Surrogat for CA LDAP') -
  AUDIT(ALL(READ))
PERMIT BPX.SRV.SVIAMMEP CLASS(SURROGAT) ACCESS(READ) ID(LDAPUSER)
SETROPTS GENERIC(SURROGAT) RACLIST(SURROGAT) REFRESH

Why do I need to provide the BPX.SRV.userid profile in the SURROGAT class?
Answer:
The SPAWN process is controlled by BPX.DAEMON in the FACILITY class.
BPX.DAEMON controls all these functions...
seteuid
setuid
setreuid
pthread_security_np()
auth_check_resource_np()
_login()
_spawn() with user ID change
_passwd()

The one that LDAP is processing is...
_spawn() with user ID change

If the LDAP server user ID has BPX.DAEMON access and is UID(0), it can issue the spawn with user ID change without needing a BPX.SRV.userid profile in the SURROGAT class.
If it has BPX.DAEMON access but is NOT UID(0), it also needs READ access to BPX.SRV.userid in the SURROGAT class.
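The rule above (BPX.DAEMON is always needed; BPX.SRV.userid is needed only when the server ID is not UID(0)) can be checked from TSO before the LDAP server is started. The REXX exec below is an added example, not part of the KB article or the CA LDAP Server install material: it reads the OMVS UID of the server ID with LISTUSER, decides which profiles the rule requires, and confirms with RLIST that each required profile exists. It assumes the user IDs LDAPUSER (server) and SVIAMMEP (spawn target) from the commands above, that OUTTRAP output for a missing profile contains the text NOT FOUND, and that it is run by an ID authorized to issue LISTUSER and RLIST.

```rexx
/* REXX - report which RACF profiles the CA LDAP server ID needs for   */
/* _spawn() with user ID change. Added example; names are taken from   */
/* the KB text (LDAPUSER, SVIAMMEP) and are assumptions for your site. */
srvid  = 'LDAPUSER'            /* ID the LDAP server runs under        */
target = 'SVIAMMEP'            /* ID that the spawned process switches to */

/* 1. Read the OMVS UID of the server ID from LISTUSER output.         */
x = OUTTRAP('out.')
"LISTUSER" srvid "OMVS NORACF"
x = OUTTRAP('OFF')
uid = ''
do i = 1 to out.0
  if pos('UID=', out.i) > 0 then parse var out.i 'UID=' uid .
end
if uid = '' then do
  say srvid 'has no OMVS segment; it cannot run z/OS UNIX work at all.'
  exit 8
end
uid = uid + 0                  /* '0000000000' -> 0                    */

/* 2. BPX.DAEMON in FACILITY is required in every case.                */
rc = check_profile('FACILITY', 'BPX.DAEMON', srvid)

/* 3. BPX.SRV.<target> in SURROGAT is required only when not UID(0).   */
if uid = 0 then
  say srvid 'is UID(0): no BPX.SRV.'target 'SURROGAT profile is needed.'
else
  rc = max(rc, check_profile('SURROGAT', 'BPX.SRV.'target, srvid))

exit rc

/* Report whether CLASS PROFILE exists; the caller must still PERMIT   */
/* the server ID READ access (see the PERMIT commands in the KB text). */
check_profile: procedure
  parse arg class, prof, who
  x = OUTTRAP('r.')
  "RLIST" class prof "AUTHUSER"
  x = OUTTRAP('OFF')
  do j = 1 to r.0
    if pos('NOT FOUND', r.j) > 0 then do
      say 'MISSING :' class prof '- define it and PERMIT READ to' who
      return 4
    end
  end
  say 'PRESENT :' class prof '- confirm' who 'has READ in the access list'
  return 0
```

Run it as an exec from TSO (for example `EX 'your.exec.lib(LDAPCHK)'`, a placeholder data set name); a return code of 4 means at least one required profile is not defined. The exec only reports; it issues no RDEFINE or PERMIT, so the actual profile changes stay with the commands shown in the question and under change control.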