LOGONIDs with the SECURITY or NON-CNCL privilege get RSUR-logonid.SUBMIT resource violations for the SURROGAT resource class. The user also gets the message ACF01007 A PASSWORD IS REQUIRED FOR LOGONID xxxxxxxx.
CA ACF2 has special code in place for SURROGAT calls.
Resource class SURROGAT validations check to see if one user has the authority to use another user's LOGONID without knowing the password. SECURITY or NON-CNCL privileges do not allow a user to use someone else's LOGONID without knowing the password - there must be a SURROGAT resource rule allowing access.