I have seen SURROGAT used effectively at sites for a shared group userid for performing maintenance work.
The group ID has a level of access that you would not want to give to every member of the team - an extra "finger-check" if you will as "s" is very close to "d" on the keyboard.... Typically this group ID does not have a TSO segment and its function is also covered with some "are you sure" logic as well.

Rob Scott
Rocket Software, Inc
275 Grove Street
Newton, MA 02466
617-614-2305
[EMAIL PROTECTED]
http://www.rs.com/portfolio/mxi_g2

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Itschak Mugzach
Sent: 12 February 2007 09:24
To: [email protected]
Subject: Re: RACF Surrogate Authority

If XYZ need the authority, why shouldn't he get them directly? This way you will know who is using the resource, not a generic user that you have to investigate who used his access authorities. It is exactly like putting ABC's password on a paper near the keyboard or terminal. I wouldn't give surrogate to users but applications (like a job scheduler).

Itschak

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Chase, John
Sent: Monday, February 12, 2007 4:02 PM
To: [email protected]
Subject: Re: RACF Surrogate Authority

> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of R.S.
>
> Jacky Bright wrote:
> > Hi,
> >
> > I have 2 TSO Users (ABC and XYZ)
> >
> > ABC has high level access privileges.
> >
> > XYZ do not have any such access.
> >
> > I am trying to submit 1 job from XYZ userid which require access
> > privileges from ABC.
> >
> > In case I define XYZ user as surrogate user for ABC then is that going
> > to work.
> >
> > what implications it will have at system side ? security issue ?
>
> It depends.
> However surrogate means, XYZ can do everything (*) that ABC can.

More precisely, "surrogate" in RACF context means that XYZ can submit work using ABC as the user ID. IOW, XYZ must "tell" the system that he is pretending to be ABC.
-jc-
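The setup discussed in this thread, as an added example that is not part of any poster's message: a SURROGAT profile that lets XYZ submit work as ABC, with auditing switched on so each use is logged, followed by the job XYZ would submit. ABC and XYZ are the thread's user IDs; the job names, accounting field, job classes and the IEFBR14 step are placeholders.

```jcl
//* Job 1: run by a RACF administrator (batch TSO) to define the
//* surrogate relationship. Profile name format is execid.SUBMIT.
//RACFDEF  JOB (ACCT),'DEFINE SURROGAT',CLASS=A,MSGCLASS=X
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE SURROGAT ABC.SUBMIT UACC(NONE) AUDIT(ALL(READ))
  PERMIT ABC.SUBMIT CLASS(SURROGAT) ID(XYZ) ACCESS(READ)
  SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT)
  SETROPTS RACLIST(SURROGAT) REFRESH
/*
//*
//* UACC(NONE)       : nobody is a surrogate by default.
//* AUDIT(ALL(READ)) : every surrogate check against this profile,
//*                    success or failure, is written to SMF, so
//*                    the real submitter can be traced later.
//* PERMIT ... READ  : XYZ alone may submit jobs that run as ABC.
//*
//* Job 2: submitted by XYZ. USER=ABC with no PASSWORD= is how XYZ
//* "tells" the system to run the work under ABC. RACF allows it
//* only because XYZ has READ access to ABC.SUBMIT.
//XYZJOB   JOB (ACCT),'RUN AS ABC',CLASS=A,MSGCLASS=X,USER=ABC
//STEP1    EXEC PGM=IEFBR14
```

Removing the permission again is a single `PERMIT ABC.SUBMIT CLASS(SURROGAT) ID(XYZ) DELETE` followed by the same `SETROPTS RACLIST(SURROGAT) REFRESH`.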

