T 5.119 Use of other IDs in z/OS systems
The surrogate authorisation in the z/OS security system, RACF, enables user A to run a batch job under the ID of a different user, user B, without user A needing to know user B's password. All security checks are performed against user B's ID, and the log and SMF data record user B as the user running the commands.
There is a risk that the surrogate authorisation could be misused if the necessary security precautions are not taken when granting and monitoring this authorisation:
- Users can, in certain circumstances, run unauthorised actions that they are not allowed to run with their own ID.
- Users can, in certain circumstances, make it appear that another user is responsible for their own (unauthorised) actions.
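A review of existing surrogate grants addresses both risks above. The following is an added example, not part of the original catalogue entry: it checks a list of RACF SURROGAT class profiles (named execution-userid.SUBMIT) for grants that are broad, unapproved or lead to a privileged ID. The data layout, all user IDs, and the privileged and approved lists are constructed assumptions.

```python
# Added example. Constructed data in a simplified layout, not real RACF output.
# Each entry: (SURROGAT profile, UACC, [(permitted ID, access), ...])
PROFILES = [
    ("PAYBATCH.SUBMIT", "NONE", [("SCHEDLR", "READ")]),
    ("SYSADM1.SUBMIT", "NONE", [("DEVUSR7", "READ")]),
    ("*.SUBMIT", "NONE", [("OPSGRP", "READ")]),
    ("TESTUSR.SUBMIT", "READ", []),
    ("APPBAT.SUBMIT", "NONE", [("*", "READ"), ("DEVUSR7", "NONE")]),
]
PRIVILEGED = {"SYSADM1"}              # assumption: IDs with elevated authority
APPROVED = {("SCHEDLR", "PAYBATCH")}  # assumption: documented (submitter, execution ID) pairs
GRANTING = {"READ", "UPDATE", "CONTROL", "ALTER"}  # READ or higher allows surrogate submission


def review(profiles, privileged, approved):
    """Return (profile, submitter, reason) for every grant that needs attention."""
    findings = []
    for name, uacc, permits in profiles:
        if not name.endswith(".SUBMIT"):
            continue  # only job-submission surrogate profiles are reviewed here
        exec_id = name[: -len(".SUBMIT")]
        if "*" in exec_id or "%" in exec_id:
            findings.append((name, "-", "generic profile covers many execution IDs"))
        if uacc in GRANTING:
            findings.append((name, "(any user)", "UACC grants surrogate use to everyone"))
        for who, access in permits:
            if access not in GRANTING:
                continue  # an explicit NONE entry denies, nothing to flag
            if who == "*":
                reason = "ID(*) grants surrogate use to every defined user"
            elif exec_id in privileged:
                reason = "submitter gains a privileged execution ID"
            elif (who, exec_id) not in approved:
                reason = "pair is not on the approved list"
            else:
                continue
            findings.append((name, who, reason))
    return findings


if __name__ == "__main__":
    for profile, who, reason in review(PROFILES, PRIVILEGED, APPROVED):
        print(f"{profile:18} {who:11} {reason}")
```

Because the log and SMF data name only the execution ID, a list of approved submitter and execution ID pairs such as the one assumed here is what lets a reviewer tie a job back to the person who was allowed to submit it.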