Top Secret

SURROGAT(acid.SUBMIT) gives one the authority to submit batch jobs with USER=acid on the job card without having to know the password.  So does ACID(acid).  So why does TSS have this extra class?  I figure there must be some difference between them.  Anyone know?

Bob,

SURROGAT resource class is not only used for cross authorization checks, but it is also used in CICS, Lotus Domino Go Webserver, OPC/ESA, JES and Websphere for different purposes aside from cross authorization authority.

Couldnt find anything off hand that discusses the difference between PERMITing a user to an acid vs using SURROGAT checking in JES. This will need further research. Please open a ticket support if you would us to pursue it further.

Regards,

Joseph Porto - CA Level 1 Support

Hi Bob,

  SURROGAT is an IBM defined class to z/OS that is used by Top Secret, RACF, and ACF2.  It is not special to Top Secret.

Joseph Porto,

CA-TSS manual only shows SURROGAT usage with:

TSS ADDTO(acid) SURROGAT(acidname.DFHINSTAL)
Prefix length
Two to 17 characters
When used with TSS PERMIT/REVOKE, this resource class has the following format:
TSS PERMIT(acid) SURROGAT(acidname.DFHINSTAL)

Does it work also with SURROGAT(acid.SUBMIT) ?     If so, would the following work and allow removal of NOSUBCHK from CICS regions?    Permit SURROGAT(*.SUBMIT)ACC(READ)ACTION(AUDIT) to the CICS region and then PERMIT SURROGAT(MSCA.SUBMIT)ACC(NONE) ? 

Steve,

I ran some tests and see no indication that resource ID "{accessor-id-8}.SUBMIT" in resource class ID "SURROGAT" is being checked.

John P. Baker