How are users granted surrogate authority to allow USER=xxxx on batch job cards?

To be able submit a job using another user acid via USER= on the job card, the user must be authorized to that acid, which can be done in 2 ways.

1. Permit the user to the other acid.
TSS PERMIT(USERA) ACID(USERB).
USERA is now allowed to submit jobs under USERBs acid.

ACID Keyword

2. Give the user NOSUBCHK attribute.
TSS ADD(USERA) NOSUBCHK
This allows USERA to submit a batch job using anyone's acid.
NOSUBCHK is frowned upon by auditors and should be given out sparingly.

NOSUBCHK Keyword

This type of security is called Cross Submit Authorization Checking.

To determine what users have SURROGAT to a particular acid issues :

TSS WHOHAS ACID(acidname)

TSS WHOHAS NOSUBCHK