ACF2 Surrogate logonid usage with RESTRICT

Article ID: 239818

Products

ACF2 - z/OS ACF2 ACF2 - MISC

Issue/Introduction

This article provides an example of using SURROGAT class rules to secure an ACF2 logonid with the RESTRICT attribute.

Resolution

Before ACF2 R16 PTF LU05334, the use of a RESTRICT logonid could only be controlled by the options defined in the logonid record itself: SUBAUTH, PROGRAM and SOURCE.

With this enhancement PTF applied, ACF2 also checks whether the submitter of a job is authorized to use the RESTRICT logonid, provided the RESTRICT logonid has access to the resource RESTRICT.CHECK.SURROGAT in the CASECAUT class.


Steps to enable SURROGAT checking for RESTRICT logonids

  1. Allow the RESTRICT logonid access to RESTRICT.CHECK.SURROGAT in the CASECAUT class. An example resource rule that enables the SURROGAT check for the RESTRICT logonid would look like this:

    $KEY(RESTRICT) TYPE(AUT)
     CHECK.SURROGAT UID(uid_of_restrict_lid) ALLOW

  2. Allow the submitting logonid access to restrictlid.SUBMIT in the SURROGAT class (where restrictlid is replaced with the RESTRICT logonid). An example rule that allows the submitter to use the RESTRICT logonid would look like this:

    $KEY(restrictlid) TYPE(SUR)
     SUBMIT UID(uid_of_submitter_lid) ALLOW

Note that all rules in class SURROGAT, and the RESTRICT.CHECK.SURROGAT rule in class CASECAUT, do not grant access merely because the logonid being checked has the SECURITY or NON-CNCL privilege. ACF2 will still check the RESTRICT logonid's PROGRAM and SUBAUTH fields, if present, to make sure they are satisfied. For more information on using logonid fields to add further restrictions to RESTRICT logonid usage, please see Using PGM, SUBAUTH and SOURCE with ACF2 RESTRICT logonids.

If the submitting logonid does not have access via SURROGAT rules, the following error message is issued:

ACF01059 submitter_lid failed SURROGAT auth for RESTRICT logonid restrict_lid


Example

Consider the following two logonids: 

The logonid RESTLID has only RESTRICT and JOB privileges and no password:

RESTLID                           RESTLID  RESTRICT LOGONID                  
                     COMPANY() DEPT() IDNUM() LEVEL() LOCATION() OLDLID()    
                     OWNER() OWNTYPE() POSITION() PROJECT() SITE()           
PRIVILEGES           JOB RESTRICT                                            
ACCESS               ACC-CNT(7) ACC-DATE(09/01/22) ACC-SRCE(A9999999)      
                     ACC-TIME(09:44)                                         
PASSWORD             KERB-VIO(0) KERBCURV() PSWA1TOD(00/00/00-00:00)         
                     PSWA2TOD(00/00/00-00:00) PSWD-DAT(00/00/00) PSWD-INV(0)
                     PSWD-TOD(00/00/00-00:00) PSWD-VIO(0) PSWDCVIO(0)        
                     PWP-DATE(00/00/00) PWP-VIO(0)                           
TSO                  DFT-PFX(RESTLID)                                        
STATISTICS           CRE-TOD(09/01/22-09:26) SEC-VIO(0)                      
                     UPD-TOD(09/01/22-09:44)                                 
RESTRICTIONS         GROUP(DFTGRP) PREFIX(RESTLID)  

 

The logonid USER001 has only TSO and JOB privileges and a password:

USER001                           USER001  USER                            
                     COMPANY(0) DEPT() IDNUM(DAS1) LEVEL(1) LOCATION(AAAA)    
                     OLDLID() OWNER() OWNTYPE() POSITION() PROJECT(9) SITE(2)
CANCEL/SUSPEND       CSDATE(09/13/21) CSWHO(USER001) MON-LOG PP-TRC PP-TRCV  
                     TRACE                                                    
PRIVILEGES           JOB TSO
ACCESS               ACC-CNT(879) ACC-DATE(09/01/22) ACC-SRCE(A99999999)      
                     ACC-TIME(09:29)                                          
PASSWORD             KERB-VIO(0) KERBCURV() LIDZMAX MAXDAYS(50)               
                     PSWA1TOD(08/19/22-12:26) PSWA2TOD(00/00/00-00:00)        
                     PSWD-DAT(00/00/00) PSWD-INV(0) PSWD-SRC(A9999999)
                     PSWD-TIM(09:29) PSWD-TOD(08/19/22-12:26) PSWD-VIO(0)     
                     PSWDCVIO(103) PWP-DATE(00/00/00) PWP-VIO(0)              
TSO                  ALLCMDS ATTR2(9999) DFT-PFX(USER001) DFT-SOUT(A)        
                     DFT-SUBM(A) INTERCOM JCL LGN-ACCT LGN-PROC LGN-SIZE      
                     LINE(ATTN) MAIL MODE MSGID NOTICES PROMPT     

 

To secure the use of RESTLID, so that no logonid can submit a job with USER=RESTLID unless a SURROGAT rule permits it, the following rule is coded:

$KEY(RESTRICT) TYPE(AUT)
 CHECK.SURROGAT UID(*************RESTLID) ALLOW

 

If logonid USER001 logs on to TSO and submits the following job:

//ACFBATCH JOB 118100000,CLASS=A,NOTIFY=USER001,MSGCLASS=X, 
//   USER=RESTLID                                           
//ACFBATCH EXEC PGM=IEFBR14                                 
//SYSPRINT DD SYSOUT=*                                      
/*                                                          

The job will fail with:

//ACFBATCH JOB 9999999999CLASS=A,NOTIFY=USER001,MSGCLASS=X,             JOB06212
//   USER=RESTLID                                                       00012141
//* ACF01059 USER001 failed SURROGAT auth for RESTRICT logonid RESTLID SYSXXXX
//ACFBATCH EXEC PGM=IEFBR14                                             00013041
$HASP106 JOB DELETED BY JES2 OR CANCELLED BY OPERATOR BEFORE EXECUTION          
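The ACF01059 message above is the signal a security operations team would watch for, both in the JESYSMSG output of a cancelled job and as a bare message. The following is an added detection example, not ACF2 or JES2 code: it extracts the submitter and the RESTRICT logonid from such lines and flags submitters with repeated failures. The sample lines are constructed after the article's output, and the logonids USER002 and PRODLID, the logonid character class and the failure threshold are assumptions.

```python
"""Detection helper for ACF01059 SURROGAT failures (added example, not ACF2 code)."""
import re
from collections import defaultdict

# ACF01059 as it appears both as a bare message and inside JESYSMSG ("//* ACF01059 ...").
# The logonid character class (upper-case alphanumerics and @#$, up to 8) is an assumption.
ACF01059_RE = re.compile(
    r"ACF01059\s+(?P<submitter>[A-Z0-9@#$]{1,8})\s+failed SURROGAT auth for "
    r"RESTRICT logonid\s+(?P<restrict_lid>[A-Z0-9@#$]{1,8})"
)

# Constructed sample lines modelled on the article's job output.
# USER002 and PRODLID are invented logonids; job numbers are made up.
SAMPLE_LINES = [
    "//ACFBATCH JOB 9999999999CLASS=A,NOTIFY=USER001,MSGCLASS=X,             JOB06212",
    "//   USER=RESTLID                                                       00012141",
    "//* ACF01059 USER001 failed SURROGAT auth for RESTRICT logonid RESTLID SYSXXXX",
    "//ACFBATCH EXEC PGM=IEFBR14                                             00013041",
    "$HASP106 JOB DELETED BY JES2 OR CANCELLED BY OPERATOR BEFORE EXECUTION",
    "ACF01059 USER001 failed SURROGAT auth for RESTRICT logonid RESTLID",
    "ACF01059 USER001 failed SURROGAT auth for RESTRICT logonid PRODLID",
    "ACF01059 USER002 failed SURROGAT auth for RESTRICT logonid RESTLID",
]


def parse_surrogat_failures(lines):
    """Return (submitter, restrict_lid) pairs for every ACF01059 line, in order."""
    events = []
    for line in lines:
        match = ACF01059_RE.search(line)
        if match:
            events.append((match.group("submitter"), match.group("restrict_lid")))
    return events


def flag_submitters(events, min_failures=2):
    """Submitters with at least min_failures SURROGAT failures, mapped to the
    sorted set of RESTRICT logonids they failed against (threshold is an assumption)."""
    per_submitter = defaultdict(list)
    for submitter, restrict_lid in events:
        per_submitter[submitter].append(restrict_lid)
    return {
        submitter: sorted(set(lids))
        for submitter, lids in per_submitter.items()
        if len(lids) >= min_failures
    }


if __name__ == "__main__":
    found = parse_surrogat_failures(SAMPLE_LINES)
    for submitter, restrict_lid in found:
        print(f"SURROGAT failure: {submitter} -> {restrict_lid}")
    print("flagged:", flag_submitters(found))
```

A single ACF01059 is often just a missing rule after a new RESTRICT logonid is defined; the same submitter failing against several RESTRICT logonids is the pattern worth reviewing, which is why the flag is keyed by submitter and lists the distinct logonids.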

 

To allow USER001 to submit jobs with USER=RESTLID, the following SURROGAT rule is coded:

$KEY(RESTLID) TYPE(SUR)
 SUBMIT UID(*************USER001) ALLOW

After the above SURROGAT rule is added, logonid USER001 can submit a job with USER=RESTLID:

09.58.24 JOB06215 ---- THURSDAY,  01 SEP 2022 ----                              
09.58.24 JOB06215  $HASP373 ACFBATCH STARTED - INIT 1    - CLASS A        - SYS 
09.58.24 JOB06215  ACF9CCCD USERID RESTLID  IS ASSIGNED TO THIS JOB - ACFBATCH  
09.58.24 JOB06215  IEF403I ACFBATCH - STARTED - TIME=09.58.24                   
09.58.24 JOB06215  IEF404I ACFBATCH - ENDED - TIME=09.58.24                     
09.58.24 JOB06215  $HASP395 ACFBATCH ENDED - RC=0000               
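The two-level check described in the steps above and shown in this example (the RESTRICT logonid opts in through RESTRICT.CHECK.SURROGAT in CASECAUT, then the submitter needs restrictlid.SUBMIT in SURROGAT) can be modelled to confirm which combinations of rules allow a submission. The following is an added example, not ACF2 code: it parses the two rules from this article and evaluates the decision for USER001, for a constructed logonid USER002, and for the case where no CASECAUT rule exists. Assumptions, beyond the constructed logonid: the site's UID string is 13 characters of logonid-field data followed by the logonid (which is what a mask of 13 asterisks and the logonid selects), the UID mask semantics are simplified to `*` matching one character and `-` matching the rest, and the first matching entry decides with no match meaning no access.

```python
"""Model of the RESTRICT logonid SURROGAT check (added example, not ACF2 code)."""
import re
from dataclasses import dataclass, field

# Assumption: the UID string is 13 characters of field data followed by the
# logonid.  The prefix value is constructed.
UID_PREFIX = "DEPT1LOCAAAAX"


@dataclass
class Logonid:
    name: str
    uid: str


@dataclass
class Rule:
    key: str        # $KEY value: RESTRICT (CASECAUT) or the RESTRICT logonid (SURROGAT)
    rtype: str      # TYPE value: AUT for CASECAUT, SUR for SURROGAT
    entries: list = field(default_factory=list)   # (resource, uid_mask, access)


RULE_HEADER = re.compile(r"\$KEY\((?P<key>[^)]+)\)\s+TYPE\((?P<rtype>[^)]+)\)")
RULE_ENTRY = re.compile(r"(?P<resource>\S+)\s+UID\((?P<mask>[^)]*)\)\s+(?P<access>ALLOW|PREVENT)")


def parse_rule(text):
    """Parse a rule written in the article's form into a Rule."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = RULE_HEADER.match(lines[0])
    if header is None:
        raise ValueError("rule must start with $KEY(...) TYPE(...)")
    rule = Rule(header["key"], header["rtype"])
    for line in lines[1:]:
        entry = RULE_ENTRY.match(line)
        if entry is None:
            raise ValueError(f"unrecognised rule entry: {line}")
        rule.entries.append((entry["resource"], entry["mask"], entry["access"]))
    return rule


def uid_matches(mask, uid):
    """Simplified UID masking (assumption): '*' matches exactly one character,
    '-' matches the remainder, any other character must match literally."""
    for i, ch in enumerate(mask):
        if ch == "-":
            return True
        if i >= len(uid) or (ch != "*" and ch != uid[i]):
            return False
    return len(mask) == len(uid)


def rule_allows(rules, key, resource, uid):
    """First matching entry decides; no matching entry means no access (assumption)."""
    for rule in rules:
        if rule.key != key:
            continue
        for res, mask, access in rule.entries:
            if res == resource and uid_matches(mask, uid):
                return access == "ALLOW"
    return False


def surrogat_decision(submitter, restrict_lid, casecaut_rules, surrogat_rules):
    """Outcome of the SURROGAT part of submitting a job with USER=restrict_lid."""
    # Step 1: does the RESTRICT logonid have RESTRICT.CHECK.SURROGAT in CASECAUT?
    if not rule_allows(casecaut_rules, "RESTRICT", "CHECK.SURROGAT", restrict_lid.uid):
        # Not opted in: only the logonid's PROGRAM/SUBAUTH/SOURCE fields
        # (outside this model) govern the job.
        return {"surrogat_checked": False, "allowed": True, "message": ""}
    # Step 2: the submitter needs restrict_lid.SUBMIT in SURROGAT.  SECURITY or
    # NON-CNCL on the submitter does not bypass this, so privileges are not inputs.
    if rule_allows(surrogat_rules, restrict_lid.name, "SUBMIT", submitter.uid):
        return {"surrogat_checked": True, "allowed": True, "message": ""}
    msg = f"ACF01059 {submitter.name} failed SURROGAT auth for RESTRICT logonid {restrict_lid.name}"
    return {"surrogat_checked": True, "allowed": False, "message": msg}


# The two rules from the article's example, verbatim.
CASECAUT_RULE = parse_rule("""
$KEY(RESTRICT) TYPE(AUT)
 CHECK.SURROGAT UID(*************RESTLID) ALLOW
""")
SURROGAT_RULE = parse_rule("""
$KEY(RESTLID) TYPE(SUR)
 SUBMIT UID(*************USER001) ALLOW
""")

RESTLID = Logonid("RESTLID", UID_PREFIX + "RESTLID")
USER001 = Logonid("USER001", UID_PREFIX + "USER001")
USER002 = Logonid("USER002", UID_PREFIX + "USER002")   # constructed, not in the article

if __name__ == "__main__":
    print("before SURROGAT rule:", surrogat_decision(USER001, RESTLID, [CASECAUT_RULE], []))
    print("after SURROGAT rule: ", surrogat_decision(USER001, RESTLID, [CASECAUT_RULE], [SURROGAT_RULE]))
    print("other submitter:     ", surrogat_decision(USER002, RESTLID, [CASECAUT_RULE], [SURROGAT_RULE]))
```

The model deliberately takes no privilege information about the submitter, which mirrors the article's note that SECURITY and NON-CNCL do not satisfy the SURROGAT or RESTRICT.CHECK.SURROGAT rules; the only inputs are the two rule sets and the UID strings.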

 

In summary, to secure the use of a logonid with RESTRICT and prevent a security exposure, with or without the use of the logonid PROGRAM, SUBAUTH or SOURCE restrictions, the R(AUT) RESTRICT.CHECK.SURROGAT rule can be used to enforce the restrictlid.SUBMIT check in the SURROGAT resource class.