When doing an OMVS SU command what ACF2 security is checked? How can end users be prevented from doing the SU command?

When the OMVS SU command is issued without any parameters a RACROUTE FACILITY resource class validation is done for the resource BPX.SUPERUSER.

When the OMVS SU command is issued with a username parameter a prompt is issued for username's password.

The superuser command allows users under OMVS switch to the identity of another user. If no ID is specified, the user switches to a superuser, UID(0). You might want to use this facility as an alternative to assigning a user a UID of zero. The ability to switch to superuser status is controlled through the FACILITY class resource BPX.SUPERUSER. To control which users have the ability to use the SU command, add rule entries to the BPX FACILITY resources rule, similar to this one, as appropriate:

 $KEY(BPX) TYPE(FAC) 
 SUPERUSER UID(user_uid) ALLOW 

If the OMVS SU command includes an ID, for example user02 issues "su -s user01" there is a validation issued for BPX.SRV.USER01 in the SURROGAT resource class for example:

 $KEY(BPX) TYPE(SUR) 
 SRV.USER01 UID(user02_uid) ALLOW 

If the user being validated does not have access to the resource, they are prompted for the password for the "switch to" userid.

 $ su user01                             
 FSUM5019 Enter the password for user01: 

If a valid password is issued the ownership of the session is changed to user01.
If a valida password is not issued an error message is received and the SU fails.