I want to be able to set up a LOGONID to be used for batch jobs. I want the LOGONID to have a password but I want several users to be able to submit jobs without knowing the password - how do I do this?
There are two options available:
1. Surrogate processing can be used to submit jobs that run under a different LOGONID than the submitter, without the need to know that user's password.
2. Set up a LOGONID with the RESTRICT privilege. A restricted LOGONID does not require a password for user verification.
Option 1
By creating a resource rule in the SURROGAT class, a user can be allowed to supply a USER= or //*LOGONID statement in the JCL without any corresponding password.
You can create a resource rule for class SURROGAT to allow the users access to the "userid.SUBMIT" resource.
Anyone who is not allowed access to the resource cannot submit the batch job unless a password is specified.
In the following example, user1, user2 and user3 are allowed to submit jobs with LOGONID BATCHID, and everyone else will require a password.
$KEY(BATCHID.SUBMIT) TYPE(SUR)
UID(user1 UID string) ALLOW
UID(user2 UID string) ALLOW
UID(user3 UID string) ALLOW
Note: the TYPE(SUR), or whatever you have mapped to resource class SURROGAT, should be made resident with the GSO INFODIR record:
ACF
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RSUR) ADD
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(SUR)
Option 2
Create a LOGONID with the RESTRICT attribute along with PROGRAM, SUBAUTH and SOURCE restrictions to limit the use of the LOGONID. The LOGONID RESTRICT attribute and restrictions are described as follows (from the CA-ACF2 Administrator Guide):
RESTRICT | NORESTRICT
Specifies that a LOGONID is for production use only. A restricted LOGONID does not require a password for user verification. CA ACF2 logs all jobs submitted with RESTRICTED LOGONIDs, except for jobs submitted by those jobs.
SOURCE(sourceid)
Specifies the one- to eight-character logical or physical input source name or source group name from which a user must access the system.
SUBAUTH | NOSUBAUTH
Indicates that jobs that specify this LOGONID can be submitted only by APF-authorized programs.
PROGRAM(program)
Specifies a one- to eight-character program name or name mask. The specified program must be used to submit jobs for this LOGONID; if the LOGONID has SUBAUTH, this program must also be APF-authorized.
The following steps can be taken to set up the RESTRICT LOGONID to be used by multiple users.
Create/set up a unique submit program in an APF-authorized library and limit access to the program or library to the specific users who will be using the LOGONID. This can be done with dataset access rules or SAF program protection (see technical document TEC436153).
Add the RESTRICT privilege along with the appropriate SOURCE, SUBAUTH and PROGRAM specifications to the LOGONID to be used.
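An added example, not part of the original article or CA's documentation: an audit check that flags RESTRICT LOGONIDs that lack the SUBAUTH, PROGRAM or SOURCE restrictions described in Option 2. The flat one-record-per-line input layout and the LOGONID, program and source names in the sample are assumptions made for the example, not real ACF2 LIST output.

```python
import re

# Constructed sample: one LOGONID per line followed by its attributes.
# This flat layout is an assumption for the example, not real ACF2 output.
SAMPLE = """\
BATCHID  RESTRICT SUBAUTH PROGRAM(SUBMITPG) SOURCE(BATCHSRC)
NIGHTLY  RESTRICT PROGRAM(SUBMITPG)
OPENID   RESTRICT
USER1    NORESTRICT
"""

# Matches a bare attribute (RESTRICT) or one with a value (PROGRAM(SUBMITPG)).
FIELD = re.compile(r"([A-Z]+)(?:\(([^)]*)\))?")

# Restrictions Option 2 pairs with RESTRICT to limit use of the LOGONID.
REQUIRED = ("SUBAUTH", "PROGRAM", "SOURCE")


def parse_record(line):
    """Return (logonid, {attribute: value-or-True}) for one record line."""
    logonid, *rest = line.split(None, 1)
    attrs = {}
    for name, value in FIELD.findall(rest[0] if rest else ""):
        attrs[name] = value if value else True
    return logonid, attrs


def audit(text):
    """Map each RESTRICT LOGONID to the restrictions it is missing."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        logonid, attrs = parse_record(line)
        if "RESTRICT" not in attrs:
            continue  # password still required; not a passwordless LOGONID
        missing = [f for f in REQUIRED if f not in attrs]
        if missing:
            findings[logonid] = missing
    return findings


if __name__ == "__main__":
    for logonid, missing in audit(SAMPLE).items():
        print(f"{logonid}: RESTRICT without {', '.join(missing)}")
```

A RESTRICT LOGONID reported here can be used for job submission without a password and without the corresponding limit on who or what submits the job.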