How to allow a user to issue the OMVS SU command to switch to a specific user who is a SUPERUSER (UID(0)) in ACF2

Article ID: 26785

Updated On:

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

How can a user be allowed to issue the OMVS SU command to switch to a specific user who is a SUPERUSER (UID(0)) without giving the user access to the BPX.SUPERUSER FACILITY resource, which allows a user to SU to any SUPERUSER?

Environment

Release:
Component: ACF2MS

Resolution

A user can be granted READ access to the SURROGAT class resource BPX.SRV.uuuuuuuu (where uuuuuuuu is the MVS userid associated with the target UID).

Without a rule, you will need to enter the target user's password when prompted. If a user ID is specified and you have READ access to the SURROGAT class resource for the target user, you can use the -s option, or press Enter at the password prompt.

The SURROGAT resource class will allow a user to SU to another specific logonid.

For example, to allow user USER102 to switch to userid USER02, do the following.

  1. Code the SURROGAT rule:

    $KEY(BPX.SRV.USER02) TYPE(SUR)
    UID(USER102) ALLOW SERVICE(READ)

    (Note: this sample rule assumes you have not modified the CLASMAP for the SURROGAT resource class)

  2. Logon with USER102.

  3. From OMVS, issue the command:
    su -s USER02

    USER102 will now have temporarily switched to USER02's UID.
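
The steps above as one complete session, added here as an illustration and not taken from the article: the ACF subcommands that compile and store the SURROGAT rule, the console command that refreshes it, and the OMVS commands that confirm the switch. It assumes SUR is a resident (directory-built) type in the GSO INFODIR record, which is why a REBUILD is shown, and that the CLASMAP still maps SURROGAT to type SUR as the article notes.

```text
/* TSO, logged on as a security administrator: verify the class mapping */
ACF
SHOW CLASMAP                     /* confirm SURROGAT -> type code SUR   */

/* compile and store the rule set for the target logonid USER02 */
SET RESOURCE(SUR)
COMPILE * STORE
 $KEY(BPX.SRV.USER02) TYPE(SUR)
 UID(USER102) ALLOW SERVICE(READ)
                                 /* blank line ends the rule text       */
END

/* z/OS console: make the stored rule set active for a resident type */
F ACF2,REBUILD(SUR)

/* OMVS, logged on as USER102: before the switch */
$ id -u
4711                             /* constructed value: USER102's own UID */

/* switch without the target password, using the SURROGAT permission */
$ su -s USER02

/* after the switch: effective UID is now 0 under USER02 */
$ id
uid=0(USER02) gid=... 
$ exit                           /* return to USER102's own identity    */
```

If the SURROGAT rule is missing or does not grant READ, su -s is denied and the ACFRPTRV report will show the RSUR-BPX.SRV.USER02 lookup with a non-RULE disposition, which is the first thing to check when the switch fails.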

Sample ACFRPTRV report showing the validation when USER102 has TRACE set on their logonid:

REQUESTED RESOURCE                                  REC   LOOKUP KEY 
UID                        SOURCE    CPU   MODULE   DISP      DSP-MOD   KEY-MOD   SERV 
     DATE    TIME  JNAME   LID         NAME                     PRE RMC INT PST FIN 
MLS      USER-SECLABEL  RSRC-SECLABEL MODE   SRC      RRC        RSN 
RSUR-BPX.SRV.USER02                                 TRC   RSUR-BPX.SRV.USER02 
AX4*SUSER102OMVSGRP        12345678   ABCD  ACF9CAUT RULE       -         DIRECTRY READ 
08.004 01/04 14.38    USER102 USER102    JOHN DOE                0   0   0    0   0 
SAF RESOURCE CLASS SURROGAT 
RESOURCE NAME: BPX.SRV.USER02