I have a regular user using USS under z/OS and they can switch to a Superuser logonid without knowing the password, or even a STC logonid. What is checked when a user switches to another user using the SU command in USS?

Article ID: 38558

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

I was testing a switch in USS to another user that was a Superuser.  I am being allowed.  I am prompted to enter the password, but there is none since the logonid I am trying to switch to is an STC.  So just hitting enter allows me in.  How can I stop this?

list apache
APACHE       uid of apache server APACHE WEB SERVER
                  COMP(yyyy) CUST(xxx) DEPT(zzzz)
PRIVILEGES  STC 

list testid1

TESTID1      uid of testid1 TEST1 LOGONID
                  COMP(yyyy) CUST(xxxx) DEPT(zzzz)

The test id was used to logon to USS:

$
$ whoami
TESTID1
$
$ su APACHE
FSUM5019 Enter the password for APACHE                 <== then ENTER was hit
$
$ whoami
APACHE


Environment

Release:
Component: ACF2MS

Cause

When the su command is asked to switch to another user, z/OS UNIX can make a SAF resource request (RACROUTE REQUEST=AUTH, class SURROGAT, resource BPX.SRV.userid) asking whether the caller may act as a surrogate of the target user.  That is where the FSUM5019 password prompt comes into play: when the prompt is answered with an empty password, the switch is decided by that SURROGAT check instead of by the target's password.  If the caller has READ access to BPX.SRV.userid, the switch is allowed with no password at all, which is why an STC logonid (which has no password) can be reached this way.

Resolution

Setting the TRACE attribute on the logonid records every access validation ACF2 performs for that user, which shows exactly which rule allowed the switch (remove it with NOTRACE once the problem is understood, since it adds SMF records for every access the user makes):

TSO ACF
SET LID
CHANGE TESTID1 TRACE

In this case, a SECTRACE of the SAF calls from the session was also taken.  It shows the request that su issues for the switch:

SMFID= TEST TOD= hh:mm:ss.mm TRACEID= TESTTRACE USERID= TESTID 
JOBNAME= TESTID ASID= 00xx PGM= *PATHNAM CURR RB= *PATHNAM 
SFR/RFR= 0/0:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE 
SAFDEF= SAFALL  INTERNAL MODE= GLOBAL 

RACROUTE REQUEST=AUTH,CLASS='SURROGAT',RELEASE=1.9.2,STATUS=NONE, 
ATTR=READ,DSTYPE=N,ENTITYX=('BPX.SRV.APACHE',PRIVATE), 
FILESEQ=0,GENERIC=ASIS,LOG=NOSTAT,MSGSP=0,TAPELBL=STD, 
WORKA= 

The ACFRPTRV report for the traced user shows the same request, and the rule key that matched it:

RSUR-BPX.SRV.APACHE TRC RSUR-BPX.SRV.**************************
uid of apache server TEST ACF9CAUT RULE - DIRECTRY READ
YY.DDD MM/DD HH.MM source TESTID1 TEST1 LOGONID 0 0 0 0 0
SAF RESOURCE CLASS SURROGAT

RESOURCE NAME: BPX.SRV.APACHE 

Looking at the rule set under that key (resource type SUR, the ACF2 type code that maps to the SAF SURROGAT class):

$KEY(BPX.SRV.********************************) TYPE(SUR)
UID(*) ALLOW

Because the only entry is UID(*) ALLOW, every logonid is granted READ to every BPX.SRV.* resource, so any USS user can su to any other user, STCs and Superusers included, simply by giving an empty password.  The ALLOW should be changed to a PREVENT, and only the logonids that legitimately need to switch should be given their own ALLOW entries.  ACF2 orders the entries of a rule set from the most specific UID mask to the least specific, so a UID(*) PREVENT acts as the default and the specific ALLOW entries take precedence over it.

$KEY(BPX.SRV.********************************) TYPE(SUR)
UID(*) PREVENT
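As an added example (not from the original article), the hardened rule set compiled and stored from the ACF command processor, with a single authorized logonid allowed to switch to APACHE.  The UID string yyyyxxxxzzzzWEBADM1 for that administrator is hypothetical and must be replaced with the site's real UID string(s); the REBUILD is only needed when SUR rules are made resident through the GSO INFODIR record.

```text
TSO ACF
SET RESOURCE(SUR)
COMPILE * STORE
$KEY(BPX.SRV.********************************) TYPE(SUR)
 UID(yyyyxxxxzzzzWEBADM1) ALLOW
 UID(*) PREVENT
END
F ACF2,REBUILD(SUR)
```

After the change, repeat the test from the TRACEd logonid: su APACHE followed by ENTER at the FSUM5019 prompt should now be refused, and ACFRPTRV will show a violation for BPX.SRV.APACHE instead of the ALLOW.  Remember to set NOTRACE on TESTID1 when finished.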