Description:

An ACF2 logonid that has access to the FACILITY class resource BPX.SUPERUSER is not equivalent to being defined as SUPERUSER UID(0), it only allows the user to switch to SUPERUSER UID(0) status.

Solution:

The SU (Switch User) command lets users under OMVS switch to the identity of another user. If no ID is specified, the user switches to a superuser, UID(0). This can be used as an alternative to assigning a user UID(0). The difference is that a user that is defined as SUPERUSER UID(0) does not need to issue the SU command to switch to UID(0). This distinction is important because if a user is running an OMVS application, SCRIPT, REXX EXEC or program that requires UID(0) the SU command must be issued to switch to UID(0) in order to have SUPERUSER authority, and in some cases that is not possible. BPX.SUPERUSER FACILITY class may not be sufficient in all cases where UID(0) is required.

The ability to switch to superuser status is controlled through the FACILITY class resource BPX.SUPERUSER. To control which users have the ability to use the su command, add rule entries to the BPX FACILITY resources rule, similar to this one, as appropriate:

$KEY(BPX) TYPE(FAC)
SUPERUSER UID(user_uid) ALLOW

A user can be defined as SUPERUSER UID(0) by specifying UID(0) on the ACF CHANGE or INSERT logonid command or by specifying UID(0) on the INSERT or CHANGE command for the ACF2 PROFILE(USER) DIV(OMVS) record for the user.

Details on the BPX.SUPERUSER resource can be found in the ACF2 Security for z/OS Administrator Guide in Chapter 22: Controlling Access to the Hierarchical File System, section "Controlling Access to Superuser Status".