RACF Surrogate Checking

The platform server uses the RACF SURROGAT class to see whether a user is authorized to run a transfer under another user ID without specifying a password.

You can define the local user ID (LUSER) and password (LPASS) that are used to perform a file transfer. When both user ID and password are defined, the platform server validates the user ID/password combination, and performs the transfer under that user's credentials.

You can also specify a local user ID without specifying a local password. To avoid a security violation, however, the platform server checks whether the initiating user ID is authorized to submit jobs under the authorization of the local user ID (LUSER). In RACF terms, this is called surrogate checking.
Note: Surrogate checking only applies to initiator tasks.

To define the SURROGAT facility under RACF, you can use the following RACF commands.

RDEFINE SURROGAT userid1.SUBMIT UACC(NONE)
PERMIT userid1.SUBMIT CLASS(SURROGAT) ID(userid2) ACCESS(READ)
where userid2 is the user that submits the file transfer request and wants to run the transfer as userid1.
Note: Depending on how the RACF system is defined, you might have to refresh the SURROGAT class after running the commands.

For example, the following RACF commands define TSO user OPER to run a transfer under the authorization of user ID CA7ONL.

RDEFINE SURROGAT CA7ONL.SUBMIT UACC(NONE)
PERMIT CA7ONL.SUBMIT CLASS(SURROGAT) ID(OPER) ACCESS(READ)
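The following Python model, added here as an illustration and not part of the platform server or RACF, walks through the decision described above: a transfer with LUSER and LPASS is authorized by password validation, while a transfer with LUSER only falls through to a SURROGAT check of the userid1.SUBMIT profile. The in-memory RACF database, the profile names and the password values are constructed for the example; the SURROGAT profile from the page (CA7ONL.SUBMIT with OPER permitted READ) is reproduced, and a second initiator BOB is assumed for the denied case.

```python
from dataclasses import dataclass, field

# RACF access levels in ascending order; READ is the minimum for a SURROGAT permit.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class SurrogatProfile:
    """One SURROGAT profile, e.g. CA7ONL.SUBMIT, with its UACC and access list."""
    uacc: str = "NONE"
    permits: dict = field(default_factory=dict)  # userid -> access level


class ToyRacf:
    """Constructed stand-in for the RACF database used by the checks below."""

    def __init__(self, passwords):
        self.passwords = passwords   # userid -> password (constructed sample data)
        self.surrogat = {}           # profile name -> SurrogatProfile

    # RDEFINE SURROGAT userid1.SUBMIT UACC(NONE)
    def rdefine_surrogat(self, profile, uacc="NONE"):
        self.surrogat[profile] = SurrogatProfile(uacc=uacc)

    # PERMIT userid1.SUBMIT CLASS(SURROGAT) ID(userid2) ACCESS(READ)
    def permit(self, profile, userid, access):
        self.surrogat[profile].permits[userid] = access

    def verify_password(self, userid, password):
        return self.passwords.get(userid) == password

    def surrogat_access(self, initiator, luser):
        """Access level the initiator holds on luser.SUBMIT; NONE if no profile exists."""
        profile = self.surrogat.get(f"{luser}.SUBMIT")
        if profile is None:
            return "NONE"
        return profile.permits.get(initiator, profile.uacc)


def authorize_transfer(racf, initiator, luser=None, lpass=None):
    """Return (allowed, effective_userid) for a transfer request.

    - No LUSER: the transfer runs under the initiating user.
    - LUSER and LPASS: validate the pair and run as LUSER.
    - LUSER only: surrogate check; initiator needs READ on LUSER.SUBMIT in class SURROGAT.
    """
    if luser is None:
        return True, initiator
    if lpass is not None:
        return racf.verify_password(luser, lpass), luser
    level = racf.surrogat_access(initiator, luser)
    return ACCESS_RANK[level] >= ACCESS_RANK["READ"], luser


def build_example_racf():
    """Reproduce the page's example: OPER may submit work as CA7ONL."""
    racf = ToyRacf(passwords={"CA7ONL": "constructed-pw"})
    racf.rdefine_surrogat("CA7ONL.SUBMIT", uacc="NONE")
    racf.permit("CA7ONL.SUBMIT", "OPER", "READ")
    return racf


if __name__ == "__main__":
    racf = build_example_racf()
    for initiator, luser, lpass in [("OPER", "CA7ONL", None),
                                    ("BOB", "CA7ONL", None),
                                    ("BOB", "CA7ONL", "constructed-pw"),
                                    ("BOB", "CA7ONL", "wrong"),
                                    ("OPER", "NOPROF", None)]:
        print(initiator, luser, lpass, "->", authorize_transfer(racf, initiator, luser, lpass))
```

Two points the model makes explicit: with UACC(NONE) a user who is not on the access list is denied, and a LUSER that has no userid1.SUBMIT profile at all is treated as NONE rather than silently allowed, which is the behaviour you want if the surrogate check is to prevent a user from borrowing another user's authority without a password.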