Top Secret

 View Only
  • 1.  ACID() or SURROGAT(.SUBMIT)?

    Posted Mar 27, 2018 11:42 AM

    SURROGAT(acid.SUBMIT) gives one the authority to submit batch jobs with USER=acid on the job card without having to know the password.  So does ACID(acid).  So why does TSS have this extra class?  I figure there must be some difference between them.  Anyone know?

  • 2.  Re: ACID() or SURROGAT(.SUBMIT)?
    Best Answer

    Broadcom Employee
    Posted Mar 27, 2018 06:29 PM



    SURROGAT resource class is not only used for cross authorization checks, but it is also used in CICS, Lotus Domino Go Webserver, OPC/ESA, JES and Websphere for different purposes aside from cross authorization authority.


    Couldnt find anything off hand that discusses the difference between PERMITing a user to an acid vs using SURROGAT checking in JES. This will need further research. Please open a ticket support if you would us to pursue it further.




    Joseph Porto - CA Level 1 Support

  • 3.  Re: ACID() or SURROGAT(.SUBMIT)?

    Broadcom Employee
    Posted Mar 28, 2018 08:25 AM

    Hi Bob,


      SURROGAT is an IBM defined class to z/OS that is used by Top Secret, RACF, and ACF2.  It is not special to Top Secret.

  • 4.  Re: ACID() or SURROGAT(.SUBMIT)?

    Posted Mar 28, 2018 08:41 AM

    Joseph Porto,

    CA-TSS manual only shows SURROGAT usage with:

    Prefix length
    Two to 17 characters
    When used with TSS PERMIT/REVOKE, this resource class has the following format:


    Does it work also with SURROGAT(acid.SUBMIT) ?     If so, would the following work and allow removal of NOSUBCHK from CICS regions?    Permit SURROGAT(*.SUBMIT)ACC(READ)ACTION(AUDIT) to the CICS region and then PERMIT SURROGAT(MSCA.SUBMIT)ACC(NONE) ? 

  • 5.  Re: ACID() or SURROGAT(.SUBMIT)?

    Posted Jul 25, 2018 04:08 PM



    I ran some tests and see no indication that resource ID "{accessor-id-8}.SUBMIT" in resource class ID "SURROGAT" is being checked.


    John P. Baker