Surrogate user ID
A surrogate user is a user who has the authority to do tasks on behalf of another user, by using the other user's level of authority.
Surrogate user IDs are necessary only when:
- The installation uses 'business unit support'.
- A single instance of the adapter supports a single RACF database.
- The IBM® Security Identity Governance and Intelligence has multiple service instances, each representing a different business unit within the organization.
Note: If a single IBM Security Identity Governance and Intelligence service instance supports all the RACF® IDs in the RACF database, surrogate user IDs are not needed.
For the adapter to run requests by using these surrogate user IDs, you must define one or more RACF SURROGAT class profiles.
If the adapter RACF user ID is ISIAGNT, and the surrogate RACF user ID is UNIT1, then the following commands define the profile.
RDEFINE SURROGAT BPX.SRV.UNIT1
SETROPTS REFRESH RACLIST(SURROGAT)
PERMIT BPX.SRV.UNIT1 CLASS(SURROGAT) ID(ISIAGNT) ACCESS(READ)
SETROPTS REFRESH RACLIST(SURROGAT)
In the preceding example, the RACF user ID UNIT1 is the user ID defined in the adapter service form. This RACF user has scope of authority over a specific business unit.
When surrogate user IDs are used, the tasks of altering and fetching RACF data are accomplished under the authority of the surrogate RACF user ID. The authority of the RACF user ID that the adapter is running as is not used. The RACF user ID for the adapter must have READ access to use the SURROGAT class profile.
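The following is an added example, not part of the IBM documentation or the adapter itself. It generalizes the single-profile commands above to one SURROGAT profile per business-unit surrogate ID, and adds a least-privilege check that only the adapter ID, with READ access, appears on each profile's access list. The profile naming BPX.SRV.<surrogate>, the adapter ID ISIAGNT and surrogate UNIT1 come from the page; UNIT2 and the access-list entries are constructed, and the RACF user ID pattern is an assumption of the conventional 1-8 character form.

```python
"""Added example (not from the IBM page): build the RACF SURROGAT command
sequence for several business-unit surrogate IDs and audit an access list."""
import re

# Assumed conventional RACF user ID form: 1-8 chars, leading letter or national char.
RACF_ID = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")


def surrogat_commands(adapter_id: str, surrogate_ids: list[str]) -> list[str]:
    """Return RDEFINE/PERMIT commands for each surrogate, with one RACLIST
    refresh after the RDEFINEs and one after the PERMITs, following the
    same pattern as the single-profile example on the page."""
    bad = [i for i in [adapter_id, *surrogate_ids] if not RACF_ID.match(i)]
    if bad:
        raise ValueError(f"not a valid RACF user ID: {bad}")
    cmds = [f"RDEFINE SURROGAT BPX.SRV.{s}" for s in surrogate_ids]
    cmds.append("SETROPTS REFRESH RACLIST(SURROGAT)")
    cmds += [f"PERMIT BPX.SRV.{s} CLASS(SURROGAT) ID({adapter_id}) ACCESS(READ)"
             for s in surrogate_ids]
    cmds.append("SETROPTS REFRESH RACLIST(SURROGAT)")
    return cmds


def audit_access_list(adapter_id: str, entries: list[tuple[str, str]]) -> list[str]:
    """Flag access-list entries on a BPX.SRV.* profile that exceed what the
    adapter needs: any ID other than the adapter, or any access above READ.
    Entries are (user, access) pairs, e.g. as read from the profile's access list."""
    findings = []
    for user, access in entries:
        if user != adapter_id:
            findings.append(f"{user} should not be on the access list")
        elif access != "READ":
            findings.append(f"{user} has {access}; only READ is required")
    return findings


if __name__ == "__main__":
    for cmd in surrogat_commands("ISIAGNT", ["UNIT1", "UNIT2"]):
        print(cmd)
    # Constructed access list: an extra TSO user and an over-privileged adapter entry.
    sample = [("ISIAGNT", "UPDATE"), ("TSOUSR1", "READ")]
    for finding in audit_access_list("ISIAGNT", sample):
        print("FINDING:", finding)
```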