Defining Shared User IDs

Using the RACF® LOGON BY function, you can define shared user IDs. Multiple users can log on to a single shared user ID, each authenticating with their own password rather than the shared user ID's password. This function uses:

  1. The BY option of the LOGON command to specify the surrogate user
  2. The SURROGAT class to perform authorization checks for logons to shared user IDs

RACF allows one user ID to log on to a shared user ID if that user has at least READ access to the SURROGAT profile named LOGONBY.shared_userid.

The SURROGAT profile also controls the ability to issue the CP FOR command against the same target user ID. See Protecting the FOR Command for more information. The SURROGAT profile is used when LOGONBY authority is checked by DIAGNOSE X'88'. See Protecting the DIAGNOSE X'88' Subcodes for more information.
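As an added example (not part of the original page), the following RACF commands implement the authorization described above. They are issued from CMS through the RAC command; the shared user ID MAINT01 and the surrogate user IDs OPER1 and OPER2 are assumed for illustration, and the comments in /* */ are annotations, not input. Because the same SURROGAT profile governs the FOR command and DIAGNOSE X'88' LOGONBY checks, the READ permission granted here also authorizes those for the same target user ID.

```text
/* Added example: assumes shared user ID MAINT01 and surrogates OPER1, OPER2 */

/* 1. Activate the SURROGAT class; with the class inactive, RACF performs
      no LOGON BY authorization check.                                    */
RAC SETROPTS CLASSACT(SURROGAT)

/* 2. Define the profile for the shared user ID. UACC(NONE) ensures nobody
      gets access by default; AUDIT(ALL(READ)) logs both successful and
      failed surrogate logons so the audit trail names the surrogate.     */
RAC RDEFINE SURROGAT LOGONBY.MAINT01 UACC(NONE) AUDIT(ALL(READ))

/* 3. Grant READ to each person permitted to log on as MAINT01.
      READ is the minimum and sufficient level for LOGON BY.               */
RAC PERMIT LOGONBY.MAINT01 CLASS(SURROGAT) ID(OPER1 OPER2) ACCESS(READ)

/* 4. If your installation has RACLISTed the SURROGAT class, refresh it so
      the new profile and access list take effect.                        */
RAC SETROPTS RACLIST(SURROGAT) REFRESH

/* 5. Verify the access list before relying on it.                        */
RAC RLIST SURROGAT LOGONBY.MAINT01 AUTHUSER

/* 6. Shared logon: OPER1 enters OPER1's own password at the prompt and
      then runs with the RACF authority of MAINT01.                       */
LOGON MAINT01 BY OPER1

/* 7. Revocation: remove one surrogate without touching the others.       */
RAC PERMIT LOGONBY.MAINT01 CLASS(SURROGAT) ID(OPER2) DELETE
```

Two checks worth making routinely: confirm with RLIST that UACC is still NONE (a later RALTER could have widened it), and remember that a user with READ on LOGONBY.MAINT01 can also issue CP FOR against MAINT01, so the access list should be reviewed with both capabilities in mind.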

To understand the function, you need to become familiar with the following terms:
shared user ID
User ID that has the capability of being logged onto by a different user.
surrogate user
Person logging on to the shared user ID.
direct logon
A “traditional” logon, in which you log on to your own user ID.
shared logon
A logon in which a surrogate user uses the BY option of the LOGON command to log on to a different user ID. The surrogate user operates with the RACF authority of the shared user ID, not with their own.
With this support, you can share user IDs without weakening system security:
  • The surrogate user authenticates with their own password to access the shared user ID, so the shared user ID's password never has to be distributed.
  • An audit trail identifies the surrogate user whenever work is performed under the shared user ID.