Switching identity (surrogate)

The CIM server uses services that can run in either the client or the server security context. To do so, the CIM server must be able to switch its user ID to the client user ID. To permit this, define BPX.SRV profiles in the SURROGAT class within your System Authorization Facility (SAF).

The recommended way to do this is:
  • Specify a generic profile that allows the CIM server user ID to switch to any other z/OS user ID that has a UNIX System Services segment defined.
    The following sample shows the required RACF® commands to create the generic profile, where the CIM server user ID is CFZSRV:
    SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT) GENERIC(SURROGAT)
    RDEFINE SURROGAT BPX.SRV.** UACC(NONE)
    PERMIT BPX.SRV.** CLASS(SURROGAT) ACCESS(READ) ID(CFZSRV)
    SETROPTS GENERIC(SURROGAT) RACLIST(SURROGAT) REFRESH