IronSphere Agent: Why is UID(0) needed?

IronSphere checks run as Rexx execs under the control of System Rexx. A System Rexx exec runs with the identity of the entity that starts it; in this case that entity is the IBM Health Checker for z/OS started task.

IBM requires the Health Checker user ID (the ACID in Top Secret terms, or the logonid (LID) in ACF2 terms) either to have UID(0) or to be defined as a superuser (i.e. able to switch its identity to root, as with the su command; in RACF terms this is READ access to BPX.SUPERUSER in the FACILITY class). At startup, if the user ID associated with the Health Checker is defined with UID(0), Health Checker switches to that identity immediately.

IronSphere itself runs as a z/OS task and uses Unix System Services (USS) only at the command level. It cannot switch to root at the start of the task, because most of the time it is not executing under USS; the superuser authority available to the checks is therefore the one the Health Checker identity has already established.

Below are the instructions titled "Setting up security for the IBM Health Checker for z/OS started task" from the z/OS 2.2 version of the "IBM Health Checker for z/OS User's Guide":

You must set up security for IBM Health Checker for z/OS the same way you would for any other started task. To do this task with RACF®, do the following steps:
  1. Create a user ID for IBM Health Checker for z/OS and connect the superuser user ID to a group. Define the user ID with:
    • Superuser authority using either:
      • UID(0) explicitly assigned to the user ID.
      • Access to the BPX.SUPERUSER resource. The advantage of this method is that it might be more audit friendly, because you avoid having a user profile with UID(0) explicitly assigned to it.

        At runtime, IBM® Health Checker for z/OS® dynamically switches to (and stays in) an effective UID(0) superuser authority using the defined BPX.SUPERUSER access.

    • A home directory of HOME('/')
    • A program of PROGRAM('/bin/sh')
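The RACF definitions that satisfy the steps quoted above, written as a Rexx exec that issues the RACF commands from TSO. This is an added example; it is not part of the manual excerpt and is not IronSphere's own code. The user ID HZSUSER, the group HZSGRP, the GID/UID value 9990 and the STARTED-class profile HZSPROC.* (the Health Checker procedure name) are assumed for illustration; substitute the names your installation uses. Both options from step 1 are shown: explicit UID(0), and the BPX.SUPERUSER approach the manual describes as more audit-friendly. The STARTED-class profile and the verification commands go beyond the quoted steps and are included because the manual says to treat Health Checker like any other started task.

```rexx
/* REXX                                                                */
/* Define the IBM Health Checker identity in RACF.  Added example, not */
/* from the manual or from IronSphere.  Assumed names: HZSUSER (user   */
/* ID), HZSGRP (group), HZSPROC.* (STARTED profile), GID/UID 9990.     */
/* Run from TSO (foreground or IKJEFT01 batch) under a SPECIAL user.   */

hzsuser = 'HZSUSER'
hzsgrp  = 'HZSGRP'
stcprof = 'HZSPROC.*'          /* Health Checker procedure name + '.*' */
variant = 'B'                  /* 'A' = explicit UID(0)                */
                               /* 'B' = BPX.SUPERUSER (audit-friendly) */

/* Group the user ID is connected to; DFLTGRP on ADDUSER does the connect. */
call racf "ADDGROUP" hzsgrp "OMVS(GID(9990))"

/* NOPASSWORD NOOIDCARD gives the user ID the PROTECTED attribute:     */
/* it cannot be used to log on or be revoked by failed password tries. */
if variant = 'A' then do
  /* Step 1, first bullet: UID(0) explicitly assigned.                 */
  call racf "ADDUSER" hzsuser "DFLTGRP("hzsgrp") NAME('IBM HEALTH CHECKER')",
            "NOPASSWORD NOOIDCARD OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))"
end
else do
  /* Step 1, second bullet: non-zero UID plus READ on BPX.SUPERUSER;   */
  /* Health Checker then switches to effective UID(0) at run time.     */
  call racf "ADDUSER" hzsuser "DFLTGRP("hzsgrp") NAME('IBM HEALTH CHECKER')",
            "NOPASSWORD NOOIDCARD OMVS(UID(9990) HOME('/') PROGRAM('/bin/sh'))"
  call racf "RDEFINE FACILITY BPX.SUPERUSER UACC(NONE)"
  call racf "PERMIT BPX.SUPERUSER CLASS(FACILITY) ID("hzsuser") ACCESS(READ)"
  call racf "SETROPTS RACLIST(FACILITY) REFRESH"
end

/* Assign the identity to the started task, as for any other STC.      */
call racf "RDEFINE STARTED" stcprof ,
          "STDATA(USER("hzsuser") GROUP("hzsgrp") TRUSTED(NO))"
call racf "SETROPTS RACLIST(STARTED) REFRESH"

/* Verify: OMVS segment, BPX.SUPERUSER access list, STARTED mapping.   */
call racf "LISTUSER" hzsuser "OMVS NORACF"
call racf "RLIST FACILITY BPX.SUPERUSER AUTHUSER"
call racf "RLIST STARTED" stcprof "STDATA"
exit 0

/* Issue one RACF command via TSO and report a non-zero return code.   */
racf: procedure
  parse arg cmd
  address TSO cmd
  if rc <> 0 then say 'RC='rc 'from:' cmd
  return
```

Pick one variant and run the exec once; RDEFINE of an already existing profile returns a non-zero code that the exec reports rather than hides. With variant B, confirm in the LISTUSER output that the OMVS UID is not 0, otherwise the audit benefit the manual mentions is lost. The RACF commands above have Top Secret and ACF2 equivalents, but those are not covered by the quoted text.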