How to allow ACF2 logonids with the LEADER privilege RESET or PASSWORD change.

Article ID: 133940

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

Sites may want to give help desk logonids the ability to RESET logonids or change PASSWORDs only, without giving them the SECURITY privilege.

Environment

Release :

Component : CA ACF2 for z/OS

Resolution

To allow help desk or operations staff to do password RESETs or changes, give them the ACF2 logonid LEADER privilege, identify which fields in the logonid record the help desk needs to modify, and then change the CFDE entry for each of those fields in the ACFFDR to include LEADER in the ALTER list. For example, if you want the help desk to be able to CHANGE a user's password or RESET the password violation count, the CFDE entries for PASSWORD and PSWD-VIO need to specify LEADER in the ALTER list. The steps to do this are as follows.

The CFDE for PASSWORD should include LEADER in the ALTER list. To make the change:

  1. Modify the CFDE entries so that LEADER is included in the ALTER= list for the PASSWORD and PSWD-VIO fields, as follows:

     Before:

     @CFDE PASSWORD,LIDNPSWD,CHEN,ALTER=SECURITY+ACCOUNT+USER,
                 FLAGS=NEVER,PRTN=5,VRTN1=05,PROMPT=YES,
                 CBPROC=YES,STATUS=LOWERCSE

     @CFDE PSWD-VIO,LIDIPSD,BINARY,ALTER=SECURITY,LIST=ALL,
                 FLAGS=LIMIT,GROUP=4,ZERO=YES,
                 VRTN2=14,COUNTER=YES

     After:

     @CFDE PASSWORD,LIDNPSWD,CHEN,
                 ALTER=SECURITY+ACCOUNT+USER+LEADER,
                 FLAGS=NEVER,PRTN=5,VRTN1=05,PROMPT=YES,
                 CBPROC=YES,STATUS=LOWERCSE

     @CFDE PSWD-VIO,LIDIPSD,BINARY,ALTER=SECURITY+LEADER,LIST=ALL,
                 FLAGS=LIMIT,GROUP=4,ZERO=YES,
                 VRTN2=14,COUNTER=YES
  2. Reassemble and link the ACFFDR. Sample JCL is in member FDRJXB of the ACF2 installation library ..CAX1JCL0. The FDRJXB job uses USERMOD UM99901, which is located in the same ..CAX1JCL0 library.
  3. Issue the console F LLA,REFRESH command.
  4. Issue the console F ACF2,NEWMOD(ACFFDR) command.
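
Every field whose CFDE lists LEADER in ALTER= becomes changeable by the help desk, so it is worth reviewing the ACFFDR source before reassembly. The following is an added example, not part of the original article or of ACF2: a Python check that assumes the @CFDE source has been copied to text in the layout shown above; the EXAMPLE1/LIDEXMP1 entry is hypothetical and included only to produce a finding.

```python
# Constructed sample: the article's "After" entries plus one hypothetical
# field (EXAMPLE1) that also grants LEADER and is not on the approved list.
SAMPLE_FDR = """\
* fields opened to the help desk
@CFDE PASSWORD,LIDNPSWD,CHEN,
            ALTER=SECURITY+ACCOUNT+USER+LEADER,
            FLAGS=NEVER,PRTN=5,VRTN1=05,PROMPT=YES,
            CBPROC=YES,STATUS=LOWERCSE
@CFDE PSWD-VIO,LIDIPSD,BINARY,ALTER=SECURITY+LEADER,LIST=ALL,
            FLAGS=LIMIT,GROUP=4,ZERO=YES,
            VRTN2=14,COUNTER=YES
@CFDE EXAMPLE1,LIDEXMP1,CHAR,ALTER=SECURITY+LEADER,LIST=ALL
"""


def parse_cfde(source):
    """Map each @CFDE field name to the set of privileges in its ALTER= list."""
    entries, statement = {}, ""
    for raw in source.splitlines():
        parts = raw[:71].split()  # ignore column 72 onward (continuation mark, sequence)
        if not parts or parts[0].startswith("*"):
            continue              # blank line or assembler comment
        if parts[0] == "@CFDE" and len(parts) > 1:
            statement = parts[1]  # operand field; trailing remarks are dropped
        elif statement:
            statement += parts[0]  # continuation of the entry being collected
        else:
            continue              # some other statement; not of interest here
        if not statement.endswith(","):  # no trailing comma: entry is complete
            operands = statement.split(",")
            alter = next((o[6:] for o in operands if o.startswith("ALTER=")), "")
            entries[operands[0]] = set(alter.split("+")) if alter else set()
            statement = ""
    return entries


def leader_findings(entries, approved):
    """Fields that LEADER may alter but that are not on the approved list."""
    return sorted(name for name, privs in entries.items()
                  if "LEADER" in privs and name not in approved)


if __name__ == "__main__":
    cfde = parse_cfde(SAMPLE_FDR)
    for name in sorted(cfde):
        print(f"{name:10} ALTER={'+'.join(sorted(cfde[name]))}")
    print("Unapproved LEADER fields:",
          leader_findings(cfde, {"PASSWORD", "PSWD-VIO"}))
```
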