search cancel

How to allow ACF2 logonids with the LEADER privilege RESET or PASSWORD change.

book

Article ID: 133940

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC

Issue/Introduction

Sites may want to allow helpdesk logonids the ability to only RESET logonid or change PASSWORDs without giving them the SECURITY privilege.

Environment

Release :

Component : CA ACF2 for z/OS

Resolution

To allow help desk/operations staff to do password RESETs or changes you can give them the ACF2 logonid LEADER privilege and identify what fields in the logonid record  that the HELP DESK needs to modify and then change the CFDE entry in the ACFFDR to include LEADER in the ALTER list. You can give HELP DESK personnel  the ACF2 loginid LEADER privilege. For example, if you want the HELP DESK to  

be able to CHANGE a user's password or RESET the password violation count,   the CFDE entries for PASSWORD and PSWD-VIO would need to specify LEADER in the ALTER list. The steps to do this are as follows.

  

The CFDE for PASSWORD should include LEADER in the ALTER list. To make   the change:    

  1. Modify the password CFDE so that LEADER is included in the ALTER= list for the PASSWORD and PSWD-VIO field as follows:

     Before:  
     @CFDE PASSWORD,LIDNPSWD,CHEN,ALTER=SECURITY+ACCOUNT+USER,                   
                FLAGS=NEVER,PRTN=5,VRTN1=05,PROMPT=YES,                         
                 CBPROC=YES,STATUS=LOWERCSE                                       

     @CFDE PSWD-VIO,LIDIPSD,BINARY,ALTER=SECURITY,LIST=ALL,                     
                 FLAGS=LIMIT,GROUP=4,ZERO=YES,                                   
                 VRTN2=14,COUNTER=YES                                             

     After:                                                                       

     @CFDE PASSWORD,LIDNPSWD,CHEN,                                               
                 ALTER=SECURITY+ACCOUNT+USER+LEADER,                             
                 FLAGS=NEVER,PRTN=5,VRTN1=05,PROMPT=YES,                         
                 CBPROC=YES,STATUS=LOWERCSE                                       

     @CFDE PSWD-VIO,LIDIPSD,BINARY,ALTER=SECURITY+LEADER,LIST=ALL,               
                 FLAGS=LIMIT,GROUP=4,ZERO=YES,                                   
                 VRTN2=14,COUNTER=YES      
  2. Reassemble and link the ACFFDR, sample JCL can be found in member FDRJXB which can be found in the ACF2 installation library ..CAX1JCL0. The FDRJXB job uses USERMOD UM99901 which is also located in the same ..CAX1JCL0 library.
  3. Issue the console F LLA,REFRESH command.
  4. Issue the console F ACF2,NEWMOD(ACFFDR) command.