How to provide ACF2 read/inquire-only access to ACF2 for a project. There are AUDIT and CONSULT functions. AUDIT seems like the safer approach, but it still says that update access might still be allowed at a site. How can a site provide and ensure read-only access to an ID?
How would a site make sure there is no rule allowing a person with AUDIT to update security?
Release : 16.0
Component : CA ACF2 for z/OS
An end user who does not have the SECURITY, ACCOUNT, AUDIT, LEADER, CONSULT, or NON-CNCL logonid privileges can still issue the ACF CHANGE subcommand in TSO/E or batch to change certain password-related user fields, provided he has the proper access to the ACFCMD.USER.fieldname resources in the CASECAUT class within his scope (if scoping has been implemented). In other words, the logonid privilege alone does not decide whether an ID can update logonid records; the CASECAUT resource rules do.
The following resource rule entry allows the end user HDADM2 to issue the ACF CHANGE subcommand in TSO/E or batch (including ACFBATCH) to change the PASSWORD field of another end user. The resource name is ACFCMD.USER.PASSWORD, so the entry under the ACFCMD rule key reads as follows (replace "uid string of HDADM2" with that logonid's actual UID string):
USER.PASSWORD UID(uid string of HDADM2) ALLOW
To determine whether any CASECAUT TYPE(AUT) resource rules allow a user to update or delete logonid records, run the ACFRPTRX report against that user's logonid. Sample JCL follows.
//REPORT EXEC PGM=ACFRPTRX
//SYSPRINT DD SYSOUT=*
//SYSUT1 DD UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=30
//SYSUT2 DD UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=30
//SYSIN DD *
For additional details regarding the ACFRPTRX report see ACFRPTRX - The Logonid Access Report.
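As an added example (not part of this article or of CA ACF2's own tooling), the following Python script performs the same kind of check offline on a decompiled rule set: it lists the ACFCMD.USER.* entries under which a given UID string would be permitted to run ACF CHANGE, so an auditor's ID can be confirmed to hit only PREVENT entries. The rule text and UID strings are constructed samples, and the masking and entry-selection logic are simplified assumptions rather than ACF2's full algorithm.

```python
import re

# Constructed sample: a decompiled ACF2 resource rule set under the ACFCMD key
# (CASECAUT class, TYPE(AUT)), in the same entry form the article shows.
SAMPLE_RULE_SET = """\
$KEY(ACFCMD) TYPE(AUT)
 USER.PASSWORD UID(TSOADMHDADM2) ALLOW
 USER.- UID(TSOAUD*) LOG
 USER.- UID(-) PREVENT
"""

ENTRY_RE = re.compile(r"^(?P<res>\S+)\s+UID\((?P<uid>[^)]*)\)(?P<rest>.*)$")


def uid_mask_matches(mask, uid):
    """Simplified ACF2 UID masking (assumption): '*' matches any one position,
    a trailing '-' matches the rest of the string, anything else must match exactly."""
    if mask.endswith("-"):
        mask, uid = mask[:-1], uid[: len(mask) - 1]
    return len(mask) == len(uid) and all(m in ("*", u) for m, u in zip(mask, uid))


def parse_rule_set(text):
    """Return (resource, uid_mask, action) triples; resource is key + '.' + entry name.
    An entry with no ALLOW/LOG/PREVENT keyword is treated as PREVENT."""
    key, entries = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("$KEY("):
            key = line[5:line.index(")")]
        elif key and (m := ENTRY_RE.match(line)):
            tokens = m.group("rest").split()
            action = next((t for t in ("ALLOW", "LOG", "PREVENT") if t in tokens), "PREVENT")
            entries.append((f"{key}.{m.group('res')}", m.group("uid"), action))
    return entries


def resource_mask_covers(mask, prefix):
    """True if a resource-name mask (trailing '-' only) can name a resource under prefix."""
    return mask.startswith(prefix) or (mask.endswith("-") and prefix.startswith(mask[:-1]))


def permitting_entries(text, uid, prefix="ACFCMD.USER."):
    """Entries that would let `uid` change logonid fields with ACF CHANGE.
    Both ALLOW and LOG permit the access (LOG additionally writes an SMF record).
    Conservative by design: every matching permit entry is reported, not only the
    single entry ACF2 would select as the most specific match."""
    return [e for e in parse_rule_set(text)
            if resource_mask_covers(e[0], prefix) and uid_mask_matches(e[1], uid)
            and e[2] in ("ALLOW", "LOG")]
```

An empty result for the auditor's UID string means no permit entry in that rule set reaches the logonid fields; a LOG hit is still a permit and should be reviewed, not dismissed.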