ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

How to make sure there is no rule allowing Audit Privilege user to update security?

book

Article ID: 143792

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC

Issue/Introduction

How to provide ACF2 read/inquire only access to ACF2 for a project.There is AUDIT and CONSULT functions. AUDIT seems like the safer approach, but it still says that update access might still be allowed at a site. How can a site provide and ensure read only access to an ID?

How would a site make sure there is no rule allowing an person with audit to update security?

 

Environment

Release : 16.0
Component : CA ACF2 for z/OS

Resolution

An end user who does not have the SECURITY, ACCOUNT, AUDIT, LEADER, CONSULT, or NON-CNCL logonid privileges can issue the ACF CHANGE subcommand in TSO/E or batch to change certain user password-related fields, if he has the proper access to the ACFCMD.USER.fieldname resources in the CASECAUT class within his scope (if scoping has been implemented). 

The following resource rule allows an end user, HDADM2, to issue the ACF CHANGE subcommand in TSO/E or batch (including ACFBATCH) to change the PASSWORD field for another end user:

The resource name is ACFCMD.USER.PASSWORD
 
$KEY(ACFCMD)TYPE(AUT)
 USER.PASSWORD UID(uid string of HDADM2) ALLOW

To determine if there are any CASECAUT TYPE(AUT) resource rule that allow a user to update or delete logonid records the ACFRPTRX report can be used. Sample JCL follows.

//REPORT  EXEC PGM=ACFRPTRX                            
//SYSPRINT DD SYSOUT=*                                 
//SYSUT1 DD   UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=30
//SYSUT2 DD   UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=30
//SYSIN    DD *                                        
TITLE(ACFRPTRX)                                        
ACF2                                                   
RSRC                                                   
TYPE(AUT)                                              
LID(HDADM2)                                           
/*  

For additional details regarding the ACFRPTRX report see ACFRPTRX - The Logonid Access Report.