How to make sure there is no rule allowing a user with the AUDIT privilege to update security?

Article ID: 143792

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC

Issue/Introduction

How can a site provide read/inquire-only access to ACF2 for a project? There are the AUDIT and CONSULT logonid privileges. AUDIT seems like the safer approach, but the documentation says that update access might still be allowed at a site. How can a site provide, and verify, read-only access for an ID?

How would a site make sure there is no rule allowing a user with the AUDIT privilege to update security?

Environment

Release : 16.0
Component : CA ACF2 for z/OS

Resolution

An end user who does not have the SECURITY, ACCOUNT, AUDIT, LEADER, CONSULT, or NON-CNCL logonid privilege can still issue the ACF CHANGE subcommand in TSO/E or batch to change certain user password-related fields, provided that user has the proper access to the ACFCMD.USER.fieldname resources in the CASECAUT class (within the user's scope, if scoping has been implemented). Because update authority to logonid fields can therefore come from CASECAUT resource rules as well as from logonid privileges, a site that wants an ID to be read-only has to check that no such rule grants that ID update access.

The following resource rule allows an end user, HDADM2, to issue the ACF CHANGE subcommand in TSO/E or batch (including ACFBATCH) to change the PASSWORD field for another end user. The resource name is ACFCMD.USER.PASSWORD, so the rule set key is ACFCMD and the rule entry is USER.PASSWORD:

$KEY(ACFCMD) TYPE(AUT)
 USER.PASSWORD UID(uid string of HDADM2) ALLOW

To determine whether any CASECAUT TYPE(AUT) resource rules allow a given user to update or delete logonid records, run the ACFRPTRX (Logonid Access) report for that logonid with the parameters shown below. The report lists the resource rules that grant the logonid access, so an empty result for the ACFCMD rules is the evidence that the ID cannot update logonid fields this way. Sample JCL follows:

//REPORT  EXEC PGM=ACFRPTRX
//SYSPRINT DD SYSOUT=*
//* SYSUT1/SYSUT2 are temporary work files used by the report program
//SYSUT1 DD   UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=30
//SYSUT2 DD   UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=30
//SYSIN    DD *
TITLE(ACFRPTRX)
ACF2
RSRC
TYPE(AUT)
LID(HDADM2)
/*

For additional details regarding the ACFRPTRX report and its parameters, see ACFRPTRX - The Logonid Access Report in the CA ACF2 for z/OS documentation.
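As an added example that is not part of the original article and not an ACF2 utility, the following Python scans decompiled ACF2 resource rule text in the $KEY(ACFCMD) TYPE(AUT) form shown above and reports every entry that would let a given UID string change an ACFCMD.USER.<field> resource. The sample rule set, the UID strings (AUDITAUDIT01, SYSADMHDADM2) and the use of SUSPEND as a second field name are constructed for this illustration. The check implements only the '*' (one character) and '-' (remaining characters) masking convention, treats both ALLOW and LOG as grants (LOG permits the access and records it), and intentionally flags every matching entry instead of reproducing ACF2's full rule-selection logic, which is the conservative behaviour wanted when proving that no grant exists.

```python
"""Added example: scan decompiled ACF2 resource rules for entries that could let a
given UID update logonid fields through ACFCMD.USER.<field> (CASECAUT, TYPE(AUT)).

Illustrative code written for this article, not an ACF2 utility. It implements only
the '*' and '-' masking convention, treats ALLOW and LOG as grants, and reports every
matching grant rather than reproducing ACF2's full rule-selection logic.
"""
import re
from typing import Dict, List, Tuple

Grant = Tuple[str, str, str]  # (resource-name mask, UID mask, action)

# Constructed sample in decompiled rule-set form, modelled on the $KEY(ACFCMD)
# TYPE(AUT) rule shown in the article. UID strings are invented for the example.
SAMPLE_RULES = """\
$KEY(ACFCMD) TYPE(AUT)
% constructed example rule set, not from a real system
 USER.PASSWORD UID(SYSADMHDADM2) ALLOW
 USER.PASSWORD UID(AUDITAUDIT01) PREVENT
 USER.- UID(AUDIT-) LOG
 USER.SUSPEND UID(AUD*TAUDIT01) ALLOW
 USER.SUSPEND UID(SYSADM-) ALLOW
"""

_HEADER = re.compile(r"^\$KEY\((?P<key>[^)]+)\)\s*TYPE\((?P<type>[^)]+)\)", re.I)
_ENTRY = re.compile(
    r"^\s*(?P<name>\S+)\s+.*?UID\((?P<uid>[^)]*)\).*?\b(?P<action>ALLOW|LOG|PREVENT)\b\s*$",
    re.I,
)


def acf2_mask_match(mask: str, value: str) -> bool:
    """True if an ACF2-style mask covers value: '*' stands for exactly one
    character, '-' for all remaining characters (text after the dash is ignored).
    A mask without a dash must match the value position for position and in length."""
    head, dash, _ = mask.upper().partition("-")
    pattern = "".join("." if ch == "*" else re.escape(ch) for ch in head)
    if dash:
        pattern += ".*"
    return re.fullmatch(pattern, value.upper()) is not None


def parse_rule_sets(rule_text: str) -> Dict[Tuple[str, str], List[Grant]]:
    """Group rule entries by ($KEY, TYPE). Other '$' control cards and '%' comment
    lines are skipped; entries before any header are ignored."""
    sets: Dict[Tuple[str, str], List[Grant]] = {}
    current = None
    for line in rule_text.splitlines():
        if not line.strip() or line.startswith("%"):
            continue
        m = _HEADER.match(line)
        if m:
            current = (m["key"].upper(), m["type"].upper())
            sets.setdefault(current, [])
            continue
        if line.startswith("$") or current is None:
            continue
        e = _ENTRY.match(line)
        if e:
            sets[current].append((e["name"].upper(), e["uid"].upper(), e["action"].upper()))
    return sets


def find_user_field_grants(rule_text: str, uid: str, fields=("PASSWORD",),
                           key: str = "ACFCMD", rtype: str = "AUT") -> Dict[str, List[Grant]]:
    """For each logonid field, list the entries whose resource-name mask covers
    USER.<field>, whose UID mask covers uid, and whose action permits the change
    (ALLOW or LOG). An empty list for every field means the rules hold no such grant."""
    entries = parse_rule_sets(rule_text).get((key.upper(), rtype.upper()), [])
    result: Dict[str, List[Grant]] = {}
    for field in fields:
        resource = f"USER.{field.upper()}"
        result[field] = [
            (name, uidmask, action)
            for name, uidmask, action in entries
            if action in ("ALLOW", "LOG")
            and acf2_mask_match(name, resource)
            and acf2_mask_match(uidmask, uid)
        ]
    return result


if __name__ == "__main__":
    auditor_uid = "AUDITAUDIT01"  # constructed UID string for the audit-only ID
    for field, grants in find_user_field_grants(SAMPLE_RULES, auditor_uid,
                                                ("PASSWORD", "SUSPEND")).items():
        status = ("OK - no grant" if not grants else
                  "GRANTED by " + ", ".join(f"{n} UID({u}) {a}" for n, u, a in grants))
        print(f"ACFCMD.USER.{field}: {status}")
```

Feed it the decompiled text of the ACFCMD rule set (for example, the output of DECOMP after SET RESOURCE(AUT)) together with the UID string of the audit-only logonid. ACFRPTRX remains the authoritative check, since it evaluates the rules the way ACF2 does; this script is a second opinion over the rule text that also shows which entry is responsible for a grant, which is what you need in order to remove it.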