I am getting the 'ACF00103 NOT AUTHORIZED TO CHANGE FIELD ACCOUNT' message when trying to INSERT a logonid with 'CANCEL' even though I have access to the CASECAUT Resource 'ACFCMD.USER.CANCEL', why?

book

Article ID: 15096

calendar_today

Updated On:

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC CA PanApt CA PanAudit

Issue/Introduction



I am getting the 'ACF00103 NOT AUTHORIZED TO CHANGE FIELD ACCOUNT' message when trying to INSERT a logonid with 'CANCEL' even though I have access to the CASECAUT Resource 'ACFCMD.USER.CANCEL', why?

Environment

Release:
Component: ACF2MS

Resolution

The 'ACF00103 NOT AUTHORIZED TO CHANGE FIELD ACCOUNT' message is based on comparing the privileges(SECURITY, ACCOUNT, and LEADER) of the logonid issuing the INSERT command to the authority requirements the @CFDE macro of the fields specified on the INSERT command. 

If the ALTER= parameter of the entry has "ALTER=SECURITY" and not ALTER=SECURITY+ACCOUNT" then that would explain why the ACF00103 error is occurring. 

Please note the CASECAUT Resource check for ACFCMD.USER.CANCEL is only checked for CHANGE commands not INSERT commands so the $KEY(ACFCMD.USER.CANCEL) TYPE(AUT) rule would allow CHANGE id CANCEL but not INSERT id CANCEL.