An audit of ACF2 found that sensitive privileges (DUMPAUTH, STC, RESTRICT) can be copied during an "Insert Using" process; privileges should be assigned on a case-by-case basis.  

The @CFDE entry for a logonid field has the operand "ZERO=NO|YES" which indicates whether the corresponding record field in the model is copied when using the INSERT USING subcommand. For the default of ZERO=NO, the record field is copied from the model. ZERO=YES prevents the field from being copied from the model.

The default @CFDE entry for the three logonid fields DUMPAUTH, STC, RESTRICT default to ZERO=NO. The following are the default definitions for these logonid fields.

@CFDE  STC,LIDMFLG,BIT,ALTER=SECURITY,LIST=ALL,                     X
            FLAGS=NULL+RESTRICT,BITMAP=LIDMSTC,GROUP=2             

@CFDE  RESTRICT,LIDMFLG,BIT,ALTER=SECURITY+ACCOUNT,LIST=ALL,        X
            FLAGS=NULL,BITMAP=LIDMRST,GROUP=2  

@CFDE  DUMPAUTH,LIDMFLG,BIT,ALTER=SECURITY,LIST=ALL,                X
            FLAGS=NULL+RESTRICT,BITMAP=LIDMRDMP,GROUP=2

If the @CFDE definitions in the ACFFDR are changed for these three fields to ZERO=YES the fields will not be copied when doing the INSERT USING subcommand.

Details on the @CFDE macro can be found in section: CFDE -- Create Field Definition Entry Macro of the ACF2 documentation.

Details on updating the ACF2 FDR macros(including the @CFDE) can be found in section: Update the CA ACF2 Field Definition Record (ACFFDR) of the ACF2 documentation.