An audit of ACF2 found that sensitive privileges (DUMPAUTH, STC, RESTRICT) can be copied during an "Insert Using" process; privileges should be assigned on a case-by-case basis.
Release: 16.0
Component: CA ACF2 for z/OS
The @CFDE entry for a logonid field has the operand "ZERO=NO|YES" which indicates whether the corresponding record field in the model is copied when using the INSERT USING subcommand. For the default of ZERO=NO, the record field is copied from the model. ZERO=YES prevents the field from being copied from the model.
The default @CFDE entries for the three logonid fields DUMPAUTH, STC, and RESTRICT use ZERO=NO, so these privileges are copied from the model logonid. The following are the default definitions for these logonid fields.
@CFDE STC,LIDMFLG,BIT,ALTER=SECURITY,LIST=ALL, X
@CFDE RESTRICT,LIDMFLG,BIT,ALTER=SECURITY+ACCOUNT,LIST=ALL, X
@CFDE DUMPAUTH,LIDMFLG,BIT,ALTER=SECURITY,LIST=ALL, X
If the @CFDE definitions in the ACFFDR for these three fields are changed to ZERO=YES, the fields will not be copied by the INSERT USING subcommand.
Details on the @CFDE macro can be found in section: '@CFDE -- Create Field Definition Entry Macro' of the ACF2 documentation.
Details on updating the ACF2 FDR macros (including the @CFDE) can be found in section: 'Update the CA ACF2 Field Definition Record (ACFFDR)' of the ACF2 documentation.
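To confirm the change before reassembling the ACFFDR, the source can be checked for sensitive fields that INSERT USING would still copy. The following Python sketch is an added example, not part of the ACF2 product or its documentation; the function names and the sample source are constructed for illustration, and continuation is detected by a trailing comma on the operand field rather than by column 72.

```python
SENSITIVE = ("DUMPAUTH", "STC", "RESTRICT")

# Constructed sample, not real ACFFDR source. Operands are trimmed to the ones
# shown on this page plus ZERO=; RESTRICT omits ZERO= to exercise the default.
SAMPLE_FDR = """\
* constructed sample
         @CFDE STC,LIDMFLG,BIT,ALTER=SECURITY,LIST=ALL,                X
               ZERO=YES
         @CFDE RESTRICT,LIDMFLG,BIT,ALTER=SECURITY+ACCOUNT,LIST=ALL
         @CFDE DUMPAUTH,LIDMFLG,BIT,ALTER=SECURITY,LIST=ALL,           X
               ZERO=NO
"""


def cfde_entries(source):
    """Return [(field, {keyword: value})] for every @CFDE statement.

    Simplification: a statement is treated as continued when its operand
    field ends with a comma, instead of testing column 72.
    """
    entries, operands, continuing = [], "", False
    for line in source.splitlines():
        tokens = line.split()
        if not tokens or line.startswith("*"):
            continue                      # blank line or assembler comment
        if continuing:
            operands += tokens[0]         # operand text of a continuation line
        elif tokens[0] == "@CFDE" and len(tokens) > 1:
            operands = tokens[1]
        else:
            continue                      # some other macro or statement
        continuing = operands.endswith(",")
        if not continuing:
            name, *rest = operands.split(",")
            keywords = dict(p.split("=", 1) for p in rest if "=" in p)
            entries.append((name, keywords))
    return entries


def copied_by_insert_using(source, fields=SENSITIVE):
    """List the fields in `fields` that INSERT USING would copy from the model."""
    zero = {name: kw.get("ZERO", "NO")    # ZERO=NO is the documented default
            for name, kw in cfde_entries(source) if name in fields}
    return sorted(name for name, value in zero.items() if value != "YES")


if __name__ == "__main__":
    print(copied_by_insert_using(SAMPLE_FDR))
```

An empty list means every listed field that appears in the source is defined with ZERO=YES; a field with no @CFDE statement in the input is not reported.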