ACF2 Sensitive Privileges copied during "Insert Using" Audit Finding

Article ID: 195961

Products

CA ACF2, CA ACF2 - z/OS, CA ACF2 - MISC

Issue/Introduction

An audit of ACF2 found that sensitive privileges (DUMPAUTH, STC, RESTRICT) can be copied from a model logonid during an "Insert Using" process; these privileges should be assigned on a case-by-case basis.

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

The @CFDE entry for a logonid field has the operand "ZERO=NO|YES" which indicates whether the corresponding record field in the model is copied when using the INSERT USING subcommand. For the default of ZERO=NO, the record field is copied from the model. ZERO=YES prevents the field from being copied from the model.

The default @CFDE entries for the three logonid fields DUMPAUTH, STC and RESTRICT all use ZERO=NO, so these fields are copied from the model. The following are the default definitions for these logonid fields.

@CFDE  STC,LIDMFLG,BIT,ALTER=SECURITY,LIST=ALL,                     X
            FLAGS=NULL+RESTRICT,BITMAP=LIDMSTC,GROUP=2

@CFDE  RESTRICT,LIDMFLG,BIT,ALTER=SECURITY+ACCOUNT,LIST=ALL,        X
            FLAGS=NULL,BITMAP=LIDMRST,GROUP=2

@CFDE  DUMPAUTH,LIDMFLG,BIT,ALTER=SECURITY,LIST=ALL,                X
            FLAGS=NULL+RESTRICT,BITMAP=LIDMRDMP,GROUP=2

If the @CFDE definitions for these three fields in the ACFFDR are changed to ZERO=YES, the fields will not be copied when the INSERT USING subcommand is used; the privileges then have to be set explicitly on each new logonid.
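As an added illustration (not taken from the article or from the CA ACF2 product documentation), the same three @CFDE entries with the ZERO=YES operand appended, which is the change the resolution describes. The continuation-line layout mirrors the default definitions shown above; the comment lines are assumed to be acceptable in your ACFFDR source.

```asm
* Added example: hardened @CFDE entries for the three sensitive
* logonid fields. ZERO=YES stops INSERT USING from copying the
* field from the model logonid; everything else is unchanged.
@CFDE  STC,LIDMFLG,BIT,ALTER=SECURITY,LIST=ALL,                     X
            FLAGS=NULL+RESTRICT,BITMAP=LIDMSTC,GROUP=2,ZERO=YES

@CFDE  RESTRICT,LIDMFLG,BIT,ALTER=SECURITY+ACCOUNT,LIST=ALL,        X
            FLAGS=NULL,BITMAP=LIDMRST,GROUP=2,ZERO=YES

@CFDE  DUMPAUTH,LIDMFLG,BIT,ALTER=SECURITY,LIST=ALL,                X
            FLAGS=NULL+RESTRICT,BITMAP=LIDMRDMP,GROUP=2,ZERO=YES
```

One way to confirm the change once the updated ACFFDR is in effect (an assumed check, not from the article): insert a test logonid with INSERT USING from a model that has STC, RESTRICT or DUMPAUTH set, then LIST the new logonid and verify those fields are not set.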

Additional Information

Details on the @CFDE macro can be found in section: '@CFDE -- Create Field Definition Entry Macro' of the ACF2 documentation.

Details on updating the ACF2 FDR macros (including the @CFDE macro) can be found in section: 'Update the CA ACF2 Field Definition Record (ACFFDR)' of the ACF2 documentation.