Is there a setting that is either turned on or turned off in ACF2 for the SAF interface?
If security is set to ACF2 in TPX, users are forced to enter a password when logging in to TPX.
If security is set to SAF in TPX, the user can get in without entering a password.
Release : 16.0
Component : CA ACF2 for z/OS
The issue where a TPX user can log on without a password when TPX security is set to SAF is related to resource class VERPSWD validations. When a RACROUTE REQUEST=VERIFY with PASSCHK=YES is done for a logonid, a validation is also issued for a RACROUTE REQUEST=AUTH,CLASS=VERPSWD,LOG=NOFAIL,ENTITYX=('userid.NOPSWD'), where userid is the LOGONID; the logonid of the requester is used for the validation. There is an internal ACF2 GSO CLASMAP that maps the VERPSWD resource class to TYPE(PWD).
The SECTRACE shows that job (STC) TPX issues a VERIFY CREATE for user TESTUSR, which specifies PASSCHK=YES. When no password is provided in this VERIFY call, ACF2 issues an additional call (an AUTH call for class VERPSWD) to see whether the issuer of the VERIFY, in this case TPX, is authorized to use/verify logonid TESTUSR without a password. The object (ENTITYX) being validated is "TESTUSR.NOPSWD", and the return code of 0 for this check indicates that there is an ACF2 resource rule to ALLOW TPX access to use TESTUSR.
To address this, the rule for TESTUSR.NOPSWD needs to be changed to deny (prevent) the access by TPX.
We recommend listing all TYPE(PWD) rules, from TSO ACF, in order to code an appropriate rule:
Possible rule to address the problem:
NOPSWD UID(uid string for TPX) PREVENT
For additional information on VERPSWD see ACF2 Documentation section: "VERPSWD".
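To review every TYPE(PWD) rule for the condition described above, the following added example (not Broadcom's code and not part of the original article) scans rule text for NOPSWD entries that do not deny. It assumes rule text in the form `$KEY(logonid) TYPE(PWD)` followed by rule lines shaped like the one shown above; the sample rules and the UID string `TPXSTC` are constructed.

```python
import re

# Constructed sample of TYPE(PWD) resource rule text (not from the article's system).
SAMPLE_RULES = """\
$KEY(TESTUSR) TYPE(PWD)
 NOPSWD UID(TPXSTC) ALLOW
$KEY(PAYUSR) TYPE(PWD)
 NOPSWD UID(TPXSTC) PREVENT
$KEY(OPSUSR) TYPE(PWD)
 NOPSWD UID(*) LOG
 NOPSWD UID(BATCH-)
"""

KEY_RE = re.compile(r"^\s*\$KEY\(([^)]+)\)\s+TYPE\((\w+)\)", re.I)
LINE_RE = re.compile(r"^\s*(\S+)\s+UID\(([^)]*)\)(.*)$", re.I)


def find_passwordless_grants(rule_text):
    """Return (logonid, uid_mask, action) for each NOPSWD entry that does not deny."""
    findings = []
    key = rtype = None
    for raw in rule_text.splitlines():
        m = KEY_RE.match(raw)
        if m:  # start of a new rule set: remember its key and type
            key, rtype = m.group(1).upper(), m.group(2).upper()
            continue
        m = LINE_RE.match(raw)
        if not m or rtype != "PWD":
            continue
        ext_key, uid_mask = m.group(1).upper(), m.group(2)
        keywords = m.group(3).upper().split()
        # Assumption: a lone "-" mask in the key position also covers NOPSWD.
        if ext_key not in ("NOPSWD", "-"):
            continue
        # Assumption: an entry with neither ALLOW nor LOG denies the request,
        # so only those two keywords are reported.
        action = next((w for w in keywords if w in ("ALLOW", "LOG")), None)
        if action:
            findings.append((key, uid_mask, action))
    return findings


if __name__ == "__main__":
    for logonid, uid_mask, action in find_passwordless_grants(SAMPLE_RULES):
        print(f"{logonid}.NOPSWD UID({uid_mask}) {action}: "
              "VERIFY without a password is permitted for matching requesters")
```

Each reported entry is a candidate for the PREVENT change described above, after confirming which requesters the UID mask actually matches.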