There are ACF2 logonids that do not have a password, but also do not have RESTRICT or STC set. These accounts do not show any ACCESS date or time but SEC-VIO and UPD-TOD are being updated, so they are being used.

How do I determine if RESTRICT, STC or a PASSWORD should be set to protect these accounts?

Can anyone submit a JCL with these logonids and gain the access that the account has?  Does ACF2 check for SURROGAT rules when PASSWORD is not supplied in the JCL even if the account does not have a PASSWORD?

A way to prevent these types of logonids in the future is to make sure that the GSO PSWD parameter PSWDREQ is set. This setting is the default and recommended value and prevents logonids from being INSERTed or CHANGEd without a password if RESTRICT or STC are not set. If RESTRICT or STC is removed from a logonid, the PSWDREQ|NOPSWDREQ setting of the GSO PSWD record comes into effect. PSWDREQ will also address possible audit and security concerns regarding an unauthorized user taking over a new user's logonid prior to the new user's first logon. 

The use of the NOPSWDREQ option allows a logonid to be inserted without a password.  A password would still be required for logon, but during that first logon ANY password could be used that satisfies the other new pswd requirements set in the PSWD record, ie length, special characters, pairs, numbers, letters, etc.

When INSERTing a new logonid with NOPSWDREQ set, the new logonid will be inserted(created) without a password and the first time the user logs on they will be prompted for a password.  When INSERTing a new logonid with PSWDREQ set, the INSERT/CREATE will not be allowed unless PASSWORD(xxxxxxx) is specified, and the first time a user logs on he will have to enter that password.                                                                  
                                                                           
When changing a logonid that does not have a PASSWORD defined in the logonid record and PSWDREQ is set, the CHANGE command will not be allowed unless PASSWORD(xxxxxxxx) is specified.  This can occur if the logonid was created without a PASSWORD prior to PSWDREQ was set or if the CHANGE command is removing the RESTRICT or STC privilege from a logonid---since RESTRICT and STC logonid do not require a password.                   

Regardless of the GSO PSWD PSWDREQ setting, since these accounts do not have RESTRICT or STC specified, they do require a password in order to submit a batch job. However, since the password is not set for these ID's, anyone can specify a password in the JOB card for these users and the PSWD-TOD would be set. After that, a password has been specified and the same password would need to continue being specified when submitting jobs. 

If a password is not set and a password is not specified on the JOB card, the job will fail with an ACF01007 error unless a SURROGAT rule is in place. When a SURROGAT rule is in place, the ACC-CNT, ACC-DATE, ACC-SOURCE, and ACC-TIME will be updated.  Submitting the job with a password specified on the JOB card and a SURROGAT rule in place will set the password for the logonid and the PSWD-TOD will be set.

The UPD-TOD is updated whenever an administrator makes a change to a logonid. This could mean at one point in time these accounts did have RESTRICT or STC specified, but an administrator made changes to these IDs. 

Before making changes to these logonids, these are the things to keep in mind:
Are the IDs still in use?
What are these IDs being used for and how are they being used?
Are there SURROGAT rules in place for the IDs?
Are there STC records for these IDs?

For information about PSWDREQ and other GSO PSWD options, please see the ACF2 documentation section Password Maintenance and Support (PSWD).