CASECAUT PWPHRASE processing in ACF2 for a Scoped user

Article ID: 220872


Products

ACF2 - z/OS

Issue/Introduction

The admin user issuing the CHANGE PWPHRASE command gets 'ACF0A017 NOT AUTHORIZED FOR REQUESTED FUNCTION'. The user has:

- ACCOUNT and AUDIT privilege 

- Scopelist

- CASECAUT rules in place

Please note that to change a modifiable field, a user must have the proper access to the ACFCMD.USER.fieldname resource in the CASECAUT class, and the target logonid must be within their scope.

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

To address the CASECAUT validation for the CHANGE PWPHRASE command issued by a scoped user, the following steps need to be done:

1. The scopelist needs to include the proper INF scope

Since password phrases are kept in user profile records in the Infostorage database, PUSRPWPHRASE followed by the logonid or mask needs to be added to the INF scope of the scopelist, followed by a rebuild command, as shown below:

    SET SCOPE(SCP)
    CHANGE scopelistname ADD INF(PUSRPWPHRASE-)

or, to limit the scope to specific logonids:

    CHANGE scopelistname ADD INF(PUSRPWPHRASElogonid-)

Where logonid- can be any specific logonid or a mask as needed.

    F ACF2,REBUILD(SCP),CLASS(S)

2. CASECAUT validation processing needs to be in place:

a. ADD AUT to the INFODIR:

    TSO ACF
    SET CONTROL(GSO)
    CHANGE INFODIR TYPES(R-RAUT) ADD
    F ACF2,REFRESH(INFODIR) 

b. Write the resource rules: 

     $KEY(ACFCMD) TYPE(AUT)
     USER.PWPHRASE UID(uid string of user) ALLOW
     USER.PWP-VIO UID(uid string of user) ALLOW

c. Load the new rules into storage:

     F ACF2,REBUILD(AUT)

3. Review the Additional Information section

It gives more information on the PTFs needed for CASECAUT processing to work for logonids with the ACCOUNT, AUDIT, LEADER or CONSULT privileges.
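The two checks the steps above configure (is the target's user profile record inside the admin's INF scope, and does a CASECAUT ACFCMD USER.PWPHRASE rule allow the admin's UID) can be modelled offline before the scopelist and rules are changed on the system. The Python below is an added example written for this article, not ACF2 code: it implements a deliberately simplified version of ACF2 masking (a trailing '-' matches the rest of the value, '*' matches one character, everything else is literal) and first-matching-entry rule evaluation, and the scopelist, UID strings and logonids are constructed sample values.

```python
# Added example: simplified model of the scope and CASECAUT checks applied to
# CHANGE PWPHRASE. Not ACF2 code; masking and rule matching are simplified.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def acf2_mask_match(mask: str, value: str) -> bool:
    """Simplified ACF2 masking (assumption): a trailing '-' matches whatever
    remains (including nothing), '*' matches exactly one character, any other
    character is literal. Comparison is case-insensitive."""
    mask, value = mask.upper(), value.upper()
    for i, ch in enumerate(mask):
        if ch == "-" and i == len(mask) - 1:
            return True
        if i >= len(value):
            return False
        if ch != "*" and ch != value[i]:
            return False
    return len(mask) == len(value)


@dataclass
class ScopeList:
    name: str
    inf: List[str] = field(default_factory=list)  # masks over Infostorage record keys


@dataclass
class ResourceRule:
    key: str                       # $KEY, e.g. ACFCMD
    type_code: str                 # resource type, e.g. AUT
    entries: List[Tuple[str, str, str]]  # (resource mask, UID mask, ALLOW|PREVENT)


@dataclass
class Admin:
    logonid: str
    uid: str
    privileges: Set[str]
    scope: Optional[ScopeList] = None   # None means the logonid is unscoped


def profile_record_key(target_logonid: str) -> str:
    """PWPHRASE lives in a user profile record keyed PUSRPWPHRASE + logonid."""
    return "PUSRPWPHRASE" + target_logonid.upper()


def in_inf_scope(admin: Admin, target_logonid: str) -> bool:
    """Unscoped users are unrestricted; scoped users need an INF entry that
    masks the target's PUSRPWPHRASE record key."""
    if admin.scope is None:
        return True
    key = profile_record_key(target_logonid)
    return any(acf2_mask_match(mask, key) for mask in admin.scope.inf)


def casecaut_allows(rules: List[ResourceRule], admin: Admin, resource: str) -> bool:
    """Look for a TYPE(AUT) $KEY(ACFCMD) entry matching the resource name and the
    admin's UID; first match decides, no match means deny (simplification)."""
    for rule in rules:
        if rule.key != "ACFCMD" or rule.type_code != "AUT":
            continue
        for res_mask, uid_mask, disposition in rule.entries:
            if acf2_mask_match(res_mask, resource) and acf2_mask_match(uid_mask, admin.uid):
                return disposition == "ALLOW"
    return False


def change_pwphrase(admin: Admin, target_logonid: str, rules: List[ResourceRule]) -> Tuple[bool, str]:
    """Return (allowed, reason) for CHANGE <target> PWPHRASE(...) by admin."""
    if not in_inf_scope(admin, target_logonid):
        return False, "OUTSIDE_INF_SCOPE"
    if not casecaut_allows(rules, admin, "USER.PWPHRASE"):
        return False, "CASECAUT_DENIED"
    return True, "OK"


# Constructed sample data: a payroll administrator scoped to PAY* logonids.
PAY_SCOPE = ScopeList("PAYSCP", inf=["PUSRPWPHRASEPAY-"])
PAY_ADMIN = Admin("PAYADM", "PAYADMIN", {"ACCOUNT", "AUDIT"}, PAY_SCOPE)
AUT_RULES = [ResourceRule("ACFCMD", "AUT", [
    ("USER.PWPHRASE", "PAYADM-", "ALLOW"),
    ("USER.PWP-VIO", "PAYADM-", "ALLOW"),
])]
# Same admin, but with the scopelist as it was before PUSRPWPHRASE was added.
OLD_SCOPE_ADMIN = Admin("PAYADM", "PAYADMIN", {"ACCOUNT", "AUDIT"}, ScopeList("PAYSCP", inf=[]))

if __name__ == "__main__":
    print(change_pwphrase(PAY_ADMIN, "PAYUSR1", AUT_RULES))       # (True, 'OK')
    print(change_pwphrase(PAY_ADMIN, "HRUSR1", AUT_RULES))        # outside scope
    print(change_pwphrase(OLD_SCOPE_ADMIN, "PAYUSR1", AUT_RULES)) # scope lacks INF entry
    print(change_pwphrase(PAY_ADMIN, "PAYUSR1", []))              # no CASECAUT rule
```

Running the three failing cases shows which of the two configuration items is missing for a given admin and target, which is the distinction step 1 and step 2 above correspond to; real ACF2 masking and rule selection have more cases than this model covers.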


Additional Information


PTF SO09757 allows logonids to go through CASECAUT rule checking with ACCOUNT, AUDIT, LEADER, or CONSULT privileges.

PTF LU09247 adds an additional check of the LID/UID scope to see whether access to a user profile record is within that scope.

PTFs LU09250 and LU06571 changed the way a CHANGE command is processed, under either ACF or LID mode, to update a PWPHRASE user profile record field. In this situation the PWPHRASE record is not inserted if it did not already exist when the CHANGE command was issued.