The admin user issuing the CHANGE PWPHRASE command gets 'ACF0A017 NOT AUTHORIZED FOR REQUESTED FUNCTION' has:
- ACCOUNT and AUDIT privilege
- CASECAUT rules in place
Please note that to change a modifiable field, a user must have the proper access to the ACFCMD.USER.fieldname resource in the CASECAUT class within their scope.
Release : 16.0
Component : CA ACF2 for z/OS
To address the CASECAUT validation for CHANGE PWPHRASE command and a scoped user, following steps need to be done:
1. The scopelist need to include the proper INF scope
Since the password phrases are kept in user profile records in the info storage database, PUSRPWPHRASE followed by the logonid/mask needs to be added to the INF scope of logonid followed by a rebuild command as shown below:
CHANGE scopelistname ADD INF(PUSRPWPHRASE-) or CHANGE scopelistname ADD INF(PUSRPWPHRASElogonid-)
Where logonid- can be any specific logonid or a mask as needed.
2. CASECAUT validation processing need to be in place:
a. ADD AUT to the INFODIR:
CHANGE INFODIR TYPES(R-RAUT) ADD
b. Write the resource rules:
USER.PWPHRASE UID(uid string of user) ALLOW
USER.PWP-VIO UID(uid string of user) ALLOW
c. Load the new rules into storage:
3. Review the additional information section
It gives more information on PTFs needed for CASECAUT processing to work for logonids with ACCOUNT, AUDIT, LEADER or CONSULT privileges.
PTF SO09757 allows logonids to go through CASECAUT rule checking with ACCOUNT, AUDIT, LEADER, or CONSULT privileges.
PTF LU09247 adds an additional check for the LID/UID scope to see if an access to a user profile record is within that scope.
PTF LU09250 LU06571 changed the way we process a CHANGE command under either ACF or LID modes to update a PWPHRASE user profile record field. In this situation we made a decision to not insert the PWPHRASE record if it did not already exist when the change command was done.