When a scoped user creates an ACF2 loginid with an INSERT USING command, the PREFIX field is empty. Other scoped users are able to INSERT a logonid and the PREFIX is populated normally. What is causing this discrepancy?

Release : 16.0

Component : ACF2 for z/OS

The DSN value of the SCOPE record for a scoped administrator determines whether or not the PREFIX value can be generated on an INSERT.

If adding the PREFIX field is desired when doing account administration, scoped administrators not only need access to the UID and LID in their scope, but they also need access to the logonid (or mask of the logonid) used as the PREFIX. This is because the PREFIX field grants a user full access to all datasets beginning with that PREFIX. If an administrator does not have access to the dataset, they should not be allowed to give unrestricted access of the datasets to others by use of the PREFIX field.

Note that this processing is different from specifying a PREFIX on a CHANGE command. By default, only unscoped security administrators can make changes to the PREFIX field. Changes can be made to the ACFFDR to allow scoped security admins access to make changes within their scope. KD article 201819: ACF2 won't let a scoped security administrator change the PREFIX field, getting ACF00112. outlines the change required.