ACF2/IBM Z Multi-Factor Authentication RSA SecurID (AZFSIDP1 factor) can signon with either password or RSA token

Article ID: 271499

Updated On:

Products

ACF2 - z/OS

Issue/Introduction

An ACF2-protected system uses IBM Z Multi-Factor Authentication with the AZFSIDP1 factor (RSA SecurID). The ACF started task is active.
Logonids can sign on using either a password or an RSA token; they should only be permitted to use an RSA token.

Environment

Release : 16.0

Resolution

MFA was configured for the AZFLDAP1 factor using both methods of mapping an RSA userid to an ACF2 logonid: the PROFILE(USER) DIV(MFA) profile record method, and the method that uses the $USERDATA line of a resource rule called RSAUMAP in the CASECMFA class:

SET PROFILE(USER) DIV(MFA)
INSERT SY20076.AZFSIDP1 TAGS(SIDUSERID:E3020076 ) ACTIVE
INSERT SY17183.AZFSIDP1 TAGS(SIDUSERID:E3017183 ) ACTIVE

$KEY(RSAUMAP) TYPE(CAS)
$USERDATA(SSN)
$OWNER(AAM)

Only one of the above methods of mapping a logonid to an RSA userid should be used.

After removing the $KEY(RSAUMAP) TYPE(CAS) rule, issuing F ACF2,REBUILD(CAS), and recycling the AZF#IN00 task, logonids defined for RSA SecurID (AZFSIDP1) can only sign on using an RSA token.