ACF2-protected system with IBM Z Multi-Factor Authentication, AZFSIDP1 factor (RSA SecurID). ACF started task is active.
Logonids can sign on using either a password or an RSA token; they should only be permitted to use an RSA token.
Release: 16.0
MFA was configured for the AZFLDAP1 factor using both methods of mapping an RSA userid to an ACF2 logonid: the PROFILE(USER) DIV(MFA) profile record method, and the method that uses the $USERDATA line of a resource rule called RSAUMAP in the CASECMFA class:
SET PROFILE(USER) DIV(MFA)
INSERT SY20076.AZFSIDP1 TAGS(SIDUSERID:E3020076 ) ACTIVE
INSERT SY17183.AZFSIDP1 TAGS(SIDUSERID:E3017183 ) ACTIVE
$KEY(RSAUMAP) TYPE(CAS)
$USERDATA(SSN)
$OWNER(AAM)
Only one of the above methods of mapping a logonid to an RSA userid should be used.
After removing the $KEY(RSAUMAP) TYPE(CAS) rule, issuing F ACF2,REBUILD(CAS), and recycling the AZF#IN00 task, logonids defined for RSA SecurID (AZFSIDP1) can sign on only with an RSA token.