ChangeMan team is working on upgrading ChangeMan ZMF from version 7.1.3 to version 8.1.0.  

They received this error "ACF01006 A PASSWORD IS NOT ALLOWED FOR LOGONID XXXXXXX "

Serena product support provided the following information:

 "if the customer runs a job under a userid which is defined to the security package as protected and that job requests services of a SerNet STC running on a remote LPAR then there are two requirements and a 'gotcha'. The first requirement is that the customer must code a <userid> tag specifying the id of an unprotected userid and the second is that that userid be allowed access to the RACF impersonation class whose name is held within SERLCSEC. The 'gotcha' is that ACF2 must maintain the ACEE in the same way as RACF; specifically, this means that a protected userid must be noted as such via the ACEENPWR bit setting for flag ACEEFLG3. If these three factors are addressed then all should work. 

So please forward this to your ACF2 person and hopefully they will know what to do. "

This is what they initially asked me to setup in ACF2. 

New Facility rule 

$KEY(SERENA) TYPE(FAC) 

SERNET.AUTHUSR UID(XXXXXXX) SERVICE(READ) ALLOW 

New PTKTDATA profile: 

SET PROFILE(PTKTDATA) DIVISION(SSIGNON)

list like(se-) 

SSIGNON / SERNET LAST CHANGED BY YYYYYYY ON MM/DD/YY-HH:MM 

MULT-USE SSKEY(*SUPPRESSED*) 

PROFILE 

Because you were requested to setup a passticket profile record and the logonid being used is a RESTRICT logonid, you need to add the PTICKET attribute to the logonid record.

Without the PTICKET attribute a "password" will be passed for the logon request - but a password is not normally allowed for a restrict logonid. 

ACF

SET LID

CHANGE XXXXXXX PTICKET

END