Security Admin gets ACF04056 violation changing GROUP on logonid record

Article ID: 37702


Updated On:

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

Security Administrators are getting an ACF04056 violation when changing GROUP on the logonid record. We just added the RSRCVLD bit to protect resources from Security Admins. After this change, all Security Admins trying to change a GROUP on the logonid record got an ACF04056 violation. Why?

Environment

Release:
Component: ACF2MS

Cause

ACF2 validates the group rules for changes to the GROUP field on the logonid record. This affects only Security Admins that have RSRCVLD or that are scoped and not in the group.

Resolution

First, decide whether the Security Admin needs the access or whether a full, unscoped Security Admin should make the change. If you decide that all SECURITY logonids should be able to change all GROUP fields, then you need to add a rule.

TSO ACF

SET RESOURCE(TGR)

COMPILE

.$KEY(********) TYPE(TGR)

. UID(uid string or group of the SECURITY ids) ALLOW

.end

STORE

SET CONTROL(GSO)

CHANGE INFODIR TYPES(R-RTGR) ADD

F ACF2,REFRESH(INFODIR)

F ACF2,REBUILD(TGR)