
Security Admin gets ACF04056 violation changing GROUP on logonid record


Article ID: 37702


Updated On:

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

Question:

Security Administrators are getting an ACF04056 violation when changing GROUP on the logonid record. We just added the RSRCVLD bit to protect resources from Security Admins. After this change, all Security Admins trying to change a GROUP on the logonid record got an ACF04056 violation. Why?

Cause:

ACF2 validates the group rules for changes to the GROUP field on the logonid record. This affects only Security Admins that have RSRCVLD or that are scoped and not in the group.

Answer:

First you need to decide if the Security Admin needs the access or if a full, unscoped Security Admin should make the change.  If you decide that all SECURITY logonids should be able to change all GROUP fields, then you need to add a rule.

TSO ACF
SET RESOURCE(TGR)
COMPILE
.$KEY(********) TYPE(TGR)
. UID(uid string or group of the SECURITY ids) ALLOW
.end
STORE
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RTGR) ADD
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(TGR)

Environment

Release:
Component: ACF2MS